
Serious Issues (Malware)

Discussion in 'Virus & Other Malware Removal' started by Seismic101, May 7, 2015.

  1. Seismic101 (Thread Starter)
    Hello, I am normally very careful when using my computer, but after nearly 5 years with this PC I seem to have been bitten by some sort of virus. Please help!

    I performed an Avast Antivirus scan and a Malwarebytes scan, which picked up lots of issues. After I seemed to have cleared them, my computer started to do some funny things. Firstly, my Avast started to spam lots of URL:Mal notifications that seemed to highlight different web links.

    Then, after I tried to reinstall the AV, I started to get window popups such as Microsoft Distributed Transaction Coordinator, Notepad and Explorer failed. Then I got some exe errors such as PDAPP.exe, jscript.dll and mtxclu.dll. I tried to replace the DLL file in System32 but it did not give me access, saying I was not the owner. I changed the owner but this still failed.

    I tried to boot in safe mode but it stops at aswRvrt.sys. I did a chkdsk from the command line, which seemed fine. I then started to get Adobe errors. I am working on a Premiere Pro video but the program no longer starts. I get constant Bad Image errors.

    Please find the following info from TSG SysInfo:

    Tech Support Guy System Info Utility version 1.0.0.2
    OS Version: Microsoft Windows 7 Ultimate, Service Pack 1, 64 bit
    Processor: Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz, Intel64 Family 6 Model 26 Stepping 5
    Processor Count: 8
    RAM: 6135 Mb
    Graphics Card: NVIDIA GeForce GTX 460, 1023 Mb
    Hard Drives: C: Total - 76216 MB, Free - 4571 MB; D: Total - 953866 MB, Free - 524493 MB; G: Total - 953866 MB, Free - 942950 MB;
    Motherboard: ASUSTeK Computer INC., P6X58D-E
    Antivirus: avast! Antivirus, Disabled

    Please find the following info from DDS:


