
PC frequently hanging & blue screen of death

Discussion in 'Virus & Other Malware Removal' started by Miche, Jan 15, 2013.

Thread Status:
Not open for further replies.
  1. Miche

    Miche Thread Starter

    Hello. Thank you in advance.

    My PC's symptoms include:
    - I've now also had a blue screen of death/restart three times in the past few weeks, including twice tonight;
    - sluggish startup - takes approx. 3 mins after login for a browser to finally open;
    - various unrelated programs (both on & offline) hanging on "not responding" for 10-30 seconds upon opening, and often eventually crashing;
    - Flash crashing often in browser;
    - rare, but some website links don't action upon click (I have to right-click "open in new window");
    - both Firefox and Chrome have hanging issues on sites such as BBC.



    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:19:26 PM, on 15/01/2013
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v8.00 (8.00.7601.17514)
    Boot mode: Normal

    Running processes:
    C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe
    C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\ApVxdWin.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavBckPT.exe
    C:\Users\Miche\Downloads\HijackThis.exe
    C:\windows\SysWOW64\DllHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.ca/welcome
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.ca/welcome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Presented by TOSHIBA Leading Innovation >>>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=c:\windows\syswow64\userinit.exe,
    O1 - Hosts: ::1 localhost #[IPv6]
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    O2 - BHO: IE5BarLauncherBHO Class - {78F3A323-798E-4AEA-9A57-88F4B05FD5DD} - C:\Program Files (x86)\StartSearch plugin\ssBarLcher.dll
    O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: StartSearchToolBar - {7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} - C:\Program Files (x86)\StartSearch plugin\ssBarLcher.dll
    O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [SVPWUTIL] "C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" SVPwUTIL
    O4 - HKLM\..\Run: [HWSetup] "C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" hwSetUP
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\Inicio.exe"
    O4 - HKLM\..\Run: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
    O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
    O15 - Trusted Zone: http://*.broadband.o2.co.uk
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agr64svc.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    O23 - Service: ConfigFree WiMAX Service (cfWiMAXService) - TOSHIBA CORPORATION - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
    O23 - Service: ConfigFree Gadget Service - TOSHIBA CORPORATION - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
    O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
    O23 - Service: FABS - Helping agent for MAGIX media database (Fabs) - MAGIX AG - C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
    O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
    O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PsCtrls.exe
    O23 - Service: Panda Function Service (PAVFNSVR) - Unknown owner - C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavFnSvr.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files (x86)\Common Files\Panda Security\PavShld\pavprsrv.exe
    O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\pavsrvx86.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
    O23 - Service: Panda Host Service (PSHost) - Unknown owner - c:\program files (x86)\panda security\panda internet security 2012\firewall\PSHOST.EXE
    O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PsImSvc.exe
    O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PskSvc.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
    O23 - Service: TOSHIBA Modem region select service (RSELSVC) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\rselect\RSelSvc.exe
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
    O23 - Service: ServiceLayer - Nokia - C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
    O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - Unknown owner - C:\windows\system32\TODDSrv.exe (file missing)
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA eco Utility Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TECO\TecoService.exe
    O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
    O23 - Service: TPCH Service (TPCHSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
    O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)

    --
    End of file - 15191 bytes

    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_37
    Run by Miche at 19:21:22 on 2013-01-15
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.3933.2342 [GMT 0:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    AV: Panda Internet Security 2012 *Enabled/Updated* {86971480-9989-6750-B122-681A86518D59}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Panda Internet Security 2012 *Enabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: Panda Personal Firewall 2012 *Enabled* {BEAC95A5-D3E6-6608-9A7D-C12F7882CA22}
    .
    ============== Running Processes ===============
    .
    C:\windows\system32\lsm.exe
    C:\windows\system32\svchost.exe -k DcomLaunch
    C:\windows\system32\svchost.exe -k RPCSS
    C:\windows\system32\svchost.exe -k NetworkService
    C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PskSvc.exe
    C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k netsvcs
    C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\windows\System32\spoolsv.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\windows\system32\taskeng.exe
    C:\windows\system32\taskhost.exe
    C:\windows\system32\Dwm.exe
    C:\windows\Explorer.EXE
    C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PsCtrls.exe
    C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavFnSvr.exe
    C:\Program Files (x86)\Common Files\Panda Security\PavShld\pavprsrv.exe
    C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\pavsrvx86.exe
    C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\AVENGINE.EXE
    c:\program files (x86)\panda security\panda internet security 2012\firewall\PSHOST.EXE
    C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PsImSvc.exe
    C:\windows\system32\svchost.exe -k imgsvc
    C:\windows\system32\TODDSrv.exe
    C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\windows\system32\igfxsrvc.exe
    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
    C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\windows\system32\SearchIndexer.exe
    C:\windows\system32\igfxext.exe
    C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
    C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\ApVxdWin.exe
    C:\windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\LSI SoftModem\agr64svc.exe
    C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
    C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
    C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe
    C:\Program Files\TOSHIBA\rselect\RSelSvc.exe
    C:\windows\System32\svchost.exe -k secsvcs
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
    C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
    C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
    C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\SRVLOAD.EXE
    C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavBckPT.exe
    C:\Users\Miche\Downloads\HijackThis.exe
    C:\windows\SysWOW64\NOTEPAD.EXE
    C:\windows\system32\taskeng.exe
    C:\windows\system32\wbem\wmiprvse.exe
    C:\windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.toshiba.ca/welcome
    uWindow Title = Presented by TOSHIBA Leading Innovation >>>
    uDefault_Page_URL = hxxp://www.toshiba.ca/welcome
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSCA&bmod=TSCA
    mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSCA&bmod=TSCA
    uProxyOverride = <local>
    mSearchAssistant = hxxp://start.facemoods.com/?a=bf&s={searchTerms}&f=4
    mWinlogon: Userinit = c:\windows\syswow64\userinit.exe,
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO: IE5BarLauncherBHO Class: {78F3A323-798E-4AEA-9A57-88F4B05FD5DD} - C:\Program Files (x86)\StartSearch plugin\ssBarLcher.dll
    BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    TB: StartSearchToolBar: {7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} - C:\Program Files (x86)\StartSearch plugin\ssBarLcher.dll
    TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    TB: StartSearchToolBar: {7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} - C:\Program Files (x86)\StartSearch plugin\ssBarLcher.dll
    TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    mRun: [SVPWUTIL] "C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" SVPwUTIL
    mRun: [HWSetup] "C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" hwSetUP
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    mRun: [APVXDWIN] "C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\APVXDWIN.EXE" /s
    mRun: [SCANINICIO] "C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\Inicio.exe"
    mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: NameServer = 192.168.1.254
    TCP: Interfaces\{AF9DB8C2-72B8-4C25-873B-CF2061A430A4} : DHCPNameServer = 192.168.1.254
    TCP: Interfaces\{AF9DB8C2-72B8-4C25-873B-CF2061A430A4}\05050234F657E64797028416C6C6027457563747 : DHCPNameServer = 8.8.4.4
    TCP: Interfaces\{AF9DB8C2-72B8-4C25-873B-CF2061A430A4}\244564F4E4 : DHCPNameServer = 192.168.22.22 192.168.22.23
    TCP: Interfaces\{AF9DB8C2-72B8-4C25-873B-CF2061A430A4}\2445F40756E6A7F6E656 : DHCPNameServer = 192.168.22.22 192.168.22.23
    TCP: Interfaces\{AF9DB8C2-72B8-4C25-873B-CF2061A430A4}\2454C4C4733363 : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{AF9DB8C2-72B8-4C25-873B-CF2061A430A4}\351627168662A4F686E6 : DHCPNameServer = 192.168.1.254
    TCP: Interfaces\{AF9DB8C2-72B8-4C25-873B-CF2061A430A4}\E656773727F6F6D6 : DHCPNameServer = 192.168.2.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
    x64-mStart Page = hxxp://www.toshiba.ca/welcome
    x64-mDefault_Page_URL = hxxp://www.toshiba.ca/welcome
    x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg64.dll
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-Run: [IgfxTray] "C:\windows\System32\igfxtray.exe"
    x64-Run: [HotKeysCmds] "C:\windows\System32\hkcmd.exe"
    x64-Run: [Persistence] "C:\windows\System32\igfxpers.exe"
    x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
    x64-Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe
    x64-Run: [SmoothView] C:\Program Files (x86)\Toshiba\SmoothView\SmoothView.exe
    x64-Run: [00TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
    x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
    x64-Run: [SmartFaceVWatcher] C:\Program Files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
    x64-Run: [Teco] "C:\Program Files (x86)\TOSHIBA\TECO\Teco.exe" /r
    x64-Run: [TosSENotify] "C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe"
    x64-Run: [TosWaitSrv] C:\Program Files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
    x64-Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
    x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
    .
    INFO: x64-HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
    x64-DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - hxxp://download.sopcast.cn/download/SOPCORE.CAB
    x64-DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    x64-DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
    x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
    x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
    x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-Notify: avldr - avldr64.dll
    x64-Notify: igfxcui - igfxdev.dll
    x64-SSODL: WebCheck - <orphaned>
    Hosts: 127.0.0.1 ads.mcafee.com
    Hosts: 127.0.0.1 analytics.microsoft.com
    Hosts: 127.0.0.1 metrics.bitdefender.com
    Hosts: 127.0.0.1 metrics.mcafee.com
    Hosts: 127.0.0.1 om.symantec.com
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Miche\AppData\Roaming\Mozilla\Firefox\Profiles\0mkqp9ms.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - plugin: C:\Program Files (x86)\Canon\ZoomBrowser EX\Program\NPCIG.dll
    FF - plugin: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll
    FF - plugin: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npvsharetvplg.dll
    FF - plugin: C:\Program Files (x86)\Nokia\Nokia Suite\npNokiaSuiteEnabler.dll
    FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll
    FF - plugin: C:\windows\SysWOW64\npdeployJava1.dll
    FF - plugin: C:\windows\SysWOW64\npmproxy.dll
    FF - plugin: C:\windows\SysWOW64\NPSWF32.dll
    FF - ExtSQL: 2012-12-04 17:09; [email protected]; C:\Program Files\AVAST Software\Avast\WebRep\FF
    FF - ExtSQL: 2012-12-17 13:52; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; C:\Users\Miche\AppData\Roaming\Mozilla\Firefox\Profiles\0mkqp9ms.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - ExtSQL: 2013-01-07 20:22; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\Miche\AppData\Roaming\Mozilla\Firefox\Profiles\0mkqp9ms.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 pavboot;Panda boot driver;C:\windows\System32\drivers\pavboot64.sys [2012-12-19 30792]
    R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\System32\drivers\tos_sps64.sys [2009-11-21 482384]
    R1 aswSnx;aswSnx;C:\windows\System32\drivers\aswSnx.sys [2012-12-4 984144]
    R1 aswSP;aswSP;C:\windows\System32\drivers\aswSP.sys [2012-12-4 370288]
    R1 ShldFlt;Panda File Shield Driver;C:\windows\System32\drivers\ShldFlt.sys [2012-12-19 48136]
    R2 AmFSM;AmFSM;C:\windows\System32\drivers\amm6460.sys [2012-12-19 65608]
    R2 APPFLT;App Filter Plugin;C:\windows\System32\drivers\APPFLT64.SYS [2012-12-19 129096]
    R2 aswFsBlk;aswFsBlk;C:\windows\System32\drivers\aswFsBlk.sys [2012-12-4 25232]
    R2 aswMonFlt;aswMonFlt;C:\windows\System32\drivers\aswMonFlt.sys [2012-12-4 71600]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-12-4 44808]
    R2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-7-18 181616]
    R2 ComFiltr;Panda Anti-Dialer;C:\windows\System32\drivers\COMFiltr.sys [2012-12-19 15928]
    R2 ConfigFree Gadget Service;ConfigFree Gadget Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe [2009-7-15 42368]
    R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-3-11 46448]
    R2 DSAFLT;DSA Filter Plugin;C:\windows\System32\drivers\dsaflt64.sys [2012-12-19 82952]
    R2 Fabs;FABS - Helping agent for MAGIX media database;C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2011-5-24 1840128]
    R2 FNETMON;NetMon Filter Plugin;C:\windows\System32\drivers\fnetm64.sys [2012-12-19 31752]
    R2 IDSFLT;Ids Filter Plugin;C:\windows\System32\drivers\idsflt64.sys [2012-12-19 78920]
    R2 NETFLTDI;Panda Net Driver [TDI Layer];C:\windows\System32\drivers\NETTDI64.SYS [2012-12-19 170504]
    R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\System32\drivers\TVALZFL.sys [2009-6-20 14472]
    R2 WNMFLT;Wifi Monitor Filter Plugin;C:\windows\System32\drivers\wnmflt64.sys [2012-12-19 74760]
    R3 ffusb2audio;Focusrite USB 2.0 Audio Driver;C:\windows\System32\drivers\ffusb2audio.sys [2013-1-7 125304]
    R3 NETIMFLT01060044;PANDA NDIS IM Filter Miniport v1.6.0.44;C:\windows\System32\drivers\n64i1644.sys [2012-12-19 216648]
    R3 PGEffect;Pangu effect driver;C:\windows\System32\drivers\PGEffect.sys [2009-11-21 35008]
    R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2009-11-21 215040]
    R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\windows\System32\drivers\rtl8192se.sys [2010-4-26 1103904]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2011-4-26 2702848]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;C:\windows\System32\drivers\hitmanpro35.sys [2010-11-27 19528]
    S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2011-7-2 59392]
    S3 WDC_SAM;WD SCSI Pass Thru driver;C:\windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
    .
    =============== File Associations ===============
    .
    FileExt: .vbe: VBEFile=C:\PROGRA~2\PANDAS~1\PANDAI~1\PAVSCRIP.EXE "%1" %*
    FileExt: .vbs: VBSFile=C:\PROGRA~2\PANDAS~1\PANDAI~1\PAVSCRIP.EXE "%1" %*
    FileExt: .js: jsfile="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS6\Dreamweaver.exe","%1"
    FileExt: .jse: JSEFile=C:\PROGRA~2\PANDAS~1\PANDAI~1\PAVSCRIP.EXE "%1" %*
    FileExt: .wsf: WSFFile=C:\PROGRA~2\PANDAS~1\PANDAI~1\PAVSCRIP.EXE "%1" %*
    ShellExec: dreamweaver.exe: Open="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS6\dreamweaver.exe", "%1"
    .
    =============== Created Last 30 ================
    .
    2013-01-15 09:58:55 76232 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B4274087-B5B0-4DBA-A08B-9F6CB18E1B8E}\offreg.dll
    2013-01-15 09:12:03 9125352 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B4274087-B5B0-4DBA-A08B-9F6CB18E1B8E}\mpengine.dll
    2013-01-11 17:20:55 -------- d-----w- C:\ProgramData\regid.1986-12.com.adobe
    2013-01-10 18:59:10 -------- d-----w- C:\Users\Miche\AppData\Roaming\Artisteer
    2013-01-10 18:58:10 -------- d-----w- C:\Users\Miche\AppData\Local\SkinSoft
    2013-01-10 18:56:27 -------- d-----w- C:\Program Files (x86)\Artisteer 3
    2013-01-09 14:11:03 -------- d-----w- C:\windows\PCHEALTH
    2013-01-09 08:56:15 750592 ----a-w- C:\windows\System32\win32spl.dll
    2013-01-09 08:56:14 492032 ----a-w- C:\windows\SysWow64\win32spl.dll
    2013-01-09 08:54:51 424448 ----a-w- C:\windows\System32\KernelBase.dll
    2013-01-07 12:24:16 -------- d-----w- C:\Program Files (x86)\Focusrite
    2013-01-07 12:21:12 22392 ----a-w- C:\windows\System32\ffusb2audio_coinst.dll
    2013-01-07 12:21:12 125304 ----a-w- C:\windows\System32\drivers\ffusb2audio.sys
    2013-01-07 12:21:11 -------- d-----w- C:\Program Files\Focusrite
    2013-01-03 17:06:09 -------- d-----w- C:\Program Files (x86)\ASIO4ALL v2
    2013-01-03 14:56:18 -------- d-----w- C:\Users\Miche\AppData\Roaming\Plogue
    2013-01-03 14:54:02 -------- d-----w- C:\Users\Miche\AppData\Roaming\Plogue Art et Technologie, Inc
    2013-01-03 12:37:06 -------- d-----w- C:\Program Files\Plogue
    2013-01-03 12:37:06 -------- d-----w- C:\Program Files\Common Files\VST2
    2013-01-03 12:14:57 -------- d-----w- C:\Program Files (x86)\Tonehammer
    2012-12-28 11:15:38 -------- d-----w- C:\Users\Miche\AppData\Local\112dB
    2012-12-27 16:20:02 -------- d-----w- C:\ProgramData\GraphPad Software
    2012-12-27 16:20:01 -------- d-----w- C:\Program Files (x86)\GraphPad
    2012-12-21 23:29:45 34304 ----a-w- C:\windows\SysWow64\atmlib.dll
    2012-12-21 23:29:44 46080 ----a-w- C:\windows\System32\atmlib.dll
    2012-12-21 23:29:41 367616 ----a-w- C:\windows\System32\atmfd.dll
    2012-12-21 23:29:41 295424 ----a-w- C:\windows\SysWow64\atmfd.dll
    2012-12-19 12:48:17 15928 ----a-w- C:\windows\System32\drivers\COMFiltr.sys
    2012-12-19 12:47:25 82952 ----a-w- C:\windows\System32\drivers\dsaflt64.sys
    2012-12-19 12:47:25 78920 ----a-w- C:\windows\System32\drivers\idsflt64.sys
    2012-12-19 12:47:25 74760 ----a-w- C:\windows\System32\drivers\wnmflt64.sys
    2012-12-19 12:47:18 31752 ----a-w- C:\windows\System32\drivers\fnetm64.sys
    2012-12-19 12:47:18 170504 ----a-w- C:\windows\System32\drivers\NETTDI64.SYS
    2012-12-19 12:47:18 129096 ----a-w- C:\windows\System32\drivers\APPFLT64.SYS
    2012-12-19 12:47:12 30792 ----a-w- C:\windows\System32\drivers\pavboot64.sys
    2012-12-19 12:44:23 48136 ----a-w- C:\windows\System32\drivers\ShldFlt.sys
    2012-12-19 12:21:55 -------- d-----w- C:\Users\Miche\AppData\Roaming\SpeedyPC Software
    2012-12-19 12:21:55 -------- d-----w- C:\Users\Miche\AppData\Roaming\DriverCure
    2012-12-19 12:21:44 -------- d-----w- C:\ProgramData\SpeedyPC Software
    2012-12-19 11:40:22 2048 ----a-w- C:\windows\SysWow64\tzres.dll
    2012-12-19 11:40:22 2048 ----a-w- C:\windows\System32\tzres.dll
    2012-12-18 16:46:49 -------- d-----w- C:\Program Files (x86)\Indiginus Acoustic Guitar
    2012-12-18 15:24:52 -------- d-----w- C:\Program Files (x86)\Ilya Efimov Acoustic Guitar Strum
    .
    ==================== Find3M ====================
    .
    2013-01-08 22:21:51 74248 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-01-08 22:21:51 697864 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
    2012-12-07 13:20:16 441856 ----a-w- C:\windows\System32\Wpc.dll
    2012-12-07 13:15:31 2746368 ----a-w- C:\windows\System32\gameux.dll
    2012-12-07 12:26:17 308736 ----a-w- C:\windows\SysWow64\Wpc.dll
    2012-12-07 12:20:43 2576384 ----a-w- C:\windows\SysWow64\gameux.dll
    2012-12-07 11:20:04 30720 ----a-w- C:\windows\System32\usk.rs
    2012-12-07 11:20:03 43520 ----a-w- C:\windows\System32\csrr.rs
    2012-12-07 11:20:03 23552 ----a-w- C:\windows\System32\oflc.rs
    2012-12-07 11:20:01 45568 ----a-w- C:\windows\System32\oflc-nz.rs
    2012-12-07 11:20:01 44544 ----a-w- C:\windows\System32\pegibbfc.rs
    2012-12-07 11:20:01 20480 ----a-w- C:\windows\System32\pegi-fi.rs
    2012-12-07 11:20:00 20480 ----a-w- C:\windows\System32\pegi-pt.rs
    2012-12-07 11:19:59 20480 ----a-w- C:\windows\System32\pegi.rs
    2012-12-07 11:19:58 46592 ----a-w- C:\windows\System32\fpb.rs
    2012-12-07 11:19:57 40960 ----a-w- C:\windows\System32\cob-au.rs
    2012-12-07 11:19:57 21504 ----a-w- C:\windows\System32\grb.rs
    2012-12-07 11:19:57 15360 ----a-w- C:\windows\System32\djctq.rs
    2012-12-07 11:19:56 55296 ----a-w- C:\windows\System32\cero.rs
    2012-12-07 11:19:55 51712 ----a-w- C:\windows\System32\esrb.rs
    2012-11-30 05:45:35 362496 ----a-w- C:\windows\System32\wow64win.dll
    2012-11-30 05:45:35 243200 ----a-w- C:\windows\System32\wow64.dll
    2012-11-30 05:45:35 13312 ----a-w- C:\windows\System32\wow64cpu.dll
    2012-11-30 05:45:14 215040 ----a-w- C:\windows\System32\winsrv.dll
    2012-11-30 05:43:12 16384 ----a-w- C:\windows\System32\ntvdm64.dll
    2012-11-30 04:54:00 5120 ----a-w- C:\windows\SysWow64\wow32.dll
    2012-11-30 04:53:59 274944 ----a-w- C:\windows\SysWow64\KernelBase.dll
    2012-11-30 03:23:48 338432 ----a-w- C:\windows\System32\conhost.exe
    2012-11-30 02:44:06 25600 ----a-w- C:\windows\SysWow64\setup16.exe
    2012-11-30 02:44:04 7680 ----a-w- C:\windows\SysWow64\instnm.exe
    2012-11-30 02:44:04 14336 ----a-w- C:\windows\SysWow64\ntvdm64.dll
    2012-11-30 02:44:03 2048 ----a-w- C:\windows\SysWow64\user.exe
    2012-11-30 02:38:59 6144 ---ha-w- C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    2012-11-30 02:38:59 4608 ---ha-w- C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    2012-11-30 02:38:59 3584 ---ha-w- C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    2012-11-30 02:38:59 3072 ---ha-w- C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    2012-11-23 03:26:31 3149824 ----a-w- C:\windows\System32\win32k.sys
    2012-11-23 03:13:57 68608 ----a-w- C:\windows\System32\taskhost.exe
    2012-11-22 05:44:23 800768 ----a-w- C:\windows\System32\usp10.dll
    2012-11-22 04:45:03 626688 ----a-w- C:\windows\SysWow64\usp10.dll
    2012-11-20 05:48:49 307200 ----a-w- C:\windows\System32\ncrypt.dll
    2012-11-20 04:51:09 220160 ----a-w- C:\windows\SysWow64\ncrypt.dll
    2012-11-12 12:28:37 1638912 ----a-w- C:\windows\System32\mshtml.tlb
    2012-11-12 11:52:18 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb
    2012-11-08 11:29:12 1402312 ----a-w- C:\windows\SysWow64\msxml4.dll
    2012-11-07 11:06:01 120200 ------w- C:\windows\SysWow64\DLLDEV32i.dll
    2012-11-02 05:59:11 478208 ----a-w- C:\windows\System32\dpnet.dll
    2012-11-02 05:11:31 376832 ----a-w- C:\windows\SysWow64\dpnet.dll
    2012-11-01 05:43:42 2002432 ----a-w- C:\windows\System32\msxml6.dll
    2012-11-01 05:43:42 1882624 ----a-w- C:\windows\System32\msxml3.dll
    2012-11-01 04:47:54 1389568 ----a-w- C:\windows\SysWow64\msxml6.dll
    2012-11-01 04:47:54 1236992 ----a-w- C:\windows\SysWow64\msxml3.dll
    2012-10-30 22:51:55 984144 ----a-w- C:\windows\System32\drivers\aswSnx.sys
    2012-10-30 22:51:55 71600 ----a-w- C:\windows\System32\drivers\aswMonFlt.sys
    2012-10-30 22:51:07 41224 ----a-w- C:\windows\avastSS.scr
    2012-10-27 06:26:55 981504 ----a-w- C:\windows\SysWow64\wininet.dll
    2012-10-27 05:51:21 1188864 ----a-w- C:\windows\System32\wininet.dll
    .
    ============= FINISH: 19:34:18.18 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 17/12/2009 12:28:53 PM
    System Uptime: 15/01/2013 6:17:19 PM (1 hours ago)
    .
    Motherboard: TOSHIBA | | KSWAA
    Processor: Intel(R) Core(TM)2 Duo CPU T6600 @ 2.20GHz | U2E1 | 2200/mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 434 GiB total, 40.513 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP594: 11/12/2012 8:32:05 PM - Installed Trivial Pursuit Unhinged
    RP595: 12/12/2012 3:29:58 PM - before plogue
    RP596: 13/12/2012 9:57:28 AM - Windows Update
    RP597: 14/12/2012 9:13:06 AM - Windows Update
    RP598: 18/12/2012 10:03:01 AM - Windows Update
    RP599: 19/12/2012 11:33:58 AM - Windows Update
    RP600: 19/12/2012 11:56:02 AM - Restore Operation
    RP601: 19/12/2012 2:31:29 PM - Installed System Requirements Lab Detection
    RP602: 20/12/2012 9:30:59 AM - Windows Update
    RP603: 21/12/2012 11:29:15 PM - Windows Update
    RP604: 25/12/2012 9:23:38 AM - Windows Update
    RP605: 28/12/2012 9:35:06 AM - Before Optimization
    RP606: 28/12/2012 10:04:30 AM - Removed simplitec simplicheck
    RP607: 28/12/2012 10:49:50 AM - Removed O2 Broadband Assistant
    RP608: 01/01/2013 11:26:07 AM - Windows Update
    RP609: 03/01/2013 5:04:58 PM - before ASIO4ALL
    RP610: 07/01/2013 12:21:41 PM - Device Driver Package Install: Focusrite Sound, video and game controllers
    RP611: 08/01/2013 8:38:00 AM - Windows Update
    RP612: 09/01/2013 1:57:40 PM - Windows Update
    RP613: 10/01/2013 6:53:35 PM - before artisteer
    RP614: 11/01/2013 4:46:45 PM - before dreamweaver
    RP615: 15/01/2013 9:09:45 AM - Windows Update
    RP616: 15/01/2013 9:20:41 AM - Windows Update
    .
    ==== Hosts File Hijack ======================
    .
    Hosts: 127.0.0.1 ads.mcafee.com
    Hosts: 127.0.0.1 analytics.microsoft.com
    Hosts: 127.0.0.1 metrics.bitdefender.com
    Hosts: 127.0.0.1 metrics.mcafee.com
    Hosts: 127.0.0.1 om.symantec.com
    Hosts: 127.0.0.1 ads.bleepingcomputer.com
    Hosts: 127.0.0.1 wdcs.trendmicro.com
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    Acrobat.com
    Add or Remove Adobe Creative Suite 3 Design Standard
    Adobe Acrobat 8 Professional
    Adobe Acrobat 8.3.1 - CPSID_83708
    Adobe Acrobat 8.3.1 Professional
    Adobe AIR
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe BridgeTalk Plugin CS3
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Creative Suite 3 Design Standard
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Fonts All
    Adobe Help Manager
    Adobe Help Viewer CS3
    Adobe Illustrator CS3
    Adobe InDesign CS3 Icon Handler
    Adobe Linguistics CS3
    Adobe Media Player
    Adobe MotionPicture Color Files
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Reader X (10.1.1)
    Adobe Setup
    Adobe Shockwave Player 11.6
    Adobe SING CS3
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WAS CS3
    Adobe Widget Browser
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    AHV content for Acrobat and Flash
    Apple Application Support
    Apple Software Update
    ARIA Engine v1.6.0.2
    Artisteer 3
    ASIO4ALL
    avast! Free Antivirus
    CANON iMAGE GATEWAY Task for ZoomBrowser EX
    Canon Internet Library for ZoomBrowser EX
    Canon MOV Decoder
    Canon MOV Encoder
    Canon MovieEdit Task for ZoomBrowser EX
    Canon Utilities CameraWindow
    Canon Utilities CameraWindow DC
    Canon Utilities CameraWindow DC 8
    Canon Utilities Digital Photo Professional 3.7
    Canon Utilities MyCamera
    Canon Utilities PhotoStitch
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    CCleaner
    CleanUp!
    Compatibility Pack for the 2007 Office system
    Direct DiscRecorder
    DirectX Media Runtime 5.1
    DivX Setup
    DVD MovieFactory for TOSHIBA
    FFCoder 1.3.0.3
    FileHippo.com Update Checker
    Firebird SQL Server - MAGIX Edition
    Focusrite USB 2.0 Audio Driver 2.4
    Futuremark SystemInfo
    Google Chrome
    Google Earth Plug-in
    Google Toolbar for Internet Explorer
    Google Update Helper
    GraphPad Prism 6 (Trial)
    Haali Media Splitter
    HiJackThis
    Hitman Pro 3.5
    ImageJ 1.45s
    Intel(R) Graphics Media Accelerator Driver
    Intel® Matrix Storage Manager
    IZArc 4.1
    Java Auto Updater
    Java(TM) 6 Update 37
    Java(TM) 7 Update 1 (64-bit)
    LSI V92 MOH Application
    MAGIX PhotoStory on DVD 2013 Deluxe
    MAGIX Speed burnR (MSI)
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Office 64-bit Components 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared 64-bit MUI (English) 2007
    Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable (x64)
    Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft Works
    Microsoft_VC100_CRT_SP1_x64
    Microsoft_VC100_CRT_SP1_x86
    Mozilla Firefox 18.0 (x86 en-US)
    Mozilla Maintenance Service
    MSVC80_x64
    MSVC80_x64_v2
    MSVC80_x86
    MSVC80_x86_v2
    MSVC90_x64
    MSVC90_x86
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 and SOAP Toolkit 3.0
    MSXML 4.0 SP3 Parser
    MSXML 4.0 SP3 Parser (KB2721691)
    MSXML 4.0 SP3 Parser (KB2758694)
    Nokia Connectivity Cable Driver
    Nokia PC Suite
    Nokia Suite
    O2InstV3Win7UpdateV1
    Panda Internet Security 2012
    Panda Secure Vault 5
    PC Connectivity Solution
    PDF-Viewer
    PDF Settings
    PlayReady PC Runtime amd64
    PokerStars
    QuickTime
    Realtek 8136 8168 8169 Ethernet Driver
    Realtek USB 2.0 Card Reader
    Realtek WLAN Driver
    Scarlett Plug-in Suite 1.2.3
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
    Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
    Sibelius Scorch (ActiveX Only)
    Sibelius Scorch (Firefox, Opera, Netscape only)
    Skype Click to Call
    Skype™ 6.0
    SopCast 3.5.0
    SpywareBlaster 4.6
    swMSM
    Synaptics Pointing Device Driver
    System Requirements Lab CYRI
    System Requirements Lab Detection
    System Requirements Lab for Intel
    TOSHIBA Assist
    TOSHIBA Bulletin Board
    TOSHIBA ConfigFree
    TOSHIBA Disc Creator
    TOSHIBA DVD PLAYER
    TOSHIBA eco Utility
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA Face Recognition
    TOSHIBA Flash Cards Support Utility
    TOSHIBA Hardware Setup
    TOSHIBA HDD/SSD Alert
    TOSHIBA Internal Modem Region Select Utility
    TOSHIBA PC Health Monitor
    TOSHIBA Recovery Media Creator
    TOSHIBA ReelTime
    TOSHIBA SD Memory Utilities
    TOSHIBA Service Station
    TOSHIBA Software Modem
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    TOSHIBA Web Camera Application
    Trilogy
    Trivial Pursuit Unhinged
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2760586) 32-Bit Edition
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Utility Common Driver
    VC80CRTRedist - 8.0.50727.6195
    VideoPad Video Editor
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VLC media player 2.0.3
    WildTangent Games
    WinDirStat 1.1.2
    Windows Driver Package - Focusrite USB 2.0 Audio Driver (09/10/2012 2.4.128.0)
    Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
    Windows Driver Package - Nokia Modem (10/05/2009 4.2)
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    WinRAR archiver
    .
    ==== Event Viewer Messages From Past Week ========
    .
    15/01/2013 6:17:55 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007e (0xffffffffc00000a1, 0xfffff800032bcb80, 0xfffff88002d814f0, 0xfffff88002d81590). A dump was saved in: C:\windows\MEMORY.DMP. Report Id: 011513-32401-01.
    12/01/2013 9:57:25 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
    12/01/2013 9:57:25 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.
    09/01/2013 2:24:34 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
    08/01/2013 5:46:28 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000001 (0x0000000074c22e09, 0x0000000000000000, 0x000000000000fffe, 0xfffff8800a521c60). A dump was saved in: C:\windows\MEMORY.DMP. Report Id: 010813-27658-01.
    .
    ==== End Of File ===========================
     
  2. Miche

    Miche Thread Starter

    Joined:
    Mar 19, 2005
    Messages:
    29
    GMER 2.0.18444 - http://www.gmer.net
    Rootkit scan 2013-01-15 20:01:55
    Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB4O 465.76GB
    Running: 1j959lg3.exe; Driver: C:\Users\Miche\AppData\Local\Temp\kwldykog.sys


    ---- Kernel code sections - GMER 2.0 ----

    .text C:\windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88004428d64 12 bytes {MOV RAX, 0xfffffa80060462a0; JMP RAX}

    ---- User code sections - GMER 2.0 ----

    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000077e10320
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e10380
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 0000000077e102e0
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000077e10410
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 0000000077e102d0
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000077e10310
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000077e10390
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 0000000077e103c0
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000077e10230
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0x15e890}
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000077e10460
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000077e10370
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 0000000077e102f0
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000077e10350
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000077e10290
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 0000000077e102b0
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 0000000077e103a0
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000077e10330
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0x15e590}
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 0000000077e103e0
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000077e10240
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e101e0
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 1 byte JMP 0000000077e103d0
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077cb2842 3 bytes {JMP 0x15db90}
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000077e10400
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\windows\system32\lsass.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtReadFile 0000000077cb1370 5 bytes JMP 0000000077e20bf8
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077cb1390 5 bytes JMP 0000000077e20e68
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000100070440
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077cb1400 5 bytes JMP 0000000077e10ac0
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000100070430
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 0000000077cb1440 5 bytes JMP 0000000077e20238
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000077cb1480 5 bytes JMP 0000000077e204a8
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077cb14e0 5 bytes JMP 0000000077e10bf8
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077cb1580 5 bytes JMP 0000000077e20d30
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000100070450
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0xffffffff883bee90}
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 00000001000703b0
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtEnumerateKey 0000000077cb1630 5 bytes JMP 0000000077e20100
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077cb1640 5 bytes JMP 0000000077e20ac0
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000100070320
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e20fa0
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077cb16d0 5 bytes JMP 0000000077e10fa0
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 00000001000702e0
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000100070410
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 00000001000702d0
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000100070310
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000100070390
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 00000001000703c0
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077cb1860 5 bytes JMP 0000000077e20850
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000077cb1910 5 bytes JMP 0000000077e205e0
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000100070230
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0xffffffff883be890}
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000100070460
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000100070370
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 00000001000702f0
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000100070350
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000100070290
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 00000001000702b0
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 00000001000703a0
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000100070330
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0xffffffff883be590}
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 00000001000703e0
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000100070240
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077cb1e60 5 bytes JMP 0000000077e20988
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000077cb1e70 5 bytes JMP 0000000077e10d30
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077cb1ea0 5 bytes JMP 0000000077e10e68
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e30238
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000100070250
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0xffffffff883be090}
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000100070470
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000100070480
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000100070300
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000100070360
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 00000001000702a0
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 00000001000702c0
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000100070340
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 0000000077cb2540 5 bytes JMP 0000000077e20370
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000100070420
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000100070260
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000100070270
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 5 bytes JMP 0000000077e30100
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 00000001000701f0
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000100070210
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000100070200
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 00000001000703f0
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000100070400
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000100070220
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000077cb2b90 5 bytes JMP 0000000077e20718
    .text C:\windows\system32\lsm.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000100070280
    .text C:\windows\system32\lsm.exe[640] C:\windows\system32\kernel32.dll!MapViewOfFile 0000000077a4e390 5 bytes JMP 0000000077e104a8
    .text C:\windows\system32\lsm.exe[640] C:\windows\system32\kernel32.dll!CreateFileMappingA 0000000077a4ead0 5 bytes JMP 0000000077e10370
    .text C:\windows\system32\lsm.exe[640] C:\windows\system32\kernel32.dll!CreateFileMappingW 0000000077a4f9f0 5 bytes JMP 0000000077e10718
    .text C:\windows\system32\lsm.exe[640] C:\windows\system32\kernel32.dll!CopyFileExW 0000000077a523d0 5 bytes JMP 0000000077e105e0
    .text C:\windows\system32\lsm.exe[640] C:\windows\system32\kernel32.dll!MapViewOfFileEx 0000000077a63140 5 bytes JMP 0000000077e10238
    .text C:\windows\system32\lsm.exe[640] C:\windows\system32\kernel32.dll!TerminateProcess + 1 0000000077a8bca1 4 bytes {JMP 0x384460}
    .text C:\windows\system32\lsm.exe[640] C:\windows\system32\kernel32.dll!CreateRemoteThread 0000000077a8c510 5 bytes JMP 0000000077e10850
    .text C:\windows\system32\lsm.exe[640] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\windows\system32\lsm.exe[640] C:\windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077acf6c0 5 bytes JMP 0000000077e10988
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000077e10440
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000077e10430
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000077e10450
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0x15ee90}
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 0000000077e103b0
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000077e10320
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e10380
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 0000000077e102e0
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000077e10410
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 0000000077e102d0
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000077e10310
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000077e10390
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 0000000077e103c0
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000077e10230
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0x15e890}
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000077e10460
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000077e10370
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 0000000077e102f0
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000077e10350
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000077e10290
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 0000000077e102b0
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 0000000077e103a0
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000077e10330
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0x15e590}
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 0000000077e103e0
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000077e10240
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e101e0
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 1 byte JMP 0000000077e103d0
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077cb2842 3 bytes {JMP 0x15db90}
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000077e10400
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\windows\system32\svchost.exe[752] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\windows\system32\svchost.exe[752] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000077e10440
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000077e10430
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000077e10450
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0x15ee90}
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 0000000077e103b0
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000077e10320
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e10380
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 0000000077e102e0
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000077e10410
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 0000000077e102d0
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000077e10310
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000077e10390
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 0000000077e103c0
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000077e10230
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0x15e890}
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000077e10460
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000077e10370
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 0000000077e102f0
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000077e10350
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000077e10290
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 0000000077e102b0
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 0000000077e103a0
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000077e10330
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0x15e590}
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 0000000077e103e0
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000077e10240
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e101e0
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\windows\system32\svchost.exe[840] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\windows\system32\svchost.exe[1156] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000077e10440
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000077e10430
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000077e10450
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0x15ee90}
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 0000000077e103b0
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000077e10320
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e10380
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 0000000077e102e0
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000077e10410
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 0000000077e102d0
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000077e10310
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000077e10390
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 0000000077e103c0
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000077e10230
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0x15e890}
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000077e10460
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000077e10370
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 0000000077e102f0
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000077e10350
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000077e10290
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 0000000077e102b0
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 0000000077e103a0
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000077e10330
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0x15e590}
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 0000000077e103e0
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000077e10240
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e101e0
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 1 byte JMP 0000000077e103d0
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077cb2842 3 bytes {JMP 0x15db90}
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000077e10400
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\windows\system32\svchost.exe[1864] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000077e10440
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000077e10430
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000077e10450
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0x15ee90}
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 0000000077e103b0
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000077e10320
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e10380
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 0000000077e102e0
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000077e10410
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 0000000077e102d0
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000077e10310
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000077e10390
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 0000000077e103c0
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000077e10230
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0x15e890}
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000077e10460
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000077e10370
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 0000000077e102f0
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000077e10350
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000077e10290
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 0000000077e102b0
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 0000000077e103a0
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000077e10330
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0x15e590}
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 0000000077e103e0
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000077e10240
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e101e0
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 1 byte JMP 0000000077e103d0
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077cb2842 3 bytes {JMP 0x15db90}
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000077e10400
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\windows\System32\spoolsv.exe[1148] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077e5faa0 5 bytes JMP 0000000100030600
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077e5fb38 5 bytes JMP 0000000100030804
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e5fc90 5 bytes JMP 0000000100030c0c
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077e60018 5 bytes JMP 0000000100030a08
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e7c45a 5 bytes JMP 00000001000301f8
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e81217 5 bytes JMP 00000001000303fc
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075c6a30a 1 byte [62]
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e15181 5 bytes JMP 0000000100231014
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e15254 5 bytes JMP 0000000100230804
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e153d5 5 bytes JMP 0000000100230a08
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e154c2 5 bytes JMP 0000000100230c0c
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e155e2 5 bytes JMP 0000000100230e10
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e1567c 5 bytes JMP 00000001002301f8
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e1589f 5 bytes JMP 00000001002303fc
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075e15a22 5 bytes JMP 0000000100230600
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 00000001002401f8
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076c53982 5 bytes JMP 00000001002403fc
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 0000000100240804
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 0000000100240600
    .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[452] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076c6f52b 5 bytes JMP 0000000100240a08
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c83ae0 5 bytes JMP 00000001001e075c
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c87a90 5 bytes JMP 00000001001e03a4
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000077e10440
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000077e10430
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077cb1490 5 bytes JMP 00000001001e0b14
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077cb14f0 5 bytes JMP 00000001001e0ecc
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000077e10450
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0x15ee90}
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 00000001001e163c
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000077e10320
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e10380
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 0000000077e102e0
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000077e10410
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 0000000077e102d0
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000077e10310
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000077e10390
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077cb1810 5 bytes JMP 00000001001e1284
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 0000000077e103c0
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000077e10230
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0x15e890}
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000077e10460
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000077e10370
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 0000000077e102f0
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000077e10350
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000077e10290
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 0000000077e102b0
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 0000000077e103a0
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000077e10330
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0x15e590}
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 0000000077e103e0
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000077e10240
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e101e0
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 1 byte JMP 0000000077e103d0
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077cb2842 3 bytes {JMP 0x15db90}
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000077e10400
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\windows\system32\taskeng.exe[2100] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c83ae0 5 bytes JMP 00000001003c075c
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c87a90 5 bytes JMP 00000001003c03a4
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000100060440
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000100060430
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077cb1490 5 bytes JMP 00000001003c0b14
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077cb14f0 5 bytes JMP 00000001003c0ecc
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000100060450
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0xffffffff883aee90}
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 00000001003c163c
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000100060320
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000100060380
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 00000001000602e0
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000100060410
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 00000001000602d0
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000100060310
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000100060390
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077cb1810 5 bytes JMP 00000001003c1284
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 00000001000603c0
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000100060230
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0xffffffff883ae890}
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000100060460
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000100060370
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 00000001000602f0
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000100060350
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000100060290
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 00000001000602b0
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 00000001000603a0
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000100060330
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0xffffffff883ae590}
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 00000001000603e0
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000100060240
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 00000001000601e0
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000100060250
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0xffffffff883ae090}
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000100060470
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000100060480
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000100060300
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000100060360
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 00000001000602a0
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 00000001000602c0
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000100060340
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000100060420
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000100060260
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000100060270
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 1 byte JMP 00000001000603d0
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077cb2842 3 bytes {JMP 0xffffffff883adb90}
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 00000001000601f0
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000100060210
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000100060200
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 00000001000603f0
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000100060400
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000100060220
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000100060280
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\windows\system32\taskhost.exe[2128] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c83ae0 5 bytes JMP 00000001001d075c
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c87a90 5 bytes JMP 00000001001d03a4
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtReadFile 0000000077cb1370 5 bytes JMP 0000000077e40bf8
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077cb1390 5 bytes JMP 0000000077e40e68
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000077e10440
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077cb1400 5 bytes JMP 0000000077e30ac0
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000077e10430
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 0000000077cb1440 5 bytes JMP 0000000077e40238
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000077cb1480 5 bytes JMP 0000000077e404a8
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077cb1490 5 bytes JMP 00000001001d0b14
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077cb14e0 5 bytes JMP 0000000077e30bf8
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077cb14f0 5 bytes JMP 00000001001d0ecc
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077cb1580 5 bytes JMP 0000000077e40d30
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000077e10450
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0x15ee90}
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 00000001001d163c
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtEnumerateKey 0000000077cb1630 5 bytes JMP 0000000077e40100
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077cb1640 5 bytes JMP 0000000077e40ac0
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000077e10320
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e40fa0
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077cb16d0 5 bytes JMP 0000000077e30fa0
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 0000000077e102e0
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000077e10410
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 0000000077e102d0
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000077e10310
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000077e10390
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077cb1810 5 bytes JMP 00000001001d1284
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 0000000077e103c0
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077cb1860 5 bytes JMP 0000000077e40850
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000077cb1910 5 bytes JMP 0000000077e405e0
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000077e10230
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0x15e890}
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000077e10460
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000077e10370
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 0000000077e102f0
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000077e10350
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000077e10290
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 0000000077e102b0
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 0000000077e103a0
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000077e10330
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0x15e590}
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 0000000077e103e0
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000077e10240
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077cb1e60 5 bytes JMP 0000000077e40988
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000077cb1e70 5 bytes JMP 0000000077e30d30
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077cb1ea0 5 bytes JMP 0000000077e30e68
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e50238
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 0000000077cb2540 5 bytes JMP 0000000077e40370
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 5 bytes JMP 0000000077e50100
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000077e10400
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000077cb2b90 5 bytes JMP 0000000077e40718
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\system32\KERNEL32.dll!MapViewOfFile 0000000077a4e390 5 bytes JMP 0000000077e304a8
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\system32\KERNEL32.dll!CreateFileMappingA 0000000077a4ead0 5 bytes JMP 0000000077e30370
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\system32\KERNEL32.dll!CreateFileMappingW 0000000077a4f9f0 5 bytes JMP 0000000077e30718
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\system32\KERNEL32.dll!CopyFileExW 0000000077a523d0 5 bytes JMP 0000000077e305e0
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\system32\KERNEL32.dll!MapViewOfFileEx 0000000077a63140 5 bytes JMP 0000000077e30238
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\system32\KERNEL32.dll!TerminateProcess + 1 0000000077a8bca1 4 bytes {JMP 0x3a4460}
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\system32\KERNEL32.dll!CreateRemoteThread 0000000077a8c510 5 bytes JMP 0000000077e30850
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\system32\KERNEL32.dll!MoveFileWithProgressW 0000000077acf6c0 5 bytes JMP 0000000077e30988
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\windows\system32\Dwm.exe[2072] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c83ae0 5 bytes JMP 000000010038075c
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c87a90 5 bytes JMP 00000001003803a4
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtReadFile 0000000077cb1370 5 bytes JMP 0000000077e20bf8
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077cb1390 5 bytes JMP 0000000077e20e68
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000100070440
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077cb1400 5 bytes JMP 0000000077e10ac0
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000100070430
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 0000000077cb1440 5 bytes JMP 0000000077e20238
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000077cb1480 5 bytes JMP 0000000077e204a8
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077cb1490 5 bytes JMP 0000000100380b14
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077cb14e0 5 bytes JMP 0000000077e10bf8
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077cb14f0 5 bytes JMP 0000000100380ecc
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077cb1580 5 bytes JMP 0000000077e20d30
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000100070450
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0xffffffff883bee90}
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 000000010038163c
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtEnumerateKey 0000000077cb1630 5 bytes JMP 0000000077e20100
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077cb1640 5 bytes JMP 0000000077e20ac0
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000100070320
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e20fa0
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077cb16d0 5 bytes JMP 0000000077e10fa0
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 00000001000702e0
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000100070410
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 00000001000702d0
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000100070310
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000100070390
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077cb1810 5 bytes JMP 0000000100381284
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 00000001000703c0
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077cb1860 5 bytes JMP 0000000077e20850
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000077cb1910 5 bytes JMP 0000000077e205e0
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000100070230
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0xffffffff883be890}
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000100070460
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000100070370
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 00000001000702f0
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000100070350
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000100070290
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 00000001000702b0
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 00000001000703a0
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000100070330
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0xffffffff883be590}
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 00000001000703e0
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000100070240
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077cb1e60 5 bytes JMP 0000000077e20988
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000077cb1e70 5 bytes JMP 0000000077e10d30
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077cb1ea0 5 bytes JMP 0000000077e10e68
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e30238
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000100070250
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0xffffffff883be090}
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000100070470
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000100070480
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000100070300
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000100070360
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 00000001000702a0
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 00000001000702c0
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000100070340
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 0000000077cb2540 5 bytes JMP 0000000077e20370
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000100070420
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000100070260
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000100070270
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 5 bytes JMP 0000000077e30100
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 00000001000701f0
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000100070210
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000100070200
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 00000001000703f0
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000100070400
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000100070220
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000077cb2b90 5 bytes JMP 0000000077e20718
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000100070280
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\KERNEL32.dll!MapViewOfFile 0000000077a4e390 5 bytes JMP 0000000077e104a8
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\KERNEL32.dll!CreateFileMappingA 0000000077a4ead0 5 bytes JMP 0000000077e10370
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\KERNEL32.dll!CreateFileMappingW 0000000077a4f9f0 5 bytes JMP 0000000077e10718
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\KERNEL32.dll!CopyFileExW 0000000077a523d0 5 bytes JMP 0000000077e105e0
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\KERNEL32.dll!MapViewOfFileEx 0000000077a63140 5 bytes JMP 0000000077e10238
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\KERNEL32.dll!TerminateProcess + 1 0000000077a8bca1 4 bytes {JMP 0x384460}
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\KERNEL32.dll!CreateRemoteThread 0000000077a8c510 5 bytes JMP 0000000077e10850
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\KERNEL32.dll!MoveFileWithProgressW 0000000077acf6c0 5 bytes JMP 0000000077e10988
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\windows\Explorer.EXE[2704] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\ole32.dll!CLSIDFromProgID 000007fefe299980 5 bytes JMP 000007feff8a04a8
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\ole32.dll!CLSIDFromProgIDEx 000007fefe29a4c4 5 bytes JMP 000007feff8a0370
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\WS2_32.dll!WSASend 00000000048d13b0 5 bytes JMP 0000000006600100
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\WS2_32.dll!closesocket 00000000048d18e0 5 bytes JMP 0000000006600370
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\WS2_32.dll!WSARecv 00000000048d2200 5 bytes JMP 0000000077e40e68
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\WS2_32.dll!connect 00000000048d45c0 5 bytes JMP 0000000077e40718
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\WS2_32.dll!send 00000000048d8000 5 bytes JMP 0000000077e40ac0
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\WS2_32.dll!sendto 00000000048dd7f0 5 bytes JMP 0000000077e40bf8
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\WS2_32.dll!recv 00000000048ddf40 5 bytes JMP 0000000077e40850
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\WS2_32.dll!recvfrom 00000000048deb90 5 bytes JMP 0000000077e40988
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\WS2_32.dll!WSASendTo 00000000048ded50 5 bytes JMP 0000000006600238
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\WS2_32.dll!WSAConnect 00000000048fe0f0 5 bytes JMP 0000000077e40d30
    .text C:\windows\Explorer.EXE[2704] C:\windows\system32\WS2_32.dll!WSARecvFrom 00000000048fe6c0 5 bytes JMP 0000000077e40fa0
    .text C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavFnSvr.exe[2784] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077e5faa0 5 bytes JMP 0000000100030600
    .text C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavFnSvr.exe[2784] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077e5fb38 5 bytes JMP 0000000100030804
    .text C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavFnSvr.exe[2784] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e5fc90 5 bytes JMP 0000000100030c0c
    .text C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavFnSvr.exe[2784] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077e60018 5 bytes JMP 0000000100030a08
    .text C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavFnSvr.exe[2784] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e7c45a 5 bytes JMP 00000001000301f8
    .text C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavFnSvr.exe[2784] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e81217 5 bytes JMP 00000001000303fc
    .text C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavFnSvr.exe[2784] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075c6a30a 1 byte [62]
    .text C:\windows\system32\svchost.exe[2156] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\windows\system32\svchost.exe[2156] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\windows\system32\svchost.exe[2156] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\windows\system32\svchost.exe[2156] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\windows\system32\svchost.exe[2156] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\windows\system32\svchost.exe[2156] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\windows\system32\svchost.exe[2156] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\windows\system32\svchost.exe[2156] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\windows\system32\svchost.exe[2156] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\windows\system32\TODDSrv.exe[464] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\windows\system32\TODDSrv.exe[464] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\windows\system32\TODDSrv.exe[464] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\windows\system32\TODDSrv.exe[464] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\windows\system32\TODDSrv.exe[464] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\windows\system32\TODDSrv.exe[464] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\windows\system32\TODDSrv.exe[464] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\windows\system32\TODDSrv.exe[464] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c83ae0 5 bytes JMP 00000001002e075c
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c87a90 5 bytes JMP 00000001002e03a4
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000077e10440
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000077e10430
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077cb1490 5 bytes JMP 00000001002e0b14
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077cb14f0 5 bytes JMP 00000001002e0ecc
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000077e10450
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0x15ee90}
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 00000001002e163c
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000077e10320
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e10380
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 0000000077e102e0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000077e10410
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 0000000077e102d0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000077e10310
     
  3. Miche

    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000077e10390
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077cb1810 5 bytes JMP 00000001002e1284
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 0000000077e103c0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000077e10230
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0x15e890}
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000077e10460
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000077e10370
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 0000000077e102f0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000077e10350
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000077e10290
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 0000000077e102b0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 0000000077e103a0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000077e10330
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0x15e590}
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 0000000077e103e0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000077e10240
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e101e0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 1 byte JMP 0000000077e103d0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077cb2842 3 bytes {JMP 0x15db90}
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000077e10400
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\windows\system32\svchost.exe[3748] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\windows\system32\svchost.exe[3748] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\windows\system32\svchost.exe[3748] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\windows\system32\svchost.exe[3748] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\windows\system32\svchost.exe[3748] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\windows\system32\svchost.exe[3748] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\windows\system32\svchost.exe[3748] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\windows\system32\svchost.exe[3748] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c83ae0 5 bytes JMP 00000001002e075c
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c87a90 5 bytes JMP 00000001002e03a4
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000077e10440
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000077e10430
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077cb1490 5 bytes JMP 00000001002e0b14
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077cb14f0 5 bytes JMP 00000001002e0ecc
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000077e10450
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0x15ee90}
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 00000001002e163c
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000077e10320
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e10380
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 0000000077e102e0
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000077e10410
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 0000000077e102d0
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000077e10310
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000077e10390
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077cb1810 5 bytes JMP 00000001002e1284
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 0000000077e103c0
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000077e10230
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0x15e890}
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000077e10460
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000077e10370
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 0000000077e102f0
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000077e10350
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000077e10290
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 0000000077e102b0
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 0000000077e103a0
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000077e10330
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0x15e590}
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 0000000077e103e0
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000077e10240
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e101e0
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 1 byte JMP 0000000077e103d0
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077cb2842 3 bytes {JMP 0x15db90}
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000077e10400
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\Windows\System32\hkcmd.exe[3440] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\Windows\System32\igfxpers.exe[1176] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\Windows\System32\igfxpers.exe[1176] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\Windows\System32\igfxpers.exe[1176] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\Windows\System32\igfxpers.exe[1176] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\Windows\System32\igfxpers.exe[1176] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\Windows\System32\igfxpers.exe[1176] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\Windows\System32\igfxpers.exe[1176] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\Windows\System32\igfxpers.exe[1176] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c83ae0 5 bytes JMP 00000001004b075c
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c87a90 5 bytes JMP 00000001004b03a4
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000077e10440
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000077e10430
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077cb1490 5 bytes JMP 00000001004b0b14
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077cb14f0 5 bytes JMP 00000001004b0ecc
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000077e10450
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0x15ee90}
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 00000001004b163c
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000077e10320
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e10380
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 0000000077e102e0
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000077e10410
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 0000000077e102d0
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000077e10310
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000077e10390
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077cb1810 5 bytes JMP 00000001004b1284
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 0000000077e103c0
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000077e10230
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0x15e890}
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000077e10460
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000077e10370
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 0000000077e102f0
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000077e10350
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000077e10290
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 0000000077e102b0
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 0000000077e103a0
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000077e10330
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0x15e590}
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 0000000077e103e0
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000077e10240
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e101e0
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 1 byte JMP 0000000077e103d0
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077cb2842 3 bytes {JMP 0x15db90}
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\windows\system32\igfxsrvc.exe[3096] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e101e0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 1 byte JMP 0000000077e103d0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077cb2842 3 bytes {JMP 0x15db90}
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000077e10400
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c83ae0 5 bytes JMP 00000001001e075c
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c87a90 5 bytes JMP 00000001001e03a4
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtReadFile 0000000077cb1370 5 bytes JMP 0000000077e40bf8
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077cb1390 5 bytes JMP 0000000077e40e68
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000077e10440
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077cb1400 5 bytes JMP 0000000077e30ac0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000077e10430
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 0000000077cb1440 5 bytes JMP 0000000077e40238
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000077cb1480 5 bytes JMP 0000000077e404a8
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077cb1490 5 bytes JMP 00000001001e0b14
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077cb14e0 5 bytes JMP 0000000077e30bf8
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077cb14f0 5 bytes JMP 00000001001e0ecc
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077cb1580 5 bytes JMP 0000000077e40d30
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000077e10450
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0x15ee90}
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 00000001001e163c
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtEnumerateKey 0000000077cb1630 5 bytes JMP 0000000077e40100
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077cb1640 5 bytes JMP 0000000077e40ac0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000077e10320
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e40fa0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077cb16d0 5 bytes JMP 0000000077e30fa0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 0000000077e102e0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000077e10410
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 0000000077e102d0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000077e10310
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000077e10390
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077cb1810 5 bytes JMP 00000001001e1284
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 0000000077e103c0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077cb1860 5 bytes JMP 0000000077e40850
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000077cb1910 5 bytes JMP 0000000077e405e0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000077e10230
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0x15e890}
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000077e10460
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000077e10370
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 0000000077e102f0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000077e10350
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000077e10290
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 0000000077e102b0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 0000000077e103a0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000077e10330
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0x15e590}
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 0000000077e103e0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000077e10240
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077cb1e60 5 bytes JMP 0000000077e40988
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000077cb1e70 5 bytes JMP 0000000077e30d30
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077cb1ea0 5 bytes JMP 0000000077e30e68
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e50238
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 0000000077cb2540 5 bytes JMP 0000000077e40370
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 5 bytes JMP 0000000077e50100
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000077e10400
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000077cb2b90 5 bytes JMP 0000000077e40718
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\KERNEL32.dll!MapViewOfFile 0000000077a4e390 5 bytes JMP 0000000077e304a8
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\KERNEL32.dll!CreateFileMappingA 0000000077a4ead0 5 bytes JMP 0000000077e30370
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\KERNEL32.dll!CreateFileMappingW 0000000077a4f9f0 5 bytes JMP 0000000077e30718
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\KERNEL32.dll!CopyFileExW 0000000077a523d0 5 bytes JMP 0000000077e305e0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\KERNEL32.dll!MapViewOfFileEx 0000000077a63140 5 bytes JMP 0000000077e30238
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\KERNEL32.dll!TerminateProcess + 1 0000000077a8bca1 4 bytes {JMP 0x3a4460}
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\KERNEL32.dll!CreateRemoteThread 0000000077a8c510 5 bytes JMP 0000000077e30850
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\KERNEL32.dll!MoveFileWithProgressW 0000000077acf6c0 5 bytes JMP 0000000077e30988
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\ole32.dll!CLSIDFromProgID 000007fefe299980 5 bytes JMP 000007feff8a04a8
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\ole32.dll!CLSIDFromProgIDEx 000007fefe29a4c4 5 bytes JMP 000007feff8a0370
    .text C:\windows\system32\igfxext.exe[3516] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\windows\system32\igfxext.exe[3516] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\windows\system32\igfxext.exe[3516] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\windows\system32\igfxext.exe[3516] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\windows\system32\igfxext.exe[3516] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\windows\system32\igfxext.exe[3516] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\windows\system32\igfxext.exe[3516] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\windows\system32\igfxext.exe[3516] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c83ae0 5 bytes JMP 00000001003a075c
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c87a90 5 bytes JMP 00000001003a03a4
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000077e10440
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000077e10430
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077cb1490 5 bytes JMP 00000001003a0b14
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077cb14f0 5 bytes JMP 00000001003a0ecc
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000077e10450
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0x15ee90}
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 00000001003a163c
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000077e10320
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e10380
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 0000000077e102e0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000077e10410
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 0000000077e102d0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000077e10310
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000077e10390
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077cb1810 5 bytes JMP 00000001003a1284
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 0000000077e103c0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000077e10230
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0x15e890}
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000077e10460
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000077e10370
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 0000000077e102f0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000077e10350
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000077e10290
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 0000000077e102b0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 0000000077e103a0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000077e10330
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0x15e590}
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 0000000077e103e0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000077e10240
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e101e0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 1 byte JMP 0000000077e103d0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077cb2842 3 bytes {JMP 0x15db90}
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000077e10400
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\windows\System32\svchost.exe[4112] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 00000001001f163c
    .text C:\windows\System32\svchost.exe[4112] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077cb1810 5 bytes JMP 00000001001f1284
    .text C:\windows\System32\svchost.exe[4112] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\windows\System32\svchost.exe[4112] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\windows\System32\svchost.exe[4112] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\windows\System32\svchost.exe[4112] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\windows\System32\svchost.exe[4112] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\windows\System32\svchost.exe[4112] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\windows\System32\svchost.exe[4112] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\windows\System32\svchost.exe[4112] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\Program Files\LSI SoftModem\agr64svc.exe[3688] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\Program Files\LSI SoftModem\agr64svc.exe[3688] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\Program Files\LSI SoftModem\agr64svc.exe[3688] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\Program Files\LSI SoftModem\agr64svc.exe[3688] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\Program Files\LSI SoftModem\agr64svc.exe[3688] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\Program Files\LSI SoftModem\agr64svc.exe[3688] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\Program Files\LSI SoftModem\agr64svc.exe[3688] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\Program Files\LSI SoftModem\agr64svc.exe[3688] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe[3524] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077e5faa0 5 bytes JMP 0000000100030600
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe[3524] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077e5fb38 5 bytes JMP 0000000100030804
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe[3524] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e5fc90 5 bytes JMP 0000000100030c0c
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe[3524] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077e60018 5 bytes JMP 0000000100030a08
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe[3524] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e7c45a 5 bytes JMP 00000001000301f8
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe[3524] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e81217 5 bytes JMP 00000001000303fc
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe[3524] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075c6a30a 1 byte [62]
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077e5faa0 5 bytes JMP 0000000100030600
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077e5fb38 5 bytes JMP 0000000100030804
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e5fc90 5 bytes JMP 0000000100030c0c
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077e60018 5 bytes JMP 0000000100030a08
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e7c45a 5 bytes JMP 00000001000301f8
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e81217 5 bytes JMP 00000001000303fc
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075c6a30a 1 byte [62]
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 00000001003d01f8
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076c53982 5 bytes JMP 00000001003d03fc
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 00000001003d0804
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 00000001003d0600
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076c6f52b 5 bytes JMP 00000001003d0a08
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e15181 5 bytes JMP 00000001003e1014
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e15254 5 bytes JMP 00000001003e0804
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e153d5 5 bytes JMP 00000001003e0a08
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e154c2 5 bytes JMP 00000001003e0c0c
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e155e2 5 bytes JMP 00000001003e0e10
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e1567c 5 bytes JMP 00000001003e01f8
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e1589f 5 bytes JMP 00000001003e03fc
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075e15a22 5 bytes JMP 00000001003e0600
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\syswow64\WS2_32.dll!sendto 00000000772734b5 5 bytes JMP 00000001012b0594
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\syswow64\WS2_32.dll!closesocket 0000000077273918 5 bytes JMP 00000001012b0c6c
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\syswow64\WS2_32.dll!WSASend 0000000077274406 5 bytes JMP 00000001012b0a24
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\syswow64\WS2_32.dll!recv 0000000077276b0e 5 bytes JMP 00000001012b0228
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\syswow64\WS2_32.dll!connect 0000000077276bdd 5 bytes JMP 00000001012b0104
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\syswow64\WS2_32.dll!send 0000000077276f01 5 bytes JMP 00000001012b0470
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\syswow64\WS2_32.dll!WSARecv 0000000077277089 5 bytes JMP 00000001012b07dc
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\syswow64\WS2_32.dll!recvfrom 000000007727b6dc 5 bytes JMP 00000001012b034c
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\syswow64\WS2_32.dll!WSARecvFrom 000000007727cba6 5 bytes JMP 00000001012b0900
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\syswow64\WS2_32.dll!WSAConnect 000000007727cc3f 5 bytes JMP 00000001012b06b8
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe[4132] C:\windows\syswow64\WS2_32.dll!WSASendTo 000000007728b30c 5 bytes JMP 00000001012b0b48
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4544] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077e5faa0 5 bytes JMP 0000000100030600
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4544] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077e5fb38 5 bytes JMP 0000000100030804
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4544] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e5fc90 5 bytes JMP 0000000100030c0c
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4544] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077e60018 5 bytes JMP 0000000100030a08
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4544] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e7c45a 5 bytes JMP 00000001000301f8
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4544] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e81217 5 bytes JMP 00000001000303fc
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4544] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075c6a30a 1 byte [62]
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4544] C:\windows\syswow64\WS2_32.dll!sendto 00000000772734b5 5 bytes JMP 00000001007d0594
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4544] C:\windows\syswow64\WS2_32.dll!closesocket 0000000077273918 5 bytes JMP 00000001007d0c6c
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4544] C:\windows\syswow64\WS2_32.dll!WSASend 0000000077274406 5 bytes JMP 00000001007d0a24
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4544] C:\windows\syswow64\WS2_32.dll!recv 0000000077276b0e 5 bytes JMP 00000001007d0228
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4544] C:\windows\syswow64\WS2_32.dll!connect 0000000077276bdd 5 bytes JMP 00000001007d0104
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4544] C:\windows\syswow64\WS2_32.dll!send 0000000077276f01 5 bytes JMP 00000001007d0470
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4544] C:\windows\syswow64\WS2_32.dll!WSARecv 0000000077277089 5 bytes JMP 00000001007d07dc
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4544] C:\windows\syswow64\WS2_32.dll!recvfrom 000000007727b6dc 5 bytes JMP 00000001007d034c
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4544] C:\windows\syswow64\WS2_32.dll!WSARecvFrom 000000007727cba6 5 bytes JMP 00000001007d0900
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4544] C:\windows\syswow64\WS2_32.dll!WSAConnect 000000007727cc3f 5 bytes JMP 00000001007d06b8
    .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4544] C:\windows\syswow64\WS2_32.dll!WSASendTo 000000007728b30c 5 bytes JMP 00000001007d0b48
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtReadFile 0000000077e5f8d0 5 bytes JMP 00000001003e0b44
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtWriteFile 0000000077e5f908 5 bytes JMP 00000001003e0d8c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077e5f9c0 5 bytes JMP 00000001003d0b44
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077e5fa20 5 bytes JMP 00000001003e0224
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077e5fa88 5 bytes JMP 00000001003e046c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077e5faa0 5 bytes JMP 0000000100030600
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtCreateKey 0000000077e5fb20 5 bytes JMP 00000001003d0c68
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077e5fb38 5 bytes JMP 0000000100030804
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077e5fc18 5 bytes JMP 00000001003e0c68
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e5fc90 5 bytes JMP 0000000100030c0c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtEnumerateKey 0000000077e5fd2c 5 bytes JMP 00000001003e0100
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077e5fd44 5 bytes JMP 00000001003e0a20
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077e5fdf4 5 bytes JMP 00000001003e0eb0
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077e5fe24 5 bytes JMP 00000001003d0fd4
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077e60018 5 bytes JMP 0000000100030a08
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077e60094 5 bytes JMP 00000001003e07d8
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077e601a4 5 bytes JMP 00000001003e0590
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtDeleteFile 0000000077e609c4 5 bytes JMP 00000001003e08fc
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtDeleteKey 0000000077e609dc 5 bytes JMP 00000001003d0d8c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077e60a24 5 bytes JMP 00000001003d0eb0
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077e60dd4 5 bytes JMP 00000001003f0100
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 0000000077e6145c 5 bytes JMP 00000001003e0348
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077e61900 5 bytes JMP 00000001003e0fd4
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtUnloadKey 0000000077e61e50 5 bytes JMP 00000001003e06b4
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e7c45a 5 bytes JMP 00000001000301f8
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e81217 5 bytes JMP 00000001000303fc
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\KERNEL32.dll!MapViewOfFile 0000000075c418f1 5 bytes JMP 00000001003d0590
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\KERNEL32.dll!CreateFileMappingW 0000000075c41909 5 bytes JMP 00000001003d07d8
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\KERNEL32.dll!MapViewOfFileEx 0000000075c44c6b 5 bytes JMP 00000001003d0348
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\KERNEL32.dll!CreateFileMappingA 0000000075c454ee 5 bytes JMP 00000001003d046c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000075c59ab4 5 bytes JMP 00000001003d0a20
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\KERNEL32.dll!TerminateProcess 0000000075c5d7ea 5 bytes JMP 00000001003d0224
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\KERNEL32.dll!CopyFileExW 0000000075c63b7a 5 bytes JMP 00000001003d06b4
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075c6a30a 1 byte [62]
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\KERNEL32.dll!CreateRemoteThread 0000000075cc41db 5 bytes JMP 00000001003d08fc
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!TranslateMessage 0000000076c47809 5 bytes JMP 00000001003f0a20
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!DispatchMessageW 0000000076c4787b 5 bytes JMP 00000001006906b4
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!DispatchMessageA 0000000076c47bbb 5 bytes JMP 00000001003f08fc
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 0000000100690348
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 0000000100690100
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001003f0eb0
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076c53982 5 bytes JMP 00000001002503fc
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 0000000100690224
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!CreateAcceleratorTableW 0000000076c54e04 5 bytes JMP 000000010069046c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!BeginDeferWindowPos 0000000076c563b5 5 bytes JMP 00000001003f07d8
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 0000000100690590
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 00000001003f06b4
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 00000001003f0b44
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 00000001003f0d8c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!AttachThreadInput 0000000076c6f188 5 bytes JMP 00000001003f0c68
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076c6f52b 5 bytes JMP 0000000100250a08
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!SetClipboardData 0000000076c88e57 5 bytes JMP 00000001006907d8
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!DdeConnect 0000000076c8eb7f 5 bytes JMP 00000001003f0fd4
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!StartServiceW 0000000077437974 5 bytes JMP 0000000100330eb4
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007743ca4c 5 bytes JMP 0000000100330c6c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000077442bf0 5 bytes JMP 0000000100330b48
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007744369c 5 bytes JMP 0000000100330594
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!CreateServiceW 000000007745712c 5 bytes JMP 0000000100330900
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!ControlService 0000000077457144 5 bytes JMP 00000001003306b8
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!DeleteService 000000007745715c 5 bytes JMP 0000000100330a24
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2A 00000000774730c8 5 bytes JMP 000000010033034c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2W 00000000774730d8 5 bytes JMP 0000000100330470
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000774730e8 5 bytes JMP 0000000100330104
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000774730f8 5 bytes JMP 0000000100330228
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000077473158 5 bytes JMP 00000001003307dc
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!StartServiceA 0000000077473543 5 bytes JMP 0000000100330d90
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!LsaAddAccountRights 0000000077478819 4 bytes JMP 0000000100330fd8
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!LsaRemoveAccountRights 00000000774788b1 5 bytes JMP 00000001003d0100
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e15181 5 bytes JMP 0000000100261014
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e15254 5 bytes JMP 0000000100260804
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e153d5 5 bytes JMP 0000000100260a08
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e154c2 5 bytes JMP 0000000100260c0c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e155e2 5 bytes JMP 0000000100260e10
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e1567c 5 bytes JMP 00000001002601f8
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e1589f 5 bytes JMP 00000001002603fc
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075e15a22 5 bytes JMP 0000000100260600
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ole32.dll!CLSIDFromProgIDEx 0000000076e30782 5 bytes JMP 00000001003f0224
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ole32.dll!CLSIDFromProgID 0000000076e4503c 5 bytes JMP 00000001003f0348
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ole32.dll!CoGetClassObject 0000000076e554ad 5 bytes JMP 00000001003f046c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076e69d4e 5 bytes JMP 00000001003f0590
    .text C:\Program Files\TOSHIBA\rselect\RSelSvc.exe[748] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\Program Files\TOSHIBA\rselect\RSelSvc.exe[748] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\Program Files\TOSHIBA\rselect\RSelSvc.exe[748] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\Program Files\TOSHIBA\rselect\RSelSvc.exe[748] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\Program Files\TOSHIBA\rselect\RSelSvc.exe[748] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\Program Files\TOSHIBA\rselect\RSelSvc.exe[748] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\Program Files\TOSHIBA\rselect\RSelSvc.exe[748] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\Program Files\TOSHIBA\rselect\RSelSvc.exe[748] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\windows\System32\svchost.exe[3648] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\windows\System32\svchost.exe[3648] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\USER32.dll!TranslateMessage 0000000076c47809 5 bytes JMP 00000001003f0590
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\USER32.dll!DispatchMessageW 0000000076c4787b 5 bytes JMP 00000001005e0224
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\USER32.dll!DispatchMessageA 0000000076c47bbb 5 bytes JMP 00000001003f046c
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 00000001003f0eb0
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 00000001003f0c68
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001003f0a20
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076c53982 5 bytes JMP 00000001002603fc
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 00000001003f0d8c
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\USER32.dll!CreateAcceleratorTableW 0000000076c54e04 5 bytes JMP 00000001003f0fd4
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\USER32.dll!BeginDeferWindowPos 0000000076c563b5 5 bytes JMP 00000001003f0348
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 00000001005e0100
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 00000001003f0224
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 00000001003f06b4
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 00000001003f08fc
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\USER32.dll!AttachThreadInput 0000000076c6f188 5 bytes JMP 00000001003f07d8
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076c6f52b 5 bytes JMP 0000000100260a08
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\USER32.dll!SetClipboardData 0000000076c88e57 5 bytes JMP 00000001005e0348
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\USER32.dll!DdeConnect 0000000076c8eb7f 5 bytes JMP 00000001003f0b44
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\ADVAPI32.dll!StartServiceW 0000000077437974 5 bytes JMP 00000001002b0eb4
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007743ca4c 5 bytes JMP 00000001002b0c6c
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000077442bf0 5 bytes JMP 00000001002b0b48
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007744369c 5 bytes JMP 00000001002b0594
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\ADVAPI32.dll!CreateServiceW 000000007745712c 5 bytes JMP 00000001002b0900
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\ADVAPI32.dll!ControlService 0000000077457144 5 bytes JMP 00000001002b06b8
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\ADVAPI32.dll!DeleteService 000000007745715c 5 bytes JMP 00000001002b0a24
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2A 00000000774730c8 5 bytes JMP 00000001002b034c
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2W 00000000774730d8 5 bytes JMP 00000001002b0470
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000774730e8 5 bytes JMP 00000001002b0104
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000774730f8 5 bytes JMP 00000001002b0228
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000077473158 5 bytes JMP 00000001002b07dc
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\ADVAPI32.dll!StartServiceA 0000000077473543 5 bytes JMP 00000001002b0d90
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\ADVAPI32.dll!LsaAddAccountRights 0000000077478819 4 bytes JMP 00000001002b0fd8
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\syswow64\ADVAPI32.dll!LsaRemoveAccountRights 00000000774788b1 5 bytes JMP 00000001003d0100
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e15181 5 bytes JMP 0000000100271014
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e15254 5 bytes JMP 0000000100270804
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e153d5 5 bytes JMP 0000000100270a08
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e154c2 5 bytes JMP 0000000100270c0c
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e155e2 5 bytes JMP 0000000100270e10
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e1567c 5 bytes JMP 00000001002701f8
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e1589f 5 bytes JMP 00000001002703fc
    .text C:\Users\Miche\Desktop\1j959lg3.exe[6428] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075e15a22 5 bytes JMP 0000000100270600

    ---- Kernel IAT/EAT - GMER 2.0 ----

    IAT C:\windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff8800111f650] \SystemRoot\System32\Drivers\spye.sys [unknown section]
    IAT C:\windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff8800111f5dc] \SystemRoot\System32\Drivers\spye.sys [unknown section]
    IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010ea35c] \SystemRoot\System32\Drivers\spye.sys [unknown section]
    IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010ea224] \SystemRoot\System32\Drivers\spye.sys [unknown section]
    IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010eaa24] \SystemRoot\System32\Drivers\spye.sys [unknown section]
    IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010eaba0] \SystemRoot\System32\Drivers\spye.sys [unknown section]

    ---- Devices - GMER 2.0 ----

    Device \Driver\adhdg52c \Device\Scsi\adhdg52c1Port1Path0Target0Lun0
    Device \Driver\adhdg52c \Device\Scsi\adhdg52c1
    Device \FileSystem\Ntfs \Ntfs
    Device \Driver\NetBT \Device\NetBT_Tcpip_{72E69638-A317-4318-BCD0-4881191730EF} ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbehci \Device\USBFDO-7 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBPDO-5 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbehci \Device\USBFDO-3 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBPDO-1 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\cdrom \Device\CdRom0 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\cdrom \Device\CdRom1 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBPDO-6 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBFDO-4 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBFDO-0 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBPDO-2 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbehci \Device\USBPDO-7 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBFDO-5 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbehci \Device\USBPDO-3 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBFDO-1 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\volmgr \Device\HarddiskVolume1 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\volmgr \Device\FtControl ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\volmgr \Device\VolMgrControl ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\volmgr \Device\HarddiskVolume2 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\volmgr \Device\HarddiskVolume3 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\volmgr \Device\HarddiskVolume4 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\NetBT \Device\NetBt_Wins_Export ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBFDO-6 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBPDO-4 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBFDO-2
    Device \Driver\usbuhci \Device\USBPDO-0
    Device \Driver\adhdg52c \Device\ScsiPort1
    Device \Driver\NetBT \Device\NetBT_Tcpip_{AF9DB8C2-72B8-4C25-873B-CF2061A430A4}
    Device \Driver\Smb \Device\NetbiosSmb

    ---- Modules - GMER 2.0 ----

    Module \SystemRoot\System32\Drivers\spye.sys fffff880010bd000-fffff880011e3000 (1204224 bytes)
    Module \SystemRoot\System32\Drivers\adhdg52c.SYS fffff88004c39000-fffff88004c7e000 (282624 bytes)
    Module \??\C:\windows\system32\PavTPK.sys fffff8800247c000-fffff8800248b000 (61440 bytes)
    Module \SystemRoot\system32\DRIVERS\Prot6Flt.sys fffff88007740000-fffff8800774a000 (40960 bytes)

    ---- Threads - GMER 2.0 ----

    Thread C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [1012:424] 00000000502e1fb0
    Thread C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [1012:420] 00000000502e1fb0
    Thread C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [1012:412] 00000000502e1fb0
    Thread C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [1012:468] 00000000502e1fb0
    Thread C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [1012:1628] 00000000501921b0
    Thread C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [1012:1192] 000000002569d9c3
    Thread C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [1012:3976] 0000000050121230
    Thread C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [1012:3888] 0000000050121230
    Thread C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [1012:4024] 0000000050121230
    Thread C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [1012:3696] 0000000050121230
    Thread C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [1012:4092] 0000000050121230
    Thread C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [1012:3900] 0000000050121230
    Thread C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [1012:2736] 0000000050121230
    Thread C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [1012:3104] 0000000050121230
    Thread C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [1012:5616] 0000000050257515
    Thread C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [1012:6932] 000000005024826a
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:1396] 0000000050066778
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:4292] 00000000757529e1
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:5476] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:4312] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:5008] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:1052] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:4408] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:5624] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:5728] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:4580] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:5468] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:5392] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:5896] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:4860] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:5532] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:5732] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:5744] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:5528] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:5380] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:5236] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:5360] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:2672] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:5108] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:2396] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:3412] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:5156] 000000000c2feae8
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:3612] 0000000076e4d864
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:4748] 0000000025921706
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:5604] 0000000072a132fb
    Thread C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364:4996] 00000000750e62ee
    Thread C:\windows\system32\svchost.exe [1156:2656] 000007fef78a6ed4
    Thread C:\windows\system32\svchost.exe [1156:5672] 000007fef78a6b8c
    Thread [2868:2484] 0000000075e17587
    Thread [2868:2496] 0000000077e92e25
    Thread [2868:2732] 000000003d3ebda0
    Thread [2868:1216] 000000000802a770
    Thread [2868:2616] 0000000008017bd0
    Thread [2868:2332] 00000000080166e0
    Thread [2868:1680] 0000000002b024c0
    Thread [2868:5168] 0000000077e93e45
    Thread [2868:6444] 0000000077e93e45
    Thread C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavFnSvr.exe [2784:6836] 00000000750e62ee
    Thread [4320:1732] 000000005029d56d
    Thread [4320:5004] 0000000077e92e25
    Thread [4320:4176] 0000000073afa6e3
    Thread [4320:3280] 0000000073af5548
    Thread [4320:2824] 0000000072a132fb
    Thread [4320:6284] 0000000077e93e45
    Thread C:\Program Files\AVAST Software\Avast\AvastUI.exe [3680:5020] 0000000073f613b0
    Thread C:\Program Files\AVAST Software\Avast\AvastUI.exe [3680:3084] 0000000074e304d0
    Thread C:\windows\System32\svchost.exe [3648:1620] 000007fef7659688

    ---- Processes - GMER 2.0 ----

    Library ? (*** suspicious ***) @ C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PskSvc.exe [968] 0000000077210000
    Library ? (*** suspicious ***) @ C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [1012] 0000000077210000
    Library ? (*** suspicious ***) @ C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364] 0000000077210000
    Library ? (*** suspicious ***) @ C:\windows\system32\svchost.exe [1156] 000007fefb620000
    Library ? (*** suspicious ***) @ [2868] 0000000010d80000
    Library ? (*** suspicious ***) @ C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavFnSvr.exe [2784] 0000000075ab0000
    Library ? (*** suspicious ***) @ C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\pavsrvx86.exe [2212] 0000000077210000
    Library ? (*** suspicious ***) @ C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe [3840] 00000000004d0000
    Library ? (*** suspicious ***) @ [4320] 0000000000400000
    Library ? (*** suspicious ***) @ C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe [4088] 0000000000410000
    Library ? (*** suspicious ***) @ C:\Program Files\AVAST Software\Avast\AvastUI.exe [3680] 0000000050260000
    Library ? (*** suspicious ***) @ C:\windows\System32\svchost.exe [3648] 000007fefff20000

    ---- Registry - GMER 2.0 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\[email protected] 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\[email protected] 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\[email protected] 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\[email protected] C:\Program Files (x86)\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\[email protected] 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\[email protected] 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\[email protected] 0x57 0x5E 0x5A 0x97 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\[email protected] 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\[email protected] 0xA6 0x55 0xEE 0x71 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\[email protected] 0xBB 0x28 0x49 0x67 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\[email protected] C:\Program Files (x86)\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\[email protected] 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\[email protected] 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\[email protected] 0x57 0x5E 0x5A 0x97 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\[email protected] 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\[email protected] 0xA6 0x55 0xEE 0x71 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\[email protected] 0xBB 0x28 0x49 0x67 ...

    ---- EOF - GMER 2.0 ----



    Sorry about the triple post, I couldn't figure out how to post it all in one post due to character limit.

    Thank you very much.

    miche
     
  4. Miche

    Miche Thread Starter

    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000077e10390
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077cb1810 5 bytes JMP 00000001002e1284
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 0000000077e103c0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000077e10230
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0x15e890}
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000077e10460
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000077e10370
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 0000000077e102f0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000077e10350
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000077e10290
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 0000000077e102b0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 0000000077e103a0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000077e10330
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0x15e590}
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 0000000077e103e0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000077e10240
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e101e0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 1 byte JMP 0000000077e103d0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077cb2842 3 bytes {JMP 0x15db90}
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000077e10400
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2208] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 1 byte JMP 0000000077e103d0
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077cb2842 3 bytes {JMP 0x15db90}
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000077e10400
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3200] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c83ae0 5 bytes JMP 000000010063075c
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c87a90 5 bytes JMP 00000001006303a4
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000077e10440
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000077e10430
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077cb1490 5 bytes JMP 0000000100630b14
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077cb14f0 5 bytes JMP 0000000100630ecc
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000077e10450
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0x15ee90}
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 000000010063163c
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000077e10320
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e10380
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 0000000077e102e0
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000077e10410
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 0000000077e102d0
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000077e10310
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000077e10390
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077cb1810 5 bytes JMP 0000000100631284
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 0000000077e103c0
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000077e10230
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0x15e890}
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000077e10460
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000077e10370
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 0000000077e102f0
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000077e10350
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000077e10290
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 0000000077e102b0
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 0000000077e103a0
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000077e10330
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0x15e590}
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 0000000077e103e0
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000077e10240
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e101e0
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 1 byte JMP 0000000077e103d0
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077cb2842 3 bytes {JMP 0x15db90}
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000077e10400
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3608] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c83ae0 5 bytes JMP 00000001003c075c
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c87a90 5 bytes JMP 00000001003c03a4
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000077e10440
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000077e10430
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077cb1490 5 bytes JMP 00000001003c0b14
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077cb14f0 5 bytes JMP 00000001003c0ecc
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000077e10450
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0x15ee90}
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 00000001003c163c
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000077e10320
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e10380
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 0000000077e102e0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000077e10410
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 0000000077e102d0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000077e10310
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000077e10390
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077cb1810 5 bytes JMP 00000001003c1284
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 0000000077e103c0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000077e10230
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0x15e890}
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000077e10460
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000077e10370
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 0000000077e102f0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000077e10350
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000077e10290
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 0000000077e102b0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 0000000077e103a0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000077e10330
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0x15e590}
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 0000000077e103e0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000077e10240
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e101e0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 1 byte JMP 0000000077e103d0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077cb2842 3 bytes {JMP 0x15db90}
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000077e10400
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2588] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c83ae0 5 bytes JMP 00000001001e075c
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c87a90 5 bytes JMP 00000001001e03a4
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtReadFile 0000000077cb1370 5 bytes JMP 0000000077e40bf8
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077cb1390 5 bytes JMP 0000000077e40e68
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000077e10440
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtClose 0000000077cb1400 5 bytes JMP 0000000077e30ac0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000077e10430
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 0000000077cb1440 5 bytes JMP 0000000077e40238
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000077cb1480 5 bytes JMP 0000000077e404a8
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077cb1490 5 bytes JMP 00000001001e0b14
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077cb14e0 5 bytes JMP 0000000077e30bf8
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077cb14f0 5 bytes JMP 00000001001e0ecc
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077cb1580 5 bytes JMP 0000000077e40d30
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000077e10450
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0x15ee90}
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 00000001001e163c
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtEnumerateKey 0000000077cb1630 5 bytes JMP 0000000077e40100
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077cb1640 5 bytes JMP 0000000077e40ac0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000077e10320
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e40fa0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077cb16d0 5 bytes JMP 0000000077e30fa0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 0000000077e102e0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000077e10410
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 0000000077e102d0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000077e10310
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000077e10390
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077cb1810 5 bytes JMP 00000001001e1284
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 0000000077e103c0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077cb1860 5 bytes JMP 0000000077e40850
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000077cb1910 5 bytes JMP 0000000077e405e0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000077e10230
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0x15e890}
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000077e10460
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000077e10370
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 0000000077e102f0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000077e10350
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000077e10290
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 0000000077e102b0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 0000000077e103a0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000077e10330
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0x15e590}
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 0000000077e103e0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000077e10240
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077cb1e60 5 bytes JMP 0000000077e40988
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000077cb1e70 5 bytes JMP 0000000077e30d30
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077cb1ea0 5 bytes JMP 0000000077e30e68
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e50238
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 0000000077cb2540 5 bytes JMP 0000000077e40370
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 5 bytes JMP 0000000077e50100
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000077e10400
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000077cb2b90 5 bytes JMP 0000000077e40718
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\KERNEL32.dll!MapViewOfFile 0000000077a4e390 5 bytes JMP 0000000077e304a8
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\KERNEL32.dll!CreateFileMappingA 0000000077a4ead0 5 bytes JMP 0000000077e30370
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\KERNEL32.dll!CreateFileMappingW 0000000077a4f9f0 5 bytes JMP 0000000077e30718
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\KERNEL32.dll!CopyFileExW 0000000077a523d0 5 bytes JMP 0000000077e305e0
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\KERNEL32.dll!MapViewOfFileEx 0000000077a63140 5 bytes JMP 0000000077e30238
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\KERNEL32.dll!TerminateProcess + 1 0000000077a8bca1 4 bytes {JMP 0x3a4460}
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\KERNEL32.dll!CreateRemoteThread 0000000077a8c510 5 bytes JMP 0000000077e30850
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\KERNEL32.dll!MoveFileWithProgressW 0000000077acf6c0 5 bytes JMP 0000000077e30988
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\ole32.dll!CLSIDFromProgID 000007fefe299980 5 bytes JMP 000007feff8a04a8
    .text C:\windows\system32\SearchIndexer.exe[3008] C:\windows\system32\ole32.dll!CLSIDFromProgIDEx 000007fefe29a4c4 5 bytes JMP 000007feff8a0370
    .text C:\windows\system32\igfxext.exe[3516] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\windows\system32\igfxext.exe[3516] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\windows\system32\igfxext.exe[3516] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\windows\system32\igfxext.exe[3516] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\windows\system32\igfxext.exe[3516] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\windows\system32\igfxext.exe[3516] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\windows\system32\igfxext.exe[3516] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\windows\system32\igfxext.exe[3516] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c83ae0 5 bytes JMP 00000001003a075c
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c87a90 5 bytes JMP 00000001003a03a4
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000077e10440
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000077e10430
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077cb1490 5 bytes JMP 00000001003a0b14
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077cb14f0 5 bytes JMP 00000001003a0ecc
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000077e10450
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0x15ee90}
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 00000001003a163c
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000077e10320
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e10380
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 0000000077e102e0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000077e10410
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 0000000077e102d0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000077e10310
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000077e10390
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077cb1810 5 bytes JMP 00000001003a1284
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 0000000077e103c0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000077e10230
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0x15e890}
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000077e10460
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000077e10370
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 0000000077e102f0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000077e10350
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000077e10290
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 0000000077e102b0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 0000000077e103a0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000077e10330
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0x15e590}
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 0000000077e103e0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000077e10240
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e101e0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 1 byte JMP 0000000077e103d0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077cb2842 3 bytes {JMP 0x15db90}
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000077e10400
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4756] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4240] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4240] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4240] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4240] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4240] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4240] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4240] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4240] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c83ae0 5 bytes JMP 00000001002b075c
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c87a90 5 bytes JMP 00000001002b03a4
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000100070440
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000100070430
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077cb1490 5 bytes JMP 00000001002b0b14
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077cb14f0 5 bytes JMP 00000001002b0ecc
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000100070450
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0xffffffff883bee90}
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 00000001002b163c
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000100070320
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000100070380
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 00000001000702e0
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000100070410
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 00000001000702d0
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000100070310
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000100070390
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077cb1810 5 bytes JMP 00000001002b1284
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 00000001000703c0
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000100070230
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0xffffffff883be890}
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000100070460
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000100070370
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 00000001000702f0
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000100070350
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000100070290
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 00000001000702b0
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 00000001000703a0
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000100070330
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0xffffffff883be590}
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 00000001000703e0
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000100070240
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 00000001000701e0
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000100070250
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0xffffffff883be090}
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000100070470
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000100070480
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000100070300
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000100070360
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 00000001000702a0
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 00000001000702c0
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000100070340
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000100070420
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000100070260
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000100070270
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 1 byte JMP 00000001000703d0
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077cb2842 3 bytes {JMP 0xffffffff883bdb90}
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 00000001000701f0
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000100070210
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000100070200
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 00000001000703f0
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000100070400
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000100070220
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000100070280
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\windows\system32\svchost.exe[4380] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4964] C:\windows\SysWOW64\ntdll.dll!NtReadFile 0000000077e5f8d0 5 bytes JMP 0000000100530b44
    .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4964] C:\windows\SysWOW64\ntdll.dll!NtWriteFile 0000000077e5f908 5 bytes JMP 0000000100530d8c
    .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4964] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077e5f9c0 5 bytes JMP 0000000100520b44
    .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4964] C:\windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077e5fa20 5 bytes JMP 0000000100530224
    .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4964] C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077e5fa88 5 bytes JMP 000000010053046c
    .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4964] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077e5faa0 5 bytes JMP 0000000100030600
    .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4964] C:\windows\SysWOW64\ntdll.dll!NtCreateKey 0000000077e5fb20 5 bytes JMP 0000000100520c68
    .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4964] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077e5fb38 5 bytes JMP 0000000100030804
    .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4964] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077e5fc18 5 bytes JMP 0000000100530c68
    .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4964] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077e5fc90 5 bytes JMP 0000000100030c0c
    .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4964] C:\windows\SysWOW64\ntdll.dll!NtEnumerateKey 0000000077e5fd2c 5 bytes JMP 0000000100530100
    .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4964] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077e5fd44 5 bytes JMP 0000000100530a20
    .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4964] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077e5fdf4 5 bytes JMP 0000000100530eb0
    .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4964] C:\windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077e5fe24 5 bytes JMP 0000000100520fd4
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077e5fdf4 5 bytes JMP 00000001003e0eb0
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077e5fe24 5 bytes JMP 00000001003d0fd4
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077e60018 5 bytes JMP 0000000100030a08
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077e60094 5 bytes JMP 00000001003e07d8
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077e601a4 5 bytes JMP 00000001003e0590
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtDeleteFile 0000000077e609c4 5 bytes JMP 00000001003e08fc
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtDeleteKey 0000000077e609dc 5 bytes JMP 00000001003d0d8c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077e60a24 5 bytes JMP 00000001003d0eb0
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077e60dd4 5 bytes JMP 00000001003f0100
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 0000000077e6145c 5 bytes JMP 00000001003e0348
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077e61900 5 bytes JMP 00000001003e0fd4
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!NtUnloadKey 0000000077e61e50 5 bytes JMP 00000001003e06b4
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077e7c45a 5 bytes JMP 00000001000301f8
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077e81217 5 bytes JMP 00000001000303fc
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\KERNEL32.dll!MapViewOfFile 0000000075c418f1 5 bytes JMP 00000001003d0590
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\KERNEL32.dll!CreateFileMappingW 0000000075c41909 5 bytes JMP 00000001003d07d8
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\KERNEL32.dll!MapViewOfFileEx 0000000075c44c6b 5 bytes JMP 00000001003d0348
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\KERNEL32.dll!CreateFileMappingA 0000000075c454ee 5 bytes JMP 00000001003d046c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 0000000075c59ab4 5 bytes JMP 00000001003d0a20
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\KERNEL32.dll!TerminateProcess 0000000075c5d7ea 5 bytes JMP 00000001003d0224
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\KERNEL32.dll!CopyFileExW 0000000075c63b7a 5 bytes JMP 00000001003d06b4
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075c6a30a 1 byte [62]
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\KERNEL32.dll!CreateRemoteThread 0000000075cc41db 5 bytes JMP 00000001003d08fc
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!TranslateMessage 0000000076c47809 5 bytes JMP 00000001003f0a20
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!DispatchMessageW 0000000076c4787b 5 bytes JMP 00000001006906b4
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!DispatchMessageA 0000000076c47bbb 5 bytes JMP 00000001003f08fc
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!SetWinEventHook 0000000076c4ee09 5 bytes JMP 0000000100690348
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!PostMessageW 0000000076c512a5 5 bytes JMP 0000000100690100
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!GetKeyState 0000000076c5291f 5 bytes JMP 00000001003f0eb0
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076c53982 5 bytes JMP 00000001002503fc
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076c53baa 5 bytes JMP 0000000100690224
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!CreateAcceleratorTableW 0000000076c54e04 5 bytes JMP 000000010069046c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!BeginDeferWindowPos 0000000076c563b5 5 bytes JMP 00000001003f07d8
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c57603 5 bytes JMP 0000000100690590
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c5835c 5 bytes JMP 00000001003f06b4
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076c6eb96 5 bytes JMP 00000001003f0b44
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!GetKeyboardState 0000000076c6ec68 5 bytes JMP 00000001003f0d8c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!AttachThreadInput 0000000076c6f188 5 bytes JMP 00000001003f0c68
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076c6f52b 5 bytes JMP 0000000100250a08
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!SetClipboardData 0000000076c88e57 5 bytes JMP 00000001006907d8
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\USER32.dll!DdeConnect 0000000076c8eb7f 5 bytes JMP 00000001003f0fd4
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!StartServiceW 0000000077437974 5 bytes JMP 0000000100330eb4
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007743ca4c 5 bytes JMP 0000000100330c6c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000077442bf0 5 bytes JMP 0000000100330b48
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!CloseServiceHandle 000000007744369c 5 bytes JMP 0000000100330594
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!CreateServiceW 000000007745712c 5 bytes JMP 0000000100330900
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!ControlService 0000000077457144 5 bytes JMP 00000001003306b8
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!DeleteService 000000007745715c 5 bytes JMP 0000000100330a24
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2A 00000000774730c8 5 bytes JMP 000000010033034c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2W 00000000774730d8 5 bytes JMP 0000000100330470
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000774730e8 5 bytes JMP 0000000100330104
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000774730f8 5 bytes JMP 0000000100330228
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000077473158 5 bytes JMP 00000001003307dc
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!StartServiceA 0000000077473543 5 bytes JMP 0000000100330d90
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!LsaAddAccountRights 0000000077478819 4 bytes JMP 0000000100330fd8
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ADVAPI32.dll!LsaRemoveAccountRights 00000000774788b1 5 bytes JMP 00000001003d0100
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e15181 5 bytes JMP 0000000100261014
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e15254 5 bytes JMP 0000000100260804
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e153d5 5 bytes JMP 0000000100260a08
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e154c2 5 bytes JMP 0000000100260c0c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e155e2 5 bytes JMP 0000000100260e10
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e1567c 5 bytes JMP 00000001002601f8
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e1589f 5 bytes JMP 00000001002603fc
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075e15a22 5 bytes JMP 0000000100260600
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ole32.dll!CLSIDFromProgIDEx 0000000076e30782 5 bytes JMP 00000001003f0224
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ole32.dll!CLSIDFromProgID 0000000076e4503c 5 bytes JMP 00000001003f0348
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ole32.dll!CoGetClassObject 0000000076e554ad 5 bytes JMP 00000001003f046c
    .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[1044] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076e69d4e 5 bytes JMP 00000001003f0590
    .text C:\Program Files\TOSHIBA\rselect\RSelSvc.exe[748] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\Program Files\TOSHIBA\rselect\RSelSvc.exe[748] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\Program Files\TOSHIBA\rselect\RSelSvc.exe[748] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\Program Files\TOSHIBA\rselect\RSelSvc.exe[748] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\Program Files\TOSHIBA\rselect\RSelSvc.exe[748] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\Program Files\TOSHIBA\rselect\RSelSvc.exe[748] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\Program Files\TOSHIBA\rselect\RSelSvc.exe[748] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\Program Files\TOSHIBA\rselect\RSelSvc.exe[748] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\windows\System32\svchost.exe[3648] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\windows\System32\svchost.exe[3648] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\windows\System32\svchost.exe[3648] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\windows\System32\svchost.exe[3648] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\windows\System32\svchost.exe[3648] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\windows\System32\svchost.exe[3648] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\windows\System32\svchost.exe[3648] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\windows\System32\svchost.exe[3648] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c83ae0 5 bytes JMP 00000001002d075c
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c87a90 5 bytes JMP 00000001002d03a4
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077cb13c0 5 bytes JMP 0000000077e10440
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077cb1410 5 bytes JMP 0000000077e10430
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077cb1490 5 bytes JMP 00000001002d0b14
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077cb14f0 5 bytes JMP 00000001002d0ecc
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077cb15c0 1 byte JMP 0000000077e10450
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077cb15c2 3 bytes {JMP 0x15ee90}
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077cb15d0 5 bytes JMP 00000001002d163c
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077cb1680 5 bytes JMP 0000000077e10320
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077cb16b0 5 bytes JMP 0000000077e10380
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077cb1710 5 bytes JMP 0000000077e102e0
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077cb1760 5 bytes JMP 0000000077e10410
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077cb1790 5 bytes JMP 0000000077e102d0
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077cb17b0 5 bytes JMP 0000000077e10310
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077cb17f0 5 bytes JMP 0000000077e10390
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077cb1810 5 bytes JMP 00000001002d1284
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077cb1840 5 bytes JMP 0000000077e103c0
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077cb19a0 1 byte JMP 0000000077e10230
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077cb19a2 3 bytes {JMP 0x15e890}
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb1b60 5 bytes JMP 0000000077e10460
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077cb1b90 5 bytes JMP 0000000077e10370
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077cb1c70 5 bytes JMP 0000000077e102f0
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077cb1c80 5 bytes JMP 0000000077e10350
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077cb1ce0 5 bytes JMP 0000000077e10290
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077cb1d70 5 bytes JMP 0000000077e102b0
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077cb1d90 5 bytes JMP 0000000077e103a0
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077cb1da0 1 byte JMP 0000000077e10330
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077cb1da2 3 bytes {JMP 0x15e590}
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077cb1e10 5 bytes JMP 0000000077e103e0
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077cb1e40 5 bytes JMP 0000000077e10240
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077cb2100 5 bytes JMP 0000000077e101e0
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077cb21c0 1 byte JMP 0000000077e10250
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077cb21c2 3 bytes {JMP 0x15e090}
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077cb21f0 5 bytes JMP 0000000077e10470
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077cb2200 5 bytes JMP 0000000077e10480
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077cb2230 5 bytes JMP 0000000077e10300
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077cb2240 5 bytes JMP 0000000077e10360
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077cb22a0 5 bytes JMP 0000000077e102a0
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077cb22f0 5 bytes JMP 0000000077e102c0
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077cb2330 5 bytes JMP 0000000077e10340
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077cb2620 5 bytes JMP 0000000077e10420
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077cb2820 5 bytes JMP 0000000077e10260
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077cb2830 5 bytes JMP 0000000077e10270
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077cb2840 1 byte JMP 0000000077e103d0
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077cb2842 3 bytes {JMP 0x15db90}
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077cb2a00 5 bytes JMP 0000000077e101f0
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077cb2a10 5 bytes JMP 0000000077e10210
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077cb2a80 5 bytes JMP 0000000077e10200
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077cb2ae0 5 bytes JMP 0000000077e103f0
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077cb2af0 5 bytes JMP 0000000077e10400
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077cb2b00 5 bytes JMP 0000000077e10220
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077cb2be0 5 bytes JMP 0000000077e10280
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a9eecd 1 byte [62]
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\system32\WS2_32.dll!WSASend 000007feff8913b0 5 bytes JMP 000007feff9f0ac0
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\system32\WS2_32.dll!closesocket 000007feff8918e0 5 bytes JMP 000007feff9f0d30
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\system32\WS2_32.dll!WSARecv 000007feff892200 5 bytes JMP 000007feff9f0850
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\system32\WS2_32.dll!connect 000007feff8945c0 5 bytes JMP 000007feff9f0100
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\system32\WS2_32.dll!send 000007feff898000 5 bytes JMP 000007feff9f04a8
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\system32\WS2_32.dll!sendto 000007feff89d7f0 5 bytes JMP 000007feff9f05e0
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\system32\WS2_32.dll!recv 000007feff89df40 5 bytes JMP 000007feff9f0238
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\system32\WS2_32.dll!recvfrom 000007feff89eb90 5 bytes JMP 000007feff9f0370
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\system32\WS2_32.dll!WSASendTo 000007feff89ed50 5 bytes JMP 000007feff9f0bf8
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\system32\WS2_32.dll!WSAConnect 000007feff8be0f0 5 bytes JMP 000007feff9f0718
    .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[3792] C:\windows\system32\WS2_32.dll!WSARecvFrom 000007feff8be6c0 5 bytes JMP 000007feff9f0988
    .text C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe[3276] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077c83ae0 5 bytes JMP 000000010024075c
    .text C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe[3276] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077c87a90 5 bytes JMP 00000001002403a4

    ---- Kernel IAT/EAT - GMER 2.0 ----

    IAT C:\windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff8800111f650] \SystemRoot\System32\Drivers\spye.sys [unknown section]
    IAT C:\windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff8800111f5dc] \SystemRoot\System32\Drivers\spye.sys [unknown section]
    IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010ea35c] \SystemRoot\System32\Drivers\spye.sys [unknown section]
    IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010ea224] \SystemRoot\System32\Drivers\spye.sys [unknown section]
    IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010eaa24] \SystemRoot\System32\Drivers\spye.sys [unknown section]
    IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010eaba0] \SystemRoot\System32\Drivers\spye.sys [unknown section]

    ---- Devices - GMER 2.0 ----

    Device \Driver\adhdg52c \Device\Scsi\adhdg52c1Port1Path0Target0Lun0
    Device \Driver\adhdg52c \Device\Scsi\adhdg52c1
    Device \FileSystem\Ntfs \Ntfs
    Device \Driver\NetBT \Device\NetBT_Tcpip_{72E69638-A317-4318-BCD0-4881191730EF} ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbehci \Device\USBFDO-7 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBPDO-5 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbehci \Device\USBFDO-3 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBPDO-1 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\cdrom \Device\CdRom0 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\cdrom \Device\CdRom1 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBPDO-6 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBFDO-4 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBFDO-0 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBPDO-2 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbehci \Device\USBPDO-7 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBFDO-5 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbehci \Device\USBPDO-3 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBFDO-1 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\volmgr \Device\HarddiskVolume1 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\volmgr \Device\FtControl ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\volmgr \Device\VolMgrControl ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\volmgr \Device\HarddiskVolume2 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\volmgr \Device\HarddiskVolume3 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\volmgr \Device\HarddiskVolume4 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\NetBT \Device\NetBt_Wins_Export ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBFDO-6 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBPDO-4 ws\system32\DRIVERS\kbdclass.sys
    Device \Driver\usbuhci \Device\USBFDO-2
    Device \Driver\usbuhci \Device\USBPDO-0
    Device \Driver\adhdg52c \Device\ScsiPort1
    Device \Driver\NetBT \Device\NetBT_Tcpip_{AF9DB8C2-72B8-4C25-873B-CF2061A430A4}
    Device \Driver\Smb \Device\NetbiosSmb

    ---- Modules - GMER 2.0 ----

    Module \SystemRoot\System32\Drivers\spye.sys fffff880010bd000-fffff880011e3000 (1204224 bytes)
    Module \SystemRoot\System32\Drivers\adhdg52c.SYS fffff88004c39000-fffff88004c7e000 (282624 bytes)
    Module \??\C:\windows\system32\PavTPK.sys fffff8800247c000-fffff8800248b000 (61440 bytes)
    Module \SystemRoot\system32\DRIVERS\Prot6Flt.sys fffff88007740000-fffff8800774a000 (40960 bytes)

    ---- Threads - GMER 2.0 ----

    ---- Processes - GMER 2.0 ----

    Library ? (*** suspicious ***) @ C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PskSvc.exe [968] 0000000077210000
    Library ? (*** suspicious ***) @ C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [1012] 0000000077210000
    Library ? (*** suspicious ***) @ C:\PROGRAM FILES (X86)\PANDA SECURITY\PANDA INTERNET SECURITY 2012\WebProxy.exe [1364] 0000000077210000
    Library ? (*** suspicious ***) @ C:\windows\system32\svchost.exe [1156] 000007fefb620000
    Library ? (*** suspicious ***) @ [2868] 0000000010d80000
    Library ? (*** suspicious ***) @ C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavFnSvr.exe [2784] 0000000075ab0000
    Library ? (*** suspicious ***) @ C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\pavsrvx86.exe [2212] 0000000077210000
    Library ? (*** suspicious ***) @ C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe [3840] 00000000004d0000
    Library ? (*** suspicious ***) @ [4320] 0000000000400000
    Library ? (*** suspicious ***) @ C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe [4088] 0000000000410000
    Library ? (*** suspicious ***) @ C:\Program Files\AVAST Software\Avast\AvastUI.exe [3680] 0000000050260000
    Library ? (*** suspicious ***) @ C:\windows\System32\svchost.exe [3648] 000007fefff20000

    ---- Registry - GMER 2.0 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\[email protected] 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\[email protected] 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\[email protected] 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\[email protected] C:\Program Files (x86)\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\[email protected] 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\[email protected] 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\[email protected] 0x57 0x5E 0x5A 0x97 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\[email protected] 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\[email protected] 0xA6 0x55 0xEE 0x71 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\[email protected] 0xBB 0x28 0x49 0x67 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\[email protected] C:\Program Files (x86)\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\[email protected] 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\[email protected] 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\[email protected] 0x57 0x5E 0x5A 0x97 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\[email protected] 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\[email protected] 0xA6 0x55 0xEE 0x71 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\[email protected] 0xBB 0x28 0x49 0x67 ...

    ---- EOF - GMER 2.0 ----


    Sorry about the triple post, I couldn't figure out how to fit it all under the character limit.

    Thank you very much.

    miche
     
  5. Miche

    Miche Thread Starter

    bump
     
  6. kevinf80

    kevinf80 Malware Specialist

    There are two security programs with anti-virus components, Panda and Avast; you must uninstall one of those. As Panda is a full suite with FW etc., maybe best to uninstall AVAST....

    When that is complete re-boot. Then do the following:

    Download http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner by Xplode onto your Desktop.

    • Please close all open programs and internet browsers.
    • Double click on Adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with OK.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

    Next,

    Please download RogueKiller from here http://tigzy.geekstogo.com/Tools/RogueKiller.exe or here http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe and save directly to your Desktop.

    • Quit all running programs
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
    • Wait until Prescan has finished...
    • The following EULA will appear, please select accept
    • Ensure MBR scan, Check faked and AntiRootkit are checked
    • Select Scan
    • When the scan completes select Report, copy and paste that to your reply.
    • The log should be found in RKreport[?].txt on your Desktop
    • Exit/Close RogueKiller

    Post both logs...

    Kevin
     
  7. Miche

    Miche Thread Starter

    Thank you for your time Kevin.



    # AdwCleaner v2.106 - Logfile created 01/18/2013 at 16:59:13
    # Updated 17/01/2013 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : Miche - MICHE-TOSHIBA
    # Boot Mode : Normal
    # Running from : C:\Users\Miche\Downloads\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Deleted : C:\Program Files (x86)\Mozilla Firefox\Plugins\npvsharetvplg.dll
    File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\fcmdSrch.xml
    File Deleted : C:\Users\Miche\AppData\Roaming\Mozilla\Firefox\Profiles\0mkqp9ms.default\searchplugins\Askcom.xml
    Folder Deleted : C:\Program Files (x86)\StartSearch plugin
    Folder Deleted : C:\Program Files\Babylon
    Folder Deleted : C:\ProgramData\Ask
    Folder Deleted : C:\ProgramData\InstallMate
    Folder Deleted : C:\ProgramData\Partner
    Folder Deleted : C:\ProgramData\Premium
    Folder Deleted : C:\Users\Miche\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbiamblgmkgbcgbcgejjgebalncpmhnp
    Folder Deleted : C:\Users\Miche\AppData\LocalLow\boost_interprocess
    Folder Deleted : C:\Users\Miche\AppData\LocalLow\facemoods.com

    ***** [Registry] *****

    Key Deleted : HKCU\Software\1ClickDownload
    Key Deleted : HKCU\Software\Conduit
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8F97BFF8-488B-4107-BCEE-B161AB4E4183}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1B48071-416D-474E-A13B-BE5456E7FC31}
    Key Deleted : HKCU\Software\StartSearch
    Key Deleted : HKCU\Software\SweetIM
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
    Key Deleted : HKLM\SOFTWARE\Classes\MyNewsBarLauncher.IE5BarLauncher
    Key Deleted : HKLM\SOFTWARE\Classes\MyNewsBarLauncher.IE5BarLauncher.1
    Key Deleted : HKLM\SOFTWARE\Classes\MyNewsBarLauncher.IE5BarLauncherBHO
    Key Deleted : HKLM\SOFTWARE\Classes\MyNewsBarLauncher.IE5BarLauncherBHO.1
    Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{79D60450-56C5-4A8C-9321-6D5BC2A81E5A}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{99C22A61-21BA-4F81-85FF-CDC9EB5DB10B}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{BB7256DD-EBA9-480B-8441-A00388C2BEC3}
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\Software\Iminent
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASMANCS
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\facemoodssrv_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\facemoodssrv_RASMANCS
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8F97BFF8-488B-4107-BCEE-B161AB4E4183}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A1B48071-416D-474E-A13B-BE5456E7FC31}
    Key Deleted : HKLM\Software\SweetIM
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{8F97BFF8-488B-4107-BCEE-B161AB4E4183}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A1B48071-416D-474E-A13B-BE5456E7FC31}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{3D782BB2-F2A5-11D3-BF4C-000000000000}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jplinpmadfkdgipabgcdchbdikologlh
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jpnbdefcbnoefmmcpelplabbkfmfhlho
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\pbiamblgmkgbcgbcgejjgebalncpmhnp
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\LiveVDO plugin
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3D782BB2-F2A5-11D3-BF4C-000000000000}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
    Key Deleted : HKLM\SOFTWARE\Software
    Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5}]
    Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run []
    Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.7601.17514

    Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - SearchAssistant] = hxxp://start.facemoods.com/?a=bf&s={searchTerms}&f=4 --> hxxp://www.google.com

    -\\ Mozilla Firefox v18.0 (en-US)

    File : C:\Users\Miche\AppData\Roaming\Mozilla\Firefox\Profiles\0mkqp9ms.default\prefs.js

    C:\Users\Miche\AppData\Roaming\Mozilla\Firefox\Profiles\0mkqp9ms.default\user.js ... Deleted !

    Deleted : user_pref("browser.search.order.1", "Ask.com");
    Deleted : user_pref("extensions.crossriderapp435.435.active", true);
    Deleted : user_pref("extensions.crossriderapp435.435.affid", "0");
    Deleted : user_pref("extensions.crossriderapp435.435.backgroundjs", "\nfunction buttonClick() { \n \n [...]
    Deleted : user_pref("extensions.crossriderapp435.435.backgroundver", 8);
    Deleted : user_pref("extensions.crossriderapp435.435.certdomaininstaller", "");
    Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_aoi.expiration", "Fri Feb 01 2030 00:00:00 GM[...]
    Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_aoi.value", "%221329253335%22");
    Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_geo.expiration", "Sun Aug 19 2012 13:23:30 GM[...]
    Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_geo.value", "%7B%22geoplugin_request%22%3A%22[...]
    Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_parent_zoneid.expiration", "Fri Feb 01 2030 0[...]
    Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_parent_zoneid.value", "%2218727%22");
    Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_zoneid.expiration", "Fri Feb 01 2030 00:00:00[...]
    Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_zoneid.value", "%2219382%22");
    Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_ID.expiration", "Fri Feb 01 2030 00:00:00 GM[...]
    Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_ID.value", "1466");
    Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_custom_zoneid.expiration", "Fri Feb 01 2030 [...]
    Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_custom_zoneid.value", "14969");
    Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_pubid.expiration", "Fri Feb 01 2030 00:00:00[...]
    Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_pubid.value", "%222993%22");
    Deleted : user_pref("extensions.crossriderapp435.435.description", "Premiumplay Codec check");
    Deleted : user_pref("extensions.crossriderapp435.435.domain", "");
    Deleted : user_pref("extensions.crossriderapp435.435.emailsig", "");
    Deleted : user_pref("extensions.crossriderapp435.435.exposesites", "");
    Deleted : user_pref("extensions.crossriderapp435.435.fbremoteurl", "");
    Deleted : user_pref("extensions.crossriderapp435.435.group", 0);
    Deleted : user_pref("extensions.crossriderapp435.435.homepage", "");
    Deleted : user_pref("extensions.crossriderapp435.435.iframe", false);
    Deleted : user_pref("extensions.crossriderapp435.435.js", "\n//------------------ PLUGIN app_435_specific STA[...]
    Deleted : user_pref("extensions.crossriderapp435.435.name", "Codec-V");
    Deleted : user_pref("extensions.crossriderapp435.435.premium", true);
    Deleted : user_pref("extensions.crossriderapp435.435.publisher", "Premiumplay");
    Deleted : user_pref("extensions.crossriderapp435.435.settingsurl", "");
    Deleted : user_pref("extensions.crossriderapp435.435.thankyou", "");
    Deleted : user_pref("extensions.crossriderapp435.435.ver", 57);
    Deleted : user_pref("extensions.crossriderapp435.apps", "435");
    Deleted : user_pref("extensions.crossriderapp435.bic", "1310f0d7d581566238fb94bfcc5ddb37");
    Deleted : user_pref("extensions.crossriderapp435.cid", 435);
    Deleted : user_pref("extensions.crossriderapp435.firstrun", false);
    Deleted : user_pref("extensions.crossriderapp435.hadappinstalled", true);
    Deleted : user_pref("extensions.crossriderapp435.installationdate", 1310217568);
    Deleted : user_pref("extensions.crossriderapp435.jsver", 3);
    Deleted : user_pref("extensions.crossriderapp435.lastcheck", 22412903);
    Deleted : user_pref("extensions.crossriderapp435.lastcheckitem", 22413171);
    Deleted : user_pref("extensions.crossriderapp435.misc.lastBgWorkerTimer", "1344790680664");
    Deleted : user_pref("extensions.crossriderapp435.misc.lastDomWorkerTimer", "1344790680635");
    Deleted : user_pref("extensions.facemoods.aflt", "_#bf");
    Deleted : user_pref("extensions.facemoods.firstRun", false);
    Deleted : user_pref("extensions.facemoods.lastActv", "10");
    Deleted : user_pref("vshare.install.date", "1284249600000");
    Deleted : user_pref("vshare.install.finished", "1.0.0");
    Deleted : user_pref("vshare.install.guid", "{60fefd9a-6d9c-4b02-bc77-d4d831c3ebae}");
    Deleted : user_pref("vshare.install.isHidden", true);
    Deleted : user_pref("vshare.install.laststatreq", "1304726400000");
    Deleted : user_pref("vshare.install.newtab", false);

    -\\ Google Chrome v24.0.1312.52

    File : C:\Users\Miche\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[S1].txt - [11248 octets] - [18/01/2013 16:59:13]

    ########## EOF - C:\AdwCleaner[S1].txt - [11309 octets] ##########

    RogueKiller V8.4.3 [Jan 10 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Miche [Admin rights]
    Mode : Scan -- Date : 01/18/2013 17:09:07

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 3 ¤¤¤
    [TASK][SUSP PATH] 43943e38 : C:\Users\Miche\AppData\Local\Temp\\setup4274450624.exe -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [Tr.Karagany][FOLDER] plugs : C:\Users\Miche\AppData\Roaming\Adobe\plugs --> FOUND
    [Tr.Karagany][FOLDER] shed : C:\Users\Miche\AppData\Roaming\Adobe\shed --> FOUND

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\windows\system32\drivers\etc\hosts

    127.0.0.1 localhost
    ::1 localhost #[IPv6]
    [...]


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: Hitachi HTS545050B9A300 +++++
    --- User ---
    [MBR] 609dd1782ff892f180036f50986bac5b
    [BSP] 322ddc5a98f6aa570f013d3ade36164f : Windows Vista MBR Code
    Partition table:
    0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 444859 Mo
    2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 914145280 | Size: 19622 Mo
    3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 954331136 | Size: 10958 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1]_S_01182013_02d1709.txt >>
    RKreport[1]_S_01182013_02d1709.txt
     
  8. kevinf80

    kevinf80 Malware Specialist

    Run the following:

    Quit all programs that you may have started.

    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select "Run as Administrator" to start
    • For Windows XP, double-click to start.
    • Wait until Prescan has finished ...
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • click on "delete"
    • Wait until the Status box shows "Deleting Finished"
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[?].txt on your Desktop
    • Exit/Close RogueKiller

    Next,

    Download OTL from any of the following links and save to your desktop.

    http://itxassociates.com/OT-Tools/OTL.com
    http://oldtimer.geekstogo.com/OTL.exe
    http://www.itxassociates.com/OT-Tools/OTL.scr

    Double click the icon to start the tool. (Note: If you are running on Vista or Windows 7 accept UAC alert)

    • When the window appears, underneath Output at the top, make sure Standard output is selected.
    • Select Scan all users
    • Under the Extra Registry section, check Use SafeList
    • In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
    • Click Run Scan and let the program run uninterrupted.
    • When the scan is complete, two text files will be created on your Desktop.
    • OTL.Txt <- this one will be opened
    • Extras.txt <- this one will be minimized

    Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of OTL.Txt and the Extras.txt in your next reply.

    Kevin...
     
  9. Miche

    Miche Thread Starter

    RogueKiller V8.4.3 [Jan 10 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Miche [Admin rights]
    Mode : Remove -- Date : 01/18/2013 18:46:48

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 3 ¤¤¤
    [TASK][SUSP PATH] 43943e38 : C:\Users\Miche\AppData\Local\Temp\\setup4274450624.exe -> DELETED
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [Tr.Karagany][FOLDER] ROOT : C:\Users\Miche\AppData\Roaming\Adobe\plugs --> REMOVED
    [Tr.Karagany][FOLDER] ROOT : C:\Users\Miche\AppData\Roaming\Adobe\shed --> REMOVED

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\windows\system32\drivers\etc\hosts

    127.0.0.1 localhost
    ::1 localhost #[IPv6]
    [...]


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: Hitachi HTS545050B9A300 +++++
    --- User ---
    [MBR] 609dd1782ff892f180036f50986bac5b
    [BSP] 322ddc5a98f6aa570f013d3ade36164f : Windows Vista MBR Code
    Partition table:
    0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 444859 Mo
    2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 914145280 | Size: 19622 Mo
    3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 954331136 | Size: 10958 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[3]_D_01182013_02d1846.txt >>
    RKreport[1]_S_01182013_02d1709.txt ; RKreport[2]_S_01182013_02d1846.txt ; RKreport[3]_D_01182013_02d1846.txt

    OTL logfile created on: 1/18/2013 6:51:07 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Miche\Downloads
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7601.17514)
    Locale: 00000409 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

    3.84 Gb Total Physical Memory | 2.69 Gb Available Physical Memory | 69.92% Memory free
    7.68 Gb Paging File | 6.13 Gb Available in Paging File | 79.86% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 434.43 Gb Total Space | 33.79 Gb Free Space | 7.78% Space Free | Partition Type: NTFS

    Computer Name: MICHE-TOSHIBA | User Name: Miche | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2013/01/18 18:48:55 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Miche\Downloads\OTL.com
    PRC - [2012/12/18 14:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2011/05/24 10:33:30 | 001,840,128 | ---- | M] (MAGIX AG) -- C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe
    PRC - [2011/04/14 16:07:58 | 000,173,888 | ---- | M] (Panda Security, S.L.) -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe
    PRC - [2011/04/13 17:06:56 | 001,000,768 | ---- | M] (Panda Security, S.L.) -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\ApVxdWin.exe
    PRC - [2010/10/20 15:49:18 | 000,202,048 | ---- | M] (Panda Security, S.L.) -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavFnSvr.exe
    PRC - [2010/08/16 14:54:46 | 000,028,992 | ---- | M] (Panda Security, S.L.) -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\psksvc.exe
    PRC - [2010/06/04 10:37:50 | 000,314,176 | ---- | M] (Panda Security, S.L.) -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\pavsrvx86.exe
    PRC - [2010/05/28 13:42:32 | 000,225,600 | ---- | M] (Panda Security, S.L.) -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\AVENGINE.EXE
    PRC - [2010/04/22 18:29:12 | 000,107,776 | ---- | M] (Panda Security, S.L.) -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\WebProxy.exe
    PRC - [2010/02/23 12:09:34 | 000,111,872 | ---- | M] (Panda Security, S.L.) -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavBckPT.exe
    PRC - [2009/11/26 17:03:56 | 000,226,560 | ---- | M] (Panda Security International) -- c:\Program Files (x86)\Panda Security\Panda Internet Security 2012\FIREWALL\PSHost.exe
    PRC - [2009/08/10 14:46:08 | 000,173,312 | ---- | M] (Panda Security, S.L.) -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PsCtrlS.exe
    PRC - [2009/07/29 04:26:42 | 000,062,848 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
    PRC - [2009/07/18 03:52:38 | 000,181,616 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
    PRC - [2009/07/15 03:10:30 | 000,042,368 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
    PRC - [2009/07/13 23:24:00 | 000,304,496 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
    PRC - [2009/03/11 02:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
    PRC - [2008/06/27 13:23:00 | 000,091,392 | ---- | M] (Panda Security, S.L.) -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\SrvLoad.exe
    PRC - [2008/06/19 12:59:50 | 000,108,288 | ---- | M] (Panda Security S.L.) -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PsImSvc.exe
    PRC - [2008/02/04 17:26:48 | 000,062,768 | ---- | M] (Panda Security, S.L.) -- C:\Program Files (x86)\Common Files\Panda Security\PavShld\PavPrSrv.exe


    ========== Modules (No Company Name) ==========

    MOD - [2007/02/14 13:55:12 | 000,165,424 | ---- | M] () -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\MiniCrypto.dll
    MOD - [2004/05/19 11:33:12 | 000,507,904 | ---- | M] () -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\LIBXML2.DLL


    ========== Services (SafeList) ==========

    SRV:64bit: - [2009/08/10 19:00:50 | 000,258,928 | ---- | M] (TOSHIBA Corporation) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA\TECO\TecoService.exe -- (TOSHIBA eco Utility Service)
    SRV:64bit: - [2009/08/05 22:20:12 | 000,488,800 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
    SRV:64bit: - [2009/08/04 19:15:06 | 000,826,224 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe -- (TPCHSrv)
    SRV:64bit: - [2009/08/04 02:17:56 | 000,137,560 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -- (TOSHIBA HDD SSD Alert Service)
    SRV:64bit: - [2009/07/28 23:48:06 | 000,140,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\SysNative\TODDSrv.exe -- (TODDSrv)
    SRV:64bit: - [2009/07/14 01:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV:64bit: - [2009/07/07 17:38:24 | 000,065,904 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\rselect\RSelSvc.exe -- (RSELSVC)
    SRV:64bit: - [2009/03/28 02:10:16 | 000,016,896 | ---- | M] (LSI Corporation) [Auto | Running] -- C:\Program Files\LSI SoftModem\agr64svc.exe -- (AgereModemAudio)
    SRV - [2013/01/13 12:25:36 | 000,115,760 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2013/01/08 22:21:59 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/12/18 14:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2012/11/09 11:21:24 | 000,160,944 | R--- | M] (Skype Technologies) [On_Demand | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
    SRV - [2012/04/22 12:51:04 | 000,720,936 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
    SRV - [2011/05/24 10:33:30 | 001,840,128 | ---- | M] (MAGIX AG) [Auto | Running] -- C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe -- (Fabs)
    SRV - [2011/04/26 13:54:12 | 002,702,848 | ---- | M] (MAGIX®) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance)
    SRV - [2011/04/14 16:07:58 | 000,173,888 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe -- (TPSrv)
    SRV - [2010/10/20 15:49:18 | 000,202,048 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavFnSvr.exe -- (PAVFNSVR)
    SRV - [2010/08/16 14:54:46 | 000,028,992 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\psksvc.exe -- (PskSvcRetail)
    SRV - [2010/06/04 10:37:50 | 000,314,176 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\pavsrvx86.exe -- (PAVSRV)
    SRV - [2010/04/24 11:04:26 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2009/11/26 17:03:56 | 000,226,560 | ---- | M] (Panda Security International) [Auto | Running] -- c:\Program Files (x86)\Panda Security\Panda Internet Security 2012\FIREWALL\PSHost.exe -- (PSHost)
    SRV - [2009/08/17 18:48:42 | 000,051,512 | ---- | M] (TOSHIBA Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo)
    SRV - [2009/08/10 14:46:08 | 000,173,312 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PsCtrlS.exe -- (Panda Software Controller)
    SRV - [2009/07/18 03:52:38 | 000,181,616 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs.exe -- (cfWiMAXService)
    SRV - [2009/07/15 03:10:30 | 000,042,368 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe -- (ConfigFree Gadget Service)
    SRV - [2009/06/10 21:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
    SRV - [2009/05/22 18:02:20 | 000,250,616 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
    SRV - [2009/03/11 02:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
    SRV - [2008/06/19 12:59:50 | 000,108,288 | ---- | M] (Panda Security S.L.) [Auto | Running] -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PsImSvc.exe -- (PSIMSVC)
    SRV - [2008/02/04 17:26:48 | 000,062,768 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Panda Security\PavShld\PavPrSrv.exe -- (PavPrSrv)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2012/12/19 12:48:17 | 000,015,928 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\COMFiltr.sys -- (ComFiltr)
    DRV:64bit: - [2012/09/10 11:16:48 | 000,125,304 | ---- | M] (Focusrite Audio Engineering Limited.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ffusb2audio.sys -- (ffusb2audio)
    DRV:64bit: - [2012/04/22 12:51:38 | 000,025,600 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\pccsmcfdx64.sys -- (pccsmcfd)
    DRV:64bit: - [2012/03/01 06:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2012/01/09 16:28:20 | 000,019,968 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ccdcmbx64.sys -- (nmwcd)
    DRV:64bit: - [2012/01/09 16:28:20 | 000,009,216 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser_lowerfltjx64.sys -- (UsbserFilt)
    DRV:64bit: - [2012/01/09 16:28:20 | 000,009,216 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser_lowerfltx64.sys -- (upperdev)
    DRV:64bit: - [2012/01/09 16:28:18 | 000,027,136 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ccdcmbox64.sys -- (nmwcdc)
    DRV:64bit: - [2011/03/11 06:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2011/03/11 06:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2011/01/31 16:41:28 | 000,129,096 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\APPFLT64.SYS -- (APPFLT)
    DRV:64bit: - [2010/11/27 12:07:31 | 000,019,528 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hitmanpro35.sys -- (hitmanpro35)
    DRV:64bit: - [2010/11/20 13:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2010/11/20 11:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV:64bit: - [2010/11/20 10:43:57 | 000,032,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser.sys -- (usbser)
    DRV:64bit: - [2010/11/13 10:29:48 | 000,834,544 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
    DRV:64bit: - [2010/09/09 16:23:00 | 000,078,920 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\idsflt64.sys -- (IDSFLT)
    DRV:64bit: - [2010/09/01 11:09:12 | 000,216,648 | ---- | M] (Panda Security, S.L.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\n64i1644.sys -- (NETIMFLT01060044)
    DRV:64bit: - [2010/06/22 18:20:18 | 000,030,792 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\pavboot64.sys -- (pavboot)
    DRV:64bit: - [2010/05/21 13:50:50 | 000,065,608 | ---- | M] (Panda Security, S.L.) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\amm6460.sys -- (AmFSM)
    DRV:64bit: - [2010/04/26 17:23:08 | 001,103,904 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rtl8192se.sys -- (rtl8192se)
    DRV:64bit: - [2009/10/27 12:07:42 | 000,048,136 | ---- | M] (Panda Security, S.L.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\ShldFlt.sys -- (ShldFlt)
    DRV:64bit: - [2009/09/25 14:54:08 | 000,074,760 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\wnmflt64.sys -- (WNMFLT)
    DRV:64bit: - [2009/09/25 14:54:06 | 000,170,504 | ---- | M] (Panda Security, S.L.) [TDI Layer] [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\NETTDI64.SYS -- (NETFLTDI)
    DRV:64bit: - [2009/09/25 14:54:02 | 000,082,952 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\dsaflt64.sys -- (DSAFLT)
    DRV:64bit: - [2009/09/25 14:54:02 | 000,031,752 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\fnetm64.sys -- (FNETMON)
    DRV:64bit: - [2009/08/27 16:07:06 | 007,369,600 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
    DRV:64bit: - [2009/07/31 04:22:04 | 000,027,784 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tdcmdpst.sys -- (tdcmdpst)
    DRV:64bit: - [2009/07/24 23:57:08 | 000,482,384 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\tos_sps64.sys -- (tos_sps64)
    DRV:64bit: - [2009/07/21 22:03:34 | 001,208,320 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\agrsm64.sys -- (AgereSoftModem)
    DRV:64bit: - [2009/07/21 01:48:32 | 000,274,480 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
    DRV:64bit: - [2009/07/14 23:31:18 | 000,026,840 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\TVALZ_O.SYS -- (TVALZ)
    DRV:64bit: - [2009/07/14 01:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/14 01:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/14 01:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/07/02 22:55:38 | 000,044,912 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\LPCFilter.sys -- (LPCFilter)
    DRV:64bit: - [2009/06/23 01:06:38 | 000,035,008 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\PGEffect.sys -- (PGEffect)
    DRV:64bit: - [2009/06/20 03:15:22 | 000,014,472 | ---- | M] (TOSHIBA Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\TVALZFL.sys -- (TVALZFL)
    DRV:64bit: - [2009/06/10 20:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 20:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 20:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 20:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2009/06/05 02:54:36 | 000,408,600 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
    DRV:64bit: - [2009/05/23 06:52:30 | 000,215,040 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
    DRV:64bit: - [2008/06/27 12:51:10 | 000,088,632 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\windows\SysNative\drivers\adfs.sys -- (adfs)
    DRV:64bit: - [2008/05/06 15:06:00 | 000,014,464 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wdcsam64.sys -- (WDC_SAM)
    DRV - [2009/07/14 01:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.ca/welcome
    IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.ca/welcome
    IE:64bit: - HKLM\..\SearchScopes,DefaultScope =
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE:64bit: - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSCA
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSCA&bmod=TSCA
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=TSCA&bmod=TSCA
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
    IE - HKLM\..\SearchScopes,DefaultScope =
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSCA


    IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

    IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

    IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

    IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

    IE - HKU\S-1-5-21-1968138902-702311131-2062755994-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.ca/welcome
    IE - HKU\S-1-5-21-1968138902-702311131-2062755994-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.ca/welcome
    IE - HKU\S-1-5-21-1968138902-702311131-2062755994-1000\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
    IE - HKU\S-1-5-21-1968138902-702311131-2062755994-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-1968138902-702311131-2062755994-1000\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSCA_enCA358
    IE - HKU\S-1-5-21-1968138902-702311131-2062755994-1000\..\SearchScopes\{EF98AC9F-E006-4B67-A19E-0FCA0FE6995B}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=crm&q={searchTerms}&locale=&apn_ptnrs=U3&apn_dtid=OSJ000YYGB&apn_uid=AE0A2E7A-C352-44C4-AB96-EF44CB825DB7&apn_sauid=D93F31DA-EC2D-440C-A0CD-0D82314359BF
    IE - HKU\S-1-5-21-1968138902-702311131-2062755994-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-1968138902-702311131-2062755994-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultengine: "Google"
    FF - prefs.js..browser.search.defaultenginename: "Google"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
    FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0
    FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0
    FF - prefs.js..extensions.enabledItems: {e001c731-5e37-4538-a5cb-8168736a2360}:0.9.9.76
    FF - prefs.js..extensions.enabledItems: {9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD}:3.0.5
    FF - user.js - File not found

    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF64_11_5_502_146.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
    FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
    FF:64bit: - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files (x86)\Canon\ZoomBrowser EX\Program\NPCIG.dll (CANON INC.)
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_37: C:\windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@nokia.com/EnablerPlugin: C:\Program Files (x86)\Nokia\Nokia Suite\npNokiaSuiteEnabler.dll ( )
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files (x86)\Veetle\VLCBroadcast\npvbp.dll File not found
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files (x86)\Nokia\Nokia PC Suite 7\bkmrksync\ [2010/04/13 15:17:33 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\ProgramData\CodecCheck\firefox [2011/10/29 14:43:49 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2012/02/26 20:55:34 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013/01/13 12:25:37 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013/01/18 16:59:18 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{A5541EBC-E138-4481-B966-C2B1016C7AE9}: C:\Users\Miche\AppData\Local\{A5541EBC-E138-4481-B966-C2B1016C7AE9}\ [2011/04/19 19:33:33 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 18.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013/01/13 12:25:37 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 18.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013/01/18 16:59:18 | 000,000,000 | ---D | M]

    [2009/12/17 13:42:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Miche\AppData\Roaming\Mozilla\Extensions
    [2013/01/12 15:16:37 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Miche\AppData\Roaming\Mozilla\Firefox\Profiles\0mkqp9ms.default\extensions
    [2011/02/20 13:22:38 | 000,000,000 | ---D | M] (CookieSafe) -- C:\Users\Miche\AppData\Roaming\Mozilla\Firefox\Profiles\0mkqp9ms.default\extensions\{9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD}
    [2013/01/12 15:16:18 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Miche\AppData\Roaming\Mozilla\Firefox\Profiles\0mkqp9ms.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    [2012/06/29 19:56:35 | 000,000,000 | ---D | M] (Bitdefender QuickScan) -- C:\Users\Miche\AppData\Roaming\Mozilla\Firefox\Profiles\0mkqp9ms.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
    [2013/01/08 12:35:23 | 000,000,000 | ---D | M] (Ghostery) -- C:\Users\Miche\AppData\Roaming\Mozilla\Firefox\Profiles\0mkqp9ms.default\extensions\[email protected]
    [2013/01/12 15:16:37 | 000,000,000 | ---D | M] (FoxyProxy Standard) -- C:\Users\Miche\AppData\Roaming\Mozilla\Firefox\Profiles\0mkqp9ms.default\extensions\[email protected]
    [2013/01/07 20:22:46 | 000,804,627 | ---- | M] () (No name found) -- C:\Users\Miche\AppData\Roaming\Mozilla\Firefox\Profiles\0mkqp9ms.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
    [2011/09/18 23:22:15 | 000,087,923 | ---- | M] () (No name found) -- C:\Users\Miche\AppData\Roaming\Mozilla\Firefox\Profiles\0mkqp9ms.default\extensions\{dd05fd3d-18df-4ce4-ae53-e795339c5f01}.xpi
    [2013/01/13 12:25:26 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
    [2013/01/13 12:25:26 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    [2013/01/13 12:25:26 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
    [2013/01/13 12:25:26 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
    [2013/01/13 12:25:26 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
    [2013/01/13 12:25:25 | 000,000,000 | ---D | M] (Kaspersky URL Advisor) -- C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]
    [2013/01/13 12:25:36 | 000,262,704 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
    [2011/04/14 13:01:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\mozilla firefox\components\Scriptff.dll
    [2010/03/31 10:09:22 | 010,437,264 | ---- | M] (PDFTron Systems Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\PDFNetC.dll
    [2010/04/08 12:36:02 | 000,107,760 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\plugins\ScorchPDFWrapper.dll
    [2012/08/29 15:42:10 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
    [2012/10/11 21:29:54 | 000,002,058 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

    ========== Chrome ==========

    CHR - homepage: http://www.google.com
    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
    CHR - homepage: http://www.google.com
    CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.52\PepperFlash\pepflashplayer.dll
    CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.52\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.52\pdf.dll
    CHR - plugin: LiveVDO plug-in (Enabled) = C:\Users\Miche\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbiamblgmkgbcgbcgejjgebalncpmhnp\1.3_0\chvsharetvplg.dll
    CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll
    CHR - plugin: ScorchPlugin (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\NPSibelius.dll
    CHR - plugin: LiveVDO plug-in (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npvsharetvplg.dll
    CHR - plugin: NPCIG.dll (Enabled) = C:\Program Files (x86)\Canon\ZoomBrowser EX\Program\NPCIG.dll
    CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
    CHR - plugin: DivX Plus Web Player (Enabled) = C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
    CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
    CHR - plugin: Java(TM) Platform SE 6 U37 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
    CHR - plugin: Nokia Suite Enabler Plugin (Enabled) = C:\Program Files (x86)\Nokia\Nokia Suite\npNokiaSuiteEnabler.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_110.dll
    CHR - plugin: Java Deployment Toolkit 6.0.370.6 (Enabled) = C:\windows\SysWOW64\npdeployJava1.dll
    CHR - plugin: Shockwave for Director (Enabled) = C:\windows\system32\Adobe\Director\np32dsw.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll

    O1 HOSTS File: ([2011/10/13 13:37:30 | 000,612,606 | ---- | M]) - C:\Windows\SysNative\drivers\etc\HOSTS
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost #[IPv6]
    O1 - Hosts: 127.0.0.1 fr.a2dfp.net
    O1 - Hosts: 127.0.0.1 m.fr.a2dfp.net
    O1 - Hosts: 127.0.0.1 ad.a8.net
    O1 - Hosts: 127.0.0.1 asy.a8ww.net
    O1 - Hosts: 127.0.0.1 abcstats.com
    O1 - Hosts: 127.0.0.1 a.abv.bg
    O1 - Hosts: 127.0.0.1 adserver.abv.bg
    O1 - Hosts: 127.0.0.1 adv.abv.bg
    O1 - Hosts: 127.0.0.1 bimg.abv.bg
    O1 - Hosts: 127.0.0.1 ca.abv.bg
    O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua
    O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com
    O1 - Hosts: 127.0.0.1 accuserveadsystem.com
    O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com
    O1 - Hosts: 127.0.0.1 achmedia.com
    O1 - Hosts: 127.0.0.1 aconti.net
    O1 - Hosts: 127.0.0.1 secure.aconti.net
    O1 - Hosts: 127.0.0.1 www.aconti.net #[Dialer.Aconti]
    O1 - Hosts: 127.0.0.1 am1.activemeter.com
    O1 - Hosts: 127.0.0.1 www.activemeter.com #[Tracking.Cookie]
    O1 - Hosts: 127.0.0.1 ads.activepower.net
    O1 - Hosts: 127.0.0.1 stat.active24stats.nl #[Tracking.Cookie]
    O1 - Hosts: 127.0.0.1 ad2games.com
    O1 - Hosts: 16290 more lines...
    O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
    O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg64.dll (Google Inc.)
    O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
    O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
    O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3:64bit: - HKU\S-1-5-21-1968138902-702311131-2062755994-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
    O3 - HKU\S-1-5-21-1968138902-702311131-2062755994-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O4:64bit: - HKLM..\Run: [] File not found
    O4:64bit: - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
    O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
    O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\windows\SysNative\hkcmd.exe (Intel Corporation)
    O4:64bit: - HKLM..\Run: [HSON] C:\Program Files\TOSHIBA\TBS\HSON.exe (TOSHIBA Corporation)
    O4:64bit: - HKLM..\Run: [IgfxTray] C:\windows\SysNative\igfxtray.exe (Intel Corporation)
    O4:64bit: - HKLM..\Run: [Persistence] C:\windows\SysNative\igfxpers.exe (Intel Corporation)
    O4:64bit: - HKLM..\Run: [SmartFaceVWatcher] C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe (TOSHIBA Corporation)
    O4:64bit: - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
    O4:64bit: - HKLM..\Run: [Teco] C:\Program Files\TOSHIBA\TECO\Teco.exe (TOSHIBA Corporation)
    O4:64bit: - HKLM..\Run: [TosReelTimeMonitor] C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe (TOSHIBA Corporation)
    O4:64bit: - HKLM..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe (TOSHIBA Corporation)
    O4:64bit: - HKLM..\Run: [TosWaitSrv] C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe (TOSHIBA Corporation)
    O4:64bit: - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
    O4 - HKLM..\Run: [AdobeCS6ServiceManager] C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [APVXDWIN] C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\APVXDWIN.EXE (Panda Security, S.L.)
    O4 - HKLM..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe (TOSHIBA Electronics, Inc.)
    O4 - HKLM..\Run: [SCANINICIO] C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\Inicio.exe (Panda Security, S.L.)
    O4 - HKLM..\Run: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe (TOSHIBA CORPORATION)
    O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
    O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O8:64bit: - Extra context menu item: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8:64bit: - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8:64bit: - Extra context menu item: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8:64bit: - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8:64bit: - Extra context menu item: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8:64bit: - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8:64bit: - Extra context menu item: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8:64bit: - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe (PokerStars)
    O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
    O1364bit: - gopher Prefix: missing
    O13 - gopher Prefix: missing
    O15 - HKU\S-1-5-21-1968138902-702311131-2062755994-1000\..Trusted Domains: o2.co.uk ([*.broadband] http in Local intranet)
    O15 - HKU\S-1-5-21-1968138902-702311131-2062755994-1000\..Trusted Domains: o2.co.uk ([*.broadband] https in Local intranet)
    O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 10.1.0)
    O16:64bit: - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} http://download.sopcast.cn/download/SOPCORE.CAB (Reg Error: Key error.)
    O16:64bit: - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/win/ActiveXPlugin.cab (Reg Error: Key error.)
    O16:64bit: - DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 1.7.0_01)
    O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/win/ActiveXPlugin.cab (ScorchPlugin Class)
    O16 - DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{AF9DB8C2-72B8-4C25-873B-CF2061A430A4}: DhcpNameServer = 192.168.1.254
    O18:64bit: - Protocol\Handler\grooveLocalGWS - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
    O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
    O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (c:\windows\syswow64\userinit.exe) - c:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
    O20:64bit: - Winlogon\Notify\avldr: DllName - (avldr64.dll) - C:\windows\SysNative\avldr64.dll (On-Access Anti-Malware Scanner Sync)
    O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\windows\SysNative\igfxdev.dll (Intel Corporation)
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2013/01/18 17:08:10 | 000,000,000 | ---D | C] -- C:\Users\Miche\Desktop\RK_Quarantine
    [2013/01/13 12:25:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
    [2013/01/11 17:20:55 | 000,000,000 | ---D | C] -- C:\ProgramData\regid.1986-12.com.adobe
    [2013/01/10 18:59:10 | 000,000,000 | ---D | C] -- C:\Users\Miche\AppData\Roaming\Artisteer
    [2013/01/10 18:58:10 | 000,000,000 | ---D | C] -- C:\Users\Miche\AppData\Local\SkinSoft
    [2013/01/10 18:57:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Artisteer 3
    [2013/01/10 18:56:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Artisteer 3
    [2013/01/09 14:11:03 | 000,000,000 | ---D | C] -- C:\windows\PCHEALTH
    [2013/01/09 08:56:15 | 000,750,592 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\win32spl.dll
    [2013/01/09 08:56:14 | 000,492,032 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\win32spl.dll
    [2013/01/09 08:55:54 | 000,307,200 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ncrypt.dll
    [2013/01/09 08:55:53 | 000,800,768 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\usp10.dll
    [2013/01/09 08:55:45 | 000,045,568 | ---- | C] (Microsoft) -- C:\windows\SysWow64\oflc-nz.rs
    [2013/01/09 08:55:45 | 000,045,568 | ---- | C] (Microsoft) -- C:\windows\SysNative\oflc-nz.rs
    [2013/01/09 08:55:45 | 000,043,520 | ---- | C] (Microsoft) -- C:\windows\SysWow64\csrr.rs
    [2013/01/09 08:55:45 | 000,043,520 | ---- | C] (Microsoft) -- C:\windows\SysNative\csrr.rs
    [2013/01/09 08:55:44 | 000,046,592 | ---- | C] (Microsoft) -- C:\windows\SysWow64\fpb.rs
    [2013/01/09 08:55:44 | 000,046,592 | ---- | C] (Microsoft) -- C:\windows\SysNative\fpb.rs
    [2013/01/09 08:55:43 | 000,044,544 | ---- | C] (Microsoft) -- C:\windows\SysWow64\pegibbfc.rs
    [2013/01/09 08:55:43 | 000,044,544 | ---- | C] (Microsoft) -- C:\windows\SysNative\pegibbfc.rs
    [2013/01/09 08:55:43 | 000,040,960 | ---- | C] (Microsoft) -- C:\windows\SysWow64\cob-au.rs
    [2013/01/09 08:55:43 | 000,040,960 | ---- | C] (Microsoft) -- C:\windows\SysNative\cob-au.rs
    [2013/01/09 08:55:43 | 000,030,720 | ---- | C] (Microsoft) -- C:\windows\SysWow64\usk.rs
    [2013/01/09 08:55:43 | 000,030,720 | ---- | C] (Microsoft) -- C:\windows\SysNative\usk.rs
    [2013/01/09 08:55:43 | 000,021,504 | ---- | C] (Microsoft) -- C:\windows\SysWow64\grb.rs
    [2013/01/09 08:55:43 | 000,015,360 | ---- | C] (Microsoft) -- C:\windows\SysWow64\djctq.rs
    [2013/01/09 08:55:43 | 000,015,360 | ---- | C] (Microsoft) -- C:\windows\SysNative\djctq.rs
    [2013/01/09 08:55:42 | 000,021,504 | ---- | C] (Microsoft) -- C:\windows\SysNative\grb.rs
    [2013/01/09 08:55:42 | 000,020,480 | ---- | C] (Microsoft) -- C:\windows\SysWow64\pegi-pt.rs
    [2013/01/09 08:55:42 | 000,020,480 | ---- | C] (Microsoft) -- C:\windows\SysNative\pegi-pt.rs
    [2013/01/09 08:55:42 | 000,020,480 | ---- | C] (Microsoft) -- C:\windows\SysWow64\pegi.rs
    [2013/01/09 08:55:42 | 000,020,480 | ---- | C] (Microsoft) -- C:\windows\SysNative\pegi.rs
    [2013/01/09 08:55:41 | 002,746,368 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\gameux.dll
    [2013/01/09 08:55:41 | 000,441,856 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\Wpc.dll
    [2013/01/09 08:55:40 | 002,576,384 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\gameux.dll
    [2013/01/09 08:55:40 | 000,308,736 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\Wpc.dll
    [2013/01/09 08:55:29 | 000,051,712 | ---- | C] (Microsoft) -- C:\windows\SysWow64\esrb.rs
    [2013/01/09 08:55:29 | 000,051,712 | ---- | C] (Microsoft) -- C:\windows\SysNative\esrb.rs
    [2013/01/09 08:55:28 | 000,055,296 | ---- | C] (Microsoft) -- C:\windows\SysNative\cero.rs
    [2013/01/09 08:55:28 | 000,023,552 | ---- | C] (Microsoft) -- C:\windows\SysWow64\oflc.rs
    [2013/01/09 08:55:28 | 000,023,552 | ---- | C] (Microsoft) -- C:\windows\SysNative\oflc.rs
    [2013/01/09 08:55:28 | 000,020,480 | ---- | C] (Microsoft) -- C:\windows\SysWow64\pegi-fi.rs
    [2013/01/09 08:55:28 | 000,020,480 | ---- | C] (Microsoft) -- C:\windows\SysNative\pegi-fi.rs
    [2013/01/09 08:55:27 | 000,055,296 | ---- | C] (Microsoft) -- C:\windows\SysWow64\cero.rs
    [2013/01/09 08:54:51 | 000,424,448 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\KernelBase.dll
    [2013/01/09 08:54:49 | 001,161,216 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\kernel32.dll
    [2013/01/09 08:54:47 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wow64win.dll
    [2013/01/09 08:54:47 | 000,338,432 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\conhost.exe
    [2013/01/09 08:54:47 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wow64.dll
    [2013/01/09 08:54:47 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\winsrv.dll
    [2013/01/09 08:54:47 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wow64cpu.dll
    [2013/01/09 08:54:46 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ntvdm64.dll
    [2013/01/09 08:54:46 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ntvdm64.dll
    [2013/01/09 08:54:46 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\wow32.dll
    [2013/01/09 08:54:45 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-string-l1-1-0.dll
    [2013/01/09 08:54:42 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
    [2013/01/09 08:54:42 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-file-l1-1-0.dll
    [2013/01/09 08:54:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
    [2013/01/09 08:54:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
    [2013/01/09 08:54:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll
    [2013/01/09 08:54:40 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-security-base-l1-1-0.dll
    [2013/01/09 08:54:40 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll
    [2013/01/09 08:54:40 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
    [2013/01/09 08:54:40 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll
    [2013/01/09 08:54:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll
    [2013/01/09 08:54:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-util-l1-1-0.dll
    [2013/01/09 08:54:39 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
    [2013/01/09 08:54:39 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-synch-l1-1-0.dll
    [2013/01/09 08:54:39 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll
    [2013/01/09 08:54:39 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
    [2013/01/09 08:54:39 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
    [2013/01/09 08:54:39 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-profile-l1-1-0.dll
    [2013/01/09 08:54:38 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
    [2013/01/09 08:54:38 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll
    [2013/01/09 08:54:38 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
    [2013/01/09 08:54:38 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll
    [2013/01/09 08:54:38 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
    [2013/01/09 08:54:37 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
    [2013/01/09 08:54:37 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
    [2013/01/09 08:54:37 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll
    [2013/01/09 08:54:37 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll
    [2013/01/09 08:54:37 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-misc-l1-1-0.dll
    [2013/01/09 08:54:37 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
    [2013/01/09 08:54:37 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-memory-l1-1-0.dll
    [2013/01/09 08:54:37 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
    [2013/01/09 08:54:36 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll
    [2013/01/09 08:54:36 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
    [2013/01/09 08:54:36 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
    [2013/01/09 08:54:36 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-heap-l1-1-0.dll
    [2013/01/09 08:54:36 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
    [2013/01/09 08:54:36 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-io-l1-1-0.dll
    [2013/01/09 08:54:36 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll
    [2013/01/09 08:54:35 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
    [2013/01/09 08:54:35 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-handle-l1-1-0.dll
    [2013/01/09 08:54:35 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
    [2013/01/09 08:54:35 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll
    [2013/01/09 08:54:35 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll
    [2013/01/09 08:54:35 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
    [2013/01/09 08:54:35 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-debug-l1-1-0.dll
    [2013/01/09 08:54:34 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    [2013/01/09 08:54:34 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    [2013/01/09 08:54:34 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    [2013/01/09 08:54:34 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    [2013/01/09 08:54:34 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
    [2013/01/09 08:54:34 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll
    [2013/01/09 08:54:33 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\setup16.exe
    [2013/01/09 08:54:33 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
    [2013/01/09 08:54:31 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\instnm.exe
    [2013/01/09 08:54:31 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
    [2013/01/09 08:54:31 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-localization-l1-1-0.dll
    [2013/01/09 08:54:30 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
    [2013/01/09 08:54:30 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-console-l1-1-0.dll
    [2013/01/09 08:54:29 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\user.exe
    [2013/01/09 08:54:12 | 000,068,608 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\taskhost.exe
    [2013/01/07 12:24:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\(Default)
    [2013/01/07 12:24:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Focusrite
    [2013/01/07 12:21:12 | 000,125,304 | ---- | C] (Focusrite Audio Engineering Limited.) -- C:\windows\SysNative\drivers\ffusb2audio.sys
    [2013/01/07 12:21:12 | 000,022,392 | ---- | C] (Focusrite Audio Engineering Limited.) -- C:\windows\SysNative\ffusb2audio_coinst.dll
    [2013/01/07 12:21:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Focusrite
    [2013/01/07 12:21:11 | 000,000,000 | ---D | C] -- C:\Program Files\Focusrite
    [2013/01/03 17:06:09 | 000,000,000 | ---D | C] -- C:\Users\Miche\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ASIO4ALL v2
    [2013/01/03 17:06:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ASIO4ALL v2
    [2013/01/03 14:56:18 | 000,000,000 | ---D | C] -- C:\Users\Miche\AppData\Roaming\Plogue
    [2013/01/03 14:54:02 | 000,000,000 | ---D | C] -- C:\Users\Miche\AppData\Roaming\Plogue Art et Technologie, Inc
    [2013/01/03 12:37:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\VST2
    [2013/01/03 12:37:06 | 000,000,000 | ---D | C] -- C:\Program Files\Plogue
    [2013/01/03 12:14:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Tonehammer
    [2012/12/28 11:15:38 | 000,000,000 | ---D | C] -- C:\Users\Miche\AppData\Local\112dB
    [2012/12/28 11:12:32 | 000,000,000 | ---D | C] -- C:\Users\Miche\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\112dB
    [2012/12/28 11:12:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\112dB
    [2012/12/27 16:20:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GraphPad Software
    [2012/12/27 16:20:02 | 000,000,000 | ---D | C] -- C:\ProgramData\GraphPad Software
    [2012/12/27 16:20:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\GraphPad
    [2012/12/21 23:29:45 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\windows\SysWow64\atmlib.dll
    [2012/12/21 23:29:44 | 000,046,080 | ---- | C] (Adobe Systems) -- C:\windows\SysNative\atmlib.dll
    [2012/12/21 23:29:41 | 000,367,616 | ---- | C] (Adobe Systems Incorporated) -- C:\windows\SysNative\atmfd.dll
    [2012/12/21 23:29:41 | 000,295,424 | ---- | C] (Adobe Systems Incorporated) -- C:\windows\SysWow64\atmfd.dll
    [1 C:\windows\SysWow64\*.tmp files -> C:\windows\SysWow64\*.tmp -> ]
    [1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2013/01/18 18:21:04 | 000,000,830 | ---- | M] () -- C:\windows\tasks\Adobe Flash Player Updater.job
    [2013/01/18 18:02:00 | 000,000,898 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
    [2013/01/18 17:09:03 | 000,016,304 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2013/01/18 17:09:03 | 000,016,304 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2013/01/18 17:08:26 | 000,323,020 | ---- | M] () -- C:\windows\SysNative\drivers\APPFCONT.DAT.bck
    [2013/01/18 17:08:26 | 000,323,020 | ---- | M] () -- C:\windows\SysNative\drivers\APPFCONT.DAT
    [2013/01/18 17:05:22 | 000,001,132 | ---- | M] () -- C:\windows\SysNative\drivers\APPFLTR.CFG.bck
    [2013/01/18 17:05:22 | 000,001,132 | ---- | M] () -- C:\windows\SysNative\drivers\APPFLTR.CFG
    [2013/01/18 17:05:22 | 000,000,252 | ---- | M] () -- C:\windows\SysNative\drivers\etc\IdsFlt.cfg.bck
    [2013/01/18 17:05:22 | 000,000,252 | ---- | M] () -- C:\windows\SysNative\drivers\etc\IdsFlt.cfg
    [2013/01/18 17:05:22 | 000,000,092 | ---- | M] () -- C:\windows\SysNative\drivers\etc\NetLoc.wlt.bck
    [2013/01/18 17:05:22 | 000,000,092 | ---- | M] () -- C:\windows\SysNative\drivers\etc\NetLoc.wlt
    [2013/01/18 17:05:22 | 000,000,068 | ---- | M] () -- C:\windows\SysNative\drivers\etc\NetFlt.cfg.bck
    [2013/01/18 17:05:22 | 000,000,068 | ---- | M] () -- C:\windows\SysNative\drivers\etc\NetFlt.cfg
    [2013/01/18 17:05:22 | 000,000,056 | ---- | M] () -- C:\windows\SysNative\drivers\etc\WnmFlt.cfg.bck
    [2013/01/18 17:05:22 | 000,000,056 | ---- | M] () -- C:\windows\SysNative\drivers\etc\WnmFlt.cfg
    [2013/01/18 17:05:22 | 000,000,056 | ---- | M] () -- C:\windows\SysNative\drivers\etc\DsaFlt.cfg.bck
    [2013/01/18 17:05:22 | 000,000,056 | ---- | M] () -- C:\windows\SysNative\drivers\etc\DsaFlt.cfg
    [2013/01/18 17:05:21 | 000,303,044 | ---- | M] () -- C:\windows\SysNative\drivers\etc\DsaFlt.rls.bck
    [2013/01/18 17:05:21 | 000,303,044 | ---- | M] () -- C:\windows\SysNative\drivers\etc\DsaFlt.rls
    [2013/01/18 17:02:13 | 000,000,064 | ---- | M] () -- C:\windows\SysNative\drivers\etc\NetAR.wlt.bck
    [2013/01/18 17:02:13 | 000,000,064 | ---- | M] () -- C:\windows\SysNative\drivers\etc\NetAR.wlt
    [2013/01/18 17:02:10 | 000,000,894 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
    [2013/01/18 17:02:01 | 000,000,136 | ---- | M] () -- C:\windows\SysNative\drivers\etc\NetAdapt.cfg.bck
    [2013/01/18 17:02:01 | 000,000,136 | ---- | M] () -- C:\windows\SysNative\drivers\etc\NetAdapt.cfg
    [2013/01/18 17:01:23 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
    [2013/01/18 17:01:16 | 3092,938,752 | -HS- | M] () -- C:\hiberfil.sys
    [2013/01/18 09:54:32 | 000,008,627 | ---- | M] () -- C:\windows\SysWow64\PAV_FOG.OPC
    [2013/01/18 09:25:09 | 000,730,448 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
    [2013/01/18 09:25:09 | 000,631,778 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
    [2013/01/18 09:25:09 | 000,111,870 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
    [2013/01/18 09:22:32 | 000,000,016 | -H-- | M] () -- C:\ProgramData\obtf601
    [2013/01/15 20:28:10 | 601,209,283 | ---- | M] () -- C:\windows\MEMORY.DMP
    [2013/01/15 18:33:12 | 000,365,568 | ---- | M] () -- C:\Users\Miche\Desktop\1j959lg3.exe
    [2013/01/14 17:36:39 | 000,002,250 | ---- | M] () -- C:\Users\Miche\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2013/01/13 13:31:33 | 000,001,672 | ---- | M] () -- C:\Users\Miche\Desktop\Projects.lnk
    [2013/01/13 12:35:15 | 000,002,055 | -H-- | M] () -- C:\Users\Miche\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2013/01/12 15:04:10 | 000,002,226 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
    [2013/01/10 18:57:37 | 000,001,120 | ---- | M] () -- C:\Users\Miche\Application Data\Microsoft\Internet Explorer\Quick Launch\Artisteer 3.lnk
    [2013/01/10 18:57:37 | 000,001,096 | ---- | M] () -- C:\Users\Miche\Desktop\Artisteer 3.lnk
    [2013/01/09 14:23:36 | 003,413,416 | ---- | M] () -- C:\windows\SysNative\FNTCACHE.DAT
    [2013/01/08 22:21:51 | 000,697,864 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\SysWow64\FlashPlayerApp.exe
    [2013/01/08 22:21:51 | 000,074,248 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
    [2012/12/27 16:20:11 | 000,001,254 | ---- | M] () -- C:\Users\Public\Desktop\GraphPad Prism 6 Demo.lnk
    [1 C:\windows\SysWow64\*.tmp files -> C:\windows\SysWow64\*.tmp -> ]
    [1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2013/01/15 20:28:10 | 601,209,283 | ---- | C] () -- C:\windows\MEMORY.DMP
    [2013/01/15 18:33:11 | 000,365,568 | ---- | C] () -- C:\Users\Miche\Desktop\1j959lg3.exe
    [2013/01/14 11:43:46 | 000,001,501 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Application Manager.lnk
    [2013/01/12 15:06:04 | 000,001,161 | ---- | C] () -- C:\Users\Miche\Desktop\Mozilla Firefox.lnk
    [2013/01/10 18:57:37 | 000,001,120 | ---- | C] () -- C:\Users\Miche\Application Data\Microsoft\Internet Explorer\Quick Launch\Artisteer 3.lnk
    [2013/01/10 18:57:37 | 000,001,096 | ---- | C] () -- C:\Users\Miche\Desktop\Artisteer 3.lnk
    [2012/12/27 16:20:23 | 000,000,016 | -H-- | C] () -- C:\ProgramData\obtf601
    [2012/12/27 16:20:11 | 000,001,254 | ---- | C] () -- C:\Users\Public\Desktop\GraphPad Prism 6 Demo.lnk
    [2012/06/20 17:14:23 | 000,499,246 | ---- | C] () -- C:\windows\SysWow64\sqlite3.dll
    [2011/06/29 17:43:24 | 000,319,487 | ---- | C] () -- C:\windows\LOOP.exe
    [2011/06/27 20:39:45 | 000,000,016 | ---- | C] () -- C:\windows\SysWow64\msvcsv60.dll
    [2011/06/27 20:39:45 | 000,000,016 | ---- | C] () -- C:\windows\msocreg32.dat
    [2011/04/18 17:24:10 | 000,007,601 | ---- | C] () -- C:\Users\Miche\AppData\Local\Resmon.ResmonCfg
    [2011/04/04 08:03:19 | 000,009,242 | -HS- | C] () -- C:\Users\Miche\AppData\Local\5uf7x7ew17w5i5m2hcr53jciad8cj0rjcb76p0f
    [2011/04/04 08:03:19 | 000,009,242 | -HS- | C] () -- C:\ProgramData\5uf7x7ew17w5i5m2hcr53jciad8cj0rjcb76p0f
    [2010/12/09 11:50:58 | 000,000,036 | ---- | C] () -- C:\Users\Miche\AppData\Local\housecall.guid.cache
    [2010/10/15 10:25:29 | 000,000,020 | ---- | C] () -- C:\Users\Miche\AppData\Roaming\ldcpfk.dat
    [2010/08/17 18:03:04 | 000,000,016 | -H-- | C] () -- C:\ProgramData\obtf503
    [2010/08/04 19:47:54 | 000,000,000 | ---- | C] () -- C:\Users\Miche\AppData\Local\Jsahiya.bin
    [2010/08/04 19:47:53 | 000,000,120 | ---- | C] () -- C:\Users\Miche\AppData\Local\Fxedokaxuwena.dat
    [2010/07/24 17:47:14 | 000,006,144 | ---- | C] () -- C:\Users\Miche\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/12/17 15:40:40 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat

    ========== ZeroAccess Check ==========

    [2009/07/14 04:55:00 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
    "" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 05:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 04:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 01:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 12:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 01:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

    ========== LOP Check ==========

    [2010/06/27 09:47:47 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Afno
    [2010/12/09 12:44:18 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Ahwye
    [2012/04/04 10:54:37 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Applied Acoustics Systems
    [2013/01/10 18:59:10 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Artisteer
    [2012/11/09 11:29:04 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\ASK Video
    [2012/12/10 13:27:51 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Audio Ease
    [2010/01/05 01:56:23 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Azar
    [2010/12/09 12:44:18 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Baun
    [2012/07/07 14:19:12 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\calibre
    [2011/02/06 14:48:55 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Canon
    [2013/01/12 12:33:21 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\CD63D6BA5CFEE601E4B3AF53986D55A5
    [2010/12/09 12:44:18 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Cyvue
    [2012/12/19 12:21:55 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\DriverCure
    [2010/12/09 12:44:18 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Dumoyz
    [2010/12/09 12:44:17 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Ehtoh
    [2010/12/09 12:44:17 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Ektoy
    [2012/12/08 12:16:12 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\GameHouse
    [2012/12/08 12:18:57 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\GamesCafe
    [2010/08/17 18:03:03 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\GraphPad Software
    [2010/12/09 12:44:17 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Huusy
    [2010/04/23 17:13:26 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Ibhywa
    [2010/09/24 04:47:28 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Iboh
    [2010/03/23 14:00:57 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Ifsobo
    [2010/12/09 12:44:17 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Isagok
    [2010/02/11 04:08:22 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Ivtai
    [2010/08/04 20:26:02 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Izech
    [2012/06/15 11:24:41 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\iZotope
    [2010/08/05 23:59:10 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Katoaw
    [2010/12/09 12:44:17 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Kuyb
    [2012/12/11 20:33:19 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Leadertech
    [2012/12/10 18:38:34 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Lexicon PCM Native
    [2010/06/20 12:44:33 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Lifa
    [2010/11/27 10:06:33 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Luuhna
    [2012/11/07 11:08:54 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\MAGIX
    [2010/12/09 12:44:16 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Myki
    [2010/03/15 20:13:08 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Nitiyt
    [2010/02/22 11:50:19 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Nokia
    [2010/07/12 08:08:53 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Ognoe
    [2010/10/18 20:25:51 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Opwaz
    [2012/12/19 12:46:10 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Panda Security
    [2011/07/27 07:02:15 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\PC Suite
    [2010/12/09 12:44:16 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Qaaqbe
    [2010/10/18 20:25:51 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Qageku
    [2010/12/09 12:44:15 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Qovy
    [2011/02/20 13:02:01 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\QuickScan
    [2010/12/09 12:27:44 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Registry Mechanic
    [2012/04/10 22:13:12 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\SanDisk
    [2012/12/19 12:21:55 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\SpeedyPC Software
    [2012/08/30 08:41:01 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Sports Interactive
    [2011/01/01 21:17:49 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Steinberg
    [2010/05/05 12:24:30 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Syawu
    [2012/12/19 14:47:40 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\SystemRequirementsLab
    [2009/12/20 01:33:16 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Tific
    [2010/03/20 05:20:30 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Togixa
    [2011/11/12 14:37:57 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Tony George
    [2009/12/19 06:05:45 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Toshiba
    [2010/08/04 19:46:48 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Tyta
    [2010/03/03 08:47:28 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Udvu
    [2012/03/18 09:23:16 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Ulead Systems
    [2010/10/16 13:33:06 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Urdaul
    [2010/02/27 16:53:37 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Uthuf
    [2010/12/09 12:44:15 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Uzsy
    [2012/12/10 13:25:36 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Valhalla DSP, LLC
    [2012/12/10 13:15:44 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\ValhallaRoom
    [2012/12/10 13:15:44 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\ValhallaShimmer
    [2012/12/10 13:15:45 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\ValhallaUberMod
    [2010/10/18 20:21:55 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Vilay
    [2010/12/09 12:44:15 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Viyryv
    [2010/12/09 12:44:15 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Voza
    [2012/12/05 12:27:24 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\VST3 Presets
    [2010/12/09 12:44:14 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Vuruox
    [2010/08/23 22:34:38 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Vypoc
    [2010/12/28 17:30:15 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Waves Audio
    [2009/12/29 01:29:54 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\WildTangent
    [2010/10/17 13:56:15 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\WinBatch
    [2010/10/16 13:33:06 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Woyqib
    [2010/10/18 21:41:41 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Wuxiif
    [2010/02/06 23:43:51 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Xiegyv
    [2010/01/08 15:43:06 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Yfywbu
    [2010/02/08 07:48:27 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Ynot
    [2010/06/21 00:38:28 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Zixaxa
    [2010/10/17 14:22:56 | 000,000,000 | ---D | M] -- C:\Users\Miche\AppData\Roaming\Zyosyp

    ========== Purity Check ==========



    ========== Files - Unicode (All) ==========
    [2010/01/19 16:52:21 | 000,000,180 | ---- | M] ()(C:\windows\SysWow64\?????????????D???I?I???y?ö??????{) -- C:\windows\SysWow64\&#61008;&#139;&#65400;&#139;&#24240;&#30323;&#10511;&#7386;&#65534;&#65535;&#38190;&#30321;&#51422;D&#65535;&#65535;&#63072;I&#63072;I&#65400;&#139;&#1053;y&#48428;ö&#65534;&#65535;&#60504;&#139;&#26186;&#30323;{
    [2010/01/14 13:58:56 | 000,000,180 | ---- | C] ()(C:\windows\SysWow64\?????????????D???I?I???y?ö??????{) -- C:\windows\SysWow64\&#61008;&#139;&#65400;&#139;&#24240;&#30323;&#10511;&#7386;&#65534;&#65535;&#38190;&#30321;&#51422;D&#65535;&#65535;&#63072;I&#63072;I&#65400;&#139;&#1053;y&#48428;ö&#65534;&#65535;&#60504;&#139;&#26186;&#30323;{

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:5C321E34
    @Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:D1B5B4F1

    < End of report >

    OTL Extras logfile created on: 1/18/2013 6:51:07 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Miche\Downloads
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7601.17514)
    Locale: 00000409 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

    3.84 Gb Total Physical Memory | 2.69 Gb Available Physical Memory | 69.92% Memory free
    7.68 Gb Paging File | 6.13 Gb Available in Paging File | 79.86% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 434.43 Gb Total Space | 33.79 Gb Free Space | 7.78% Space Free | Partition Type: NTFS

    Computer Name: MICHE-TOSHIBA | User Name: Miche | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .html[@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
    .url[@ = InternetShortcut] -- C:\windows\SysNative\rundll32.exe (Microsoft Corporation)
    .js[@ = jsfile] -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PAVSCRIP.EXE (Panda Security, S.L.)
    .jse[@ = JSEFile] -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PAVSCRIP.EXE (Panda Security, S.L.)
    .vbe[@ = VBEFile] -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PAVSCRIP.EXE (Panda Security, S.L.)
    .vbs[@ = VBSFile] -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PAVSCRIP.EXE (Panda Security, S.L.)
    .wsf[@ = WSFFile] -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PAVSCRIP.EXE (Panda Security, S.L.)
    .wsh[@ = WSHFile] -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PAVSCRIP.EXE (Panda Security, S.L.)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\windows\SysWow64\control.exe (Microsoft Corporation)
    .html [@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
    .js [@ = jsfile] -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PAVSCRIP.EXE (Panda Security, S.L.)
    .jse [@ = JSEFile] -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PAVSCRIP.EXE (Panda Security, S.L.)
    .vbe [@ = VBEFile] -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PAVSCRIP.EXE (Panda Security, S.L.)
    .vbs [@ = VBSFile] -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PAVSCRIP.EXE (Panda Security, S.L.)
    .wsf [@ = WSFFile] -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PAVSCRIP.EXE (Panda Security, S.L.)
    .wsh [@ = WSHFile] -- C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PAVSCRIP.EXE (Panda Security, S.L.)

    [HKEY_USERS\S-1-5-21-1968138902-702311131-2062755994-1000\SOFTWARE\Classes\<extension>]
    .html [@ = ChromeHTML] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    http [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
    https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    jsfile [open] -- C:\PROGRA~2\PANDAS~1\PANDAI~1\PAVSCRIP.EXE "%1" %* (Panda Security, S.L.)
    jsefile [open] -- C:\PROGRA~2\PANDAS~1\PANDAI~1\PAVSCRIP.EXE "%1" %* (Panda Security, S.L.)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    vbefile [open] -- C:\PROGRA~2\PANDAS~1\PANDAI~1\PAVSCRIP.EXE "%1" %* (Panda Security, S.L.)
    vbsfile [open] -- C:\PROGRA~2\PANDAS~1\PANDAI~1\PAVSCRIP.EXE "%1" %* (Panda Security, S.L.)
    wsffile [open] -- C:\PROGRA~2\PANDAS~1\PANDAI~1\PAVSCRIP.EXE "%1" %* (Panda Security, S.L.)
    wshfile [open] -- C:\PROGRA~2\PANDAS~1\PANDAI~1\PAVSCRIP.EXE "%1" %* (Panda Security, S.L.)
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [Digital Photo Professional] -- C:\Program Files (x86)\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    http [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
    https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    jsfile [open] -- C:\PROGRA~2\PANDAS~1\PANDAI~1\PAVSCRIP.EXE "%1" %* (Panda Security, S.L.)
    jsefile [open] -- C:\PROGRA~2\PANDAS~1\PANDAI~1\PAVSCRIP.EXE "%1" %* (Panda Security, S.L.)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    vbefile [open] -- C:\PROGRA~2\PANDAS~1\PANDAI~1\PAVSCRIP.EXE "%1" %* (Panda Security, S.L.)
    vbsfile [open] -- C:\PROGRA~2\PANDAS~1\PANDAI~1\PAVSCRIP.EXE "%1" %* (Panda Security, S.L.)
    wsffile [open] -- C:\PROGRA~2\PANDAS~1\PANDAI~1\PAVSCRIP.EXE "%1" %* (Panda Security, S.L.)
    wshfile [open] -- C:\PROGRA~2\PANDAS~1\PANDAI~1\PAVSCRIP.EXE "%1" %* (Panda Security, S.L.)
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [Digital Photo Professional] -- C:\Program Files (x86)\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 0

    ========== Authorized Applications List ==========


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{25788A49-E504-465F-BB02-4548DD695264}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{31A97A53-1032-400A-B9E0-6C7EE1622955}" = rport=138 | protocol=17 | dir=out | app=system |
    "{33D08A97-FD81-40E1-A24F-288B25C8EB88}" = rport=139 | protocol=6 | dir=out | app=system |
    "{39BA8D3A-CC6B-4661-A691-ADCCEBA9ECFF}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{446E531B-0A59-4218-8C0A-DB1A37F226E5}" = lport=137 | protocol=17 | dir=in | app=system |
    "{49DD8B10-4F4C-4FAE-A815-001BC2DA2CD1}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{53151C5A-3959-47ED-A0DA-2968D1C62FFB}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\outlook.exe |
    "{6597B774-4F5B-471E-BA58-EF65BE15BDEC}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{73B68FBF-3FC0-4BB8-BAEC-7772C1B576C0}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{73DC6FBA-E18F-41AB-B027-D4AD32E4C0D9}" = rport=137 | protocol=17 | dir=out | app=system |
    "{769D55B3-89AA-430B-9CAD-343343864CB9}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{89DF1DF3-4176-4792-AE52-4973518C12AD}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{8B091436-C4D6-405D-85B6-757D5C35E5B1}" = lport=5353 | protocol=6 | dir=in | name=adobe csi cs4 |
    "{8F9155FC-2348-40F5-92D5-44D9F13A23D5}" = lport=10243 | protocol=6 | dir=in | app=system |
    "{9F977D82-1364-442E-B405-25EF0F23DEB7}" = lport=445 | protocol=6 | dir=in | app=system |
    "{A6CC68BC-5756-4171-9EB9-8D89A6F5D491}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{A97BA18D-0273-4CD2-8AD2-DD170957B12E}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{B16A652E-6841-45A2-934D-E9BD47264EEA}" = rport=445 | protocol=6 | dir=out | app=system |
    "{B8103600-80A5-4183-9F10-6DBF178146F6}" = lport=138 | protocol=17 | dir=in | app=system |
    "{C0554B2E-8B14-450A-B346-F6C929274EC5}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{E7E961A2-BB44-453F-B83A-3A2F8E19A5BD}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{E9C40472-98A6-430E-8CBF-EE5F2E293EA5}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 |
    "{F01553BA-1DD4-432F-851A-C9A6B6F6FB4F}" = lport=139 | protocol=6 | dir=in | app=system |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{007FC677-DCCA-473E-9EF7-DE5F8105436D}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{08AEB0A1-4726-42D9-BAC5-609D6D2EB759}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\groove.exe |
    "{08F79B58-8382-4990-9378-B0FEAF894980}" = protocol=17 | dir=in | app=c:\program files (x86)\common files\supportsoft\bin\ssrc.exe |
    "{0BC53D85-6AC3-42F9-A94A-A4EF1492175B}" = protocol=17 | dir=in | app=c:\program files (x86)\o2\bin\wificfg.exe |
    "{10D3BCB8-D6C7-429C-9938-501574D8038B}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{14AAD9D1-9007-43DB-A600-A602BFC5308F}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{1BCDA5ED-4049-4DAE-9EAE-69AD722BAAA7}" = protocol=6 | dir=in | app=c:\program files (x86)\o2\agent\bin\bcont.exe |
    "{2621884D-A20E-434C-B9AE-34A800AC74D2}" = protocol=6 | dir=in | app=c:\program files (x86)\common files\supportsoft\bin\ssrc.exe |
    "{280C5C13-6F74-4064-A9D2-7F1C51227F19}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstra.exe |
    "{2EF3126B-B979-4D19-A22E-8A56922CCB1F}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
    "{307DF8E9-10C9-428A-ADAD-E87ACE6A9F47}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstrb.exe |
    "{36A7A3B4-6018-4A2E-8F50-FBA1C65865DC}" = protocol=17 | dir=in | app=c:\program files (x86)\o2\agent\bin\bcont_nm.exe |
    "{382E1D69-74A3-41C3-B00E-26628945C702}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{3FD10660-51F6-40EE-AE3B-8593468139AA}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{40389410-8E58-4F3F-85FE-2AE80997745B}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{49005743-C910-47DE-9CF0-DFFA364948B5}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstra.exe |
    "{51A36A55-1ACB-429C-819D-9642DD110E92}" = protocol=58 | dir=in | [email protected],-28545 |
    "{54904D15-AE04-4273-A3B0-39FA94968819}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{5792F4A8-B929-40AE-98FD-26541612E079}" = dir=in | app=c:\program files (x86)\nokia\nokia suite\nokiasuite.exe |
    "{5E5B472C-2398-454F-9AD6-75D4AD54ED40}" = protocol=6 | dir=in | app=c:\program files (x86)\o2\bin\wificfg.exe |
    "{66C902B7-4FB6-437A-A616-DF1C0D9FE94B}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{6E27BDD6-DF45-4AA5-9C84-38E94784E289}" = protocol=17 | dir=in | app=c:\program files (x86)\o2\agent\bin\bcont.exe |
    "{7807BC78-D03A-45FF-B616-2CF8BADA84B3}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{88CE7107-8263-4187-AA22-B1C129D26497}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{AB71129A-D2BE-49E6-9EFF-6AFFD92DDCEE}" = protocol=58 | dir=out | [email protected],-28546 |
    "{AFE1D5C6-1CEE-4B05-95A7-D6E7F47D6927}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{B4DEB4DF-D579-45AA-BC6B-FE5C43C9FDC5}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
    "{B5AE73D4-6355-4B88-BC63-66189204C35A}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{B90EDFF4-A543-4A5D-AD46-A0ADC6731274}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
    "{BA7012F9-E753-4BA4-B759-EA0000D14A30}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{CB2002F7-3367-475E-BAEB-6EA5E08C80EA}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstrb.exe |
    "{CD3E63D9-8B4C-4304-9F11-675554C4C340}" = protocol=1 | dir=in | [email protected],-28543 |
    "{D07B04DB-383C-49AE-AE57-D34A54547374}" = protocol=6 | dir=in | app=c:\program files (x86)\o2\agent\bin\bcont_nm.exe |
    "{D16A19A2-E5DB-4E07-A606-68AA948A055C}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\groove.exe |
    "{D3FBDFD8-5AB8-4D00-8AF9-9651EC22AE46}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe |
    "{E5C05A60-3AAE-42E2-87D9-0AC3F8B17AE5}" = protocol=6 | dir=out | app=system |
    "{F5C971C4-48BC-4637-994D-F3531E18157E}" = protocol=1 | dir=out | [email protected],-28544 |
    "{F760AAC2-FA89-4C95-80C2-5C752C646F66}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "TCP Query User{04373121-5EB5-43DB-833E-AAE1ECBC9A7D}C:\program files (x86)\panda security\panda internet security 2012\apvxdwin.exe" = protocol=6 | dir=in | app=c:\program files (x86)\panda security\panda internet security 2012\apvxdwin.exe |
    "TCP Query User{175481B0-895A-4F77-8578-574233F7F227}C:\program files (x86)\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files (x86)\google\google earth\plugin\geplugin.exe |
    "TCP Query User{187B2CC9-A142-4B2C-8C94-49D762887FEB}C:\program files (x86)\sopcast\sopcast.exe" = protocol=6 | dir=in | app=c:\program files (x86)\sopcast\sopcast.exe |
    "TCP Query User{6B116C7A-FE07-4099-AD83-4A8DC70B38B9}C:\program files (x86)\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files (x86)\mozilla firefox\firefox.exe |
    "TCP Query User{7F1FC440-7E66-4769-A64F-CBBDEA8D6D49}C:\program files (x86)\sopcast\adv\sopadver.exe" = protocol=6 | dir=in | app=c:\program files (x86)\sopcast\adv\sopadver.exe |
    "TCP Query User{CAC260F6-892C-4B82-91E7-5B9DCFB16866}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
    "UDP Query User{05B9DA46-2046-4986-88FB-A47B116D86B8}C:\program files (x86)\sopcast\adv\sopadver.exe" = protocol=17 | dir=in | app=c:\program files (x86)\sopcast\adv\sopadver.exe |
    "UDP Query User{1B91ED0E-5756-4635-9819-72006FCA6C1B}C:\program files (x86)\panda security\panda internet security 2012\apvxdwin.exe" = protocol=17 | dir=in | app=c:\program files (x86)\panda security\panda internet security 2012\apvxdwin.exe |
    "UDP Query User{48E6AF88-1A5A-4A19-B072-B2371153C1B5}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
    "UDP Query User{4E1ADE7C-2584-4D8C-93F7-066102F24681}C:\program files (x86)\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files (x86)\mozilla firefox\firefox.exe |
    "UDP Query User{8CDA7EE6-7A68-4115-83F7-5DC0B537F5B2}C:\program files (x86)\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files (x86)\google\google earth\plugin\geplugin.exe |
    "UDP Query User{B463BC74-03FB-43F0-AABC-CFE30661DFB1}C:\program files (x86)\sopcast\sopcast.exe" = protocol=17 | dir=in | app=c:\program files (x86)\sopcast\sopcast.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "__ARIA_1009___is1" = Plogue chipsounds
    "{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package
    "{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "{1E9E8BA6-FD0B-465D-AFA2-ECE10BF095F9}" = TOSHIBA Bulletin Board
    "{26A24AE4-039D-4CA4-87B4-2F86417001FF}" = Java(TM) 7 Update 1 (64-bit)
    "{4D668D4F-FAA2-4726-834C-31F4614F312E}" = MSVC80_x64_v2
    "{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
    "{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    "{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
    "{680EDA59-9266-44B4-949E-0C24F65DFF82}" = Microsoft_VC100_CRT_SP1_x64
    "{68660049-8D48-427C-9FF7-139D8340CDC0}" = MSVC80_x64
    "{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{89F7D66C-777D-473B-AA11-319C0F190EAC}" = TOSHIBA Internal Modem Region Select Utility
    "{8D273DE5-ABFA-4BD0-A9D7-EE9C971438C4}_is1" = PDF-Viewer
    "{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
    "{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
    "{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
    "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
    "{9DECD0F9-D3E8-48B0-A390-1CF09F54E3A4}" = TOSHIBA PC Health Monitor
    "{a085b9f2-e343-4e48-8d4b-e766a66340bc}" = Audio Bro LA Scoring Strings
    "{A39EEEF3-A82A-4706-9F17-5B8355289F31}" = MAGIX PhotoStory on DVD 2013 Deluxe
    "{AB071C8B-873C-459F-ACA9-9EBE03C3E89B}" = MSVC90_x64
    "{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "{B3FF1CD9-B2F0-4D71-BB55-5F580401C48E}" = TOSHIBA eco Utility
    "{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Media Creator
    "{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
    "{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}" = PlayReady PC Runtime amd64
    "{C2DDF845-7107-40E8-8D2A-8719F1799570}" = TOSHIBA ReelTime
    "{CA1DEF51-9B37-45F1-8FF3-27CA47E49F9F}" = MAGIX Speed burnR (MSI)
    "{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
    "{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}" = TOSHIBA SD Memory Utilities
    "{EE936C7A-EA40-31D5-9B65-8E3E089C3828}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
    "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
    "{F67FA545-D8E5-4209-86B1-AEE045D1003F}" = TOSHIBA Face Recognition
    "05B59228C7E1C21DFBE89260F879BD95880548D8" = Windows Driver Package - Nokia Modem (10/05/2009 4.2)
    "4214A1CFC1A368A5078729BFD4B211F0CDB5CEC5" = Windows Driver Package - Focusrite USB 2.0 Audio Driver (09/10/2012 2.4.128.0)
    "8CDCFB95BB84DD9C0F88F22266A0CA86035E55BA" = Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
    "ARIA Engine_is1" = ARIA Engine v1.6.0.2
    "CCleaner" = CCleaner
    "FCEC33AD40CEA5E0FC4CEE6E42041A0DA189652D" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    "Focusrite USB 2.0 Audio Driver_is1" = Focusrite USB 2.0 Audio Driver 2.4
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "HitmanPro35" = Hitman Pro 3.5
    "LTMOH" = LSI V92 MOH Application
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "SynTPDeinstKey" = Synaptics Pointing Device Driver
    "TOSHIBA Software Modem" = TOSHIBA Software Modem
    "WinRAR archiver" = WinRAR archiver

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
    "{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
    "{04AF207D-9A77-465A-8B76-991F6AB66245}&qu