    DDS.txt :
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.67.2
    Run by Seismic at 23:52:44 on 2015-05-07
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.6135.2420 [GMT 1:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.03\AsSysCtrlService.exe
    C:\ASUS.SYS\config\DVMExportService.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Windows\SysWOW64\PnkBstrA.exe
    C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe
    C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe
    C:\Windows\Explorer.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\msconfig.exe
    C:\Windows\system32\msdtc.exe
    C:\Users\Seismic\Downloads\SysInfo.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = www.google.com
    uDefault_Search_URL = www.google.com
    mStart Page = www.google.com
    mSearch Bar = hxxps://www.google.com/?trackid=sp-006
    mSearch Page = www.google.com
    mDefault_Page_URL = www.google.com
    mDefault_Search_URL = www.google.com
    BHO: {074C1DC5-9320-4A9A-947D-C042949C6216} - <orphaned>
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: {326E768D-4182-46FD-9C16-1449A49795F4} - <orphaned>
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    uRun: [WTFast Tray] "D:\Program Files (x86)\WTFast\WTFast.exe" trayonly
    uRun: [SiseQdohe] regsvr32.exe "C:\ProgramData\SiseQdohe\LijjuXgasi.nca"
    mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
    mRun: [Razer Synapse] "C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe"
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [QuickTime Task] "D:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    dRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: SoftwareSASGeneration = dword:1
    mPolicies-Explorer: NoResolveTrack = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Explorer: NoSMBalloonTip = dword:1
    IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200
    IE: Free YouTube Download - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\freeytvdownloader.htm
    IE: Free YouTube to MP3 Converter - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\freeytmp3downloader.htm
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    LSP: %SystemRoot%\system32\WTFastDrv.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_67-windows-i586.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0017-0000-0067-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_67-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_67-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E55B74AB-0B51-4BAE-A5B5-2531AB5EA4D9} - hxxp://assets.photobox.com/assets/v/9wMLrL7vFWyhXJey6PFIGDYHwIs.cab
    TCP: NameServer = 192.168.1.254
    TCP: Interfaces\{179A36A3-ED2A-4DBA-A30C-A3211A70C279} : DHCPNameServer = 192.168.1.1 192.168.1.1
    TCP: Interfaces\{1D88A6B2-AA4B-4E93-AD56-2D977682456A} : DHCPNameServer = 192.168.1.254
    TCP: Interfaces\{3FF9EA1A-F743-4AD1-89E6-427972189BA6} : DHCPNameServer = 192.168.1.1 192.168.1.1
    TCP: Interfaces\{4ABC301E-4B82-41E4-986C-19E672A34920} : DHCPNameServer = 192.168.42.129
    TCP: Interfaces\{4DE61CFC-1D7D-4B45-984F-FFDBA2E42760} : DHCPNameServer = 192.168.1.1 192.168.1.1
    TCP: Interfaces\{A926DD88-5BEE-403B-BE92-5D9A55390044} : DHCPNameServer = 192.168.42.129
    TCP: Interfaces\{DD94425B-A8FB-4957-82B1-7420F61CDC9A} : DHCPNameServer = 192.168.1.1 192.168.1.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
    x64-mStart Page = www.google.com
    x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    x64-BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - LocalServer32 - <no file>
    x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
    x64-SSODL: WebCheck - <orphaned>
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Seismic\AppData\Roaming\Mozilla\Firefox\Profiles\e3k5gd9d.default-1350902356995\
    FF - prefs.js: browser.search.defaulturl - hxxps://www.google.com/search/?trackid=sp-006
    FF - prefs.js: browser.search.selectedEngine - Google (avast)
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/?trackid=sp-006
    FF - prefs.js: keyword.URL - hxxps://www.google.com/search/?trackid=sp-006
    FF - prefs.js: network.proxy.http - 192.168.6.7
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
    FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_169.dll
    FF - plugin: D:\Program Files (x86)\Heroes & Generals\live\npretox-1.0.6.1\npretoxlive-1.0.6.1.dll
    FF - plugin: D:\Program Files (x86)\Mozilla Plugins\npitunes.dll
    FF - plugin: D:\Program Files (x86)\QuickTime\Plugins\npqtplugin.dll
    FF - plugin: D:\Program Files (x86)\QuickTime\Plugins\npqtplugin2.dll
    FF - plugin: D:\Program Files (x86)\QuickTime\Plugins\npqtplugin3.dll
    FF - plugin: D:\Program Files (x86)\QuickTime\Plugins\npqtplugin4.dll
    FF - plugin: D:\Program Files (x86)\QuickTime\Plugins\npqtplugin5.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 aswRvrt;avast! Revert;C:\Windows\System32\drivers\aswRvrt.sys [2013-3-10 65736]
    R0 aswVmm;avast! VM Monitor;C:\Windows\System32\drivers\aswVmm.sys [2013-3-10 272248]
    R0 mv91xx;mv91xx;C:\Windows\System32\drivers\mv91xx.sys [2009-12-25 297512]
    R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-11-21 55280]
    R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2011-11-11 1047320]
    R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2011-11-11 442264]
    R1 RzFilter;RzFilter;C:\Windows\System32\drivers\RzFilter.sys [2014-10-13 74432]
    R2 AsSysCtrlService;ASUS System Control Service;C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.03\AsSysCtrlService.exe [2011-11-11 90112]
    R2 aswHwid;avast! HardwareID;C:\Windows\System32\drivers\aswHwid.sys [2014-9-7 29168]
    R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2011-11-11 89944]
    R2 avast! Antivirus;Avast Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2015-5-6 343336]
    R2 DvmMDES;DeviceVM Meta Data Export Service;C:\ASUS.SYS\config\DVMExportService.exe [2009-10-16 319488]
    R2 RzOvlMon;Razer Overlay Subsystem Emergency Service;C:\Program Files (x86)\Razer\Core\64bit\RzOvlMon.exe [2014-4-18 32960]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-2-9 383264]
    R2 VBoxAswDrv;VBoxAsw Support Driver;C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [2015-5-6 273824]
    R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-12-23 25816]
    R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-1-22 77824]
    R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-1-22 180224]
    R3 RzDxgk;RzDxgk;C:\Windows\System32\drivers\RzDxgk.sys [2014-10-13 129472]
    R3 rzendpt;rzendpt;C:\Windows\System32\drivers\rzendpt.sys [2014-9-5 39592]
    R3 rzmpos;rzmpos;C:\Windows\System32\drivers\rzmpos.sys [2014-9-5 35496]
    R3 rzudd;Razer Mouse Driver;C:\Windows\System32\drivers\rzudd.sys [2014-9-5 160424]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-5-20 393728]
    S2 aswStm;aswStm;C:\Windows\System32\drivers\aswStm.sys [2014-9-7 137288]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
    S2 MBAMService;MBAMService;D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-9-7 1080120]
    S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2015-2-18 315488]
    S3 AvastVBoxSvc;AvastVBox COM Service;C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [2015-5-6 4034896]
    S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2013-5-1 103064]
    S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-12-27 1432400]
    S3 ggflt;SEMC USB Flash Driver Filter;C:\Windows\System32\drivers\ggflt.sys [2012-2-23 13352]
    S3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2014-9-7 63704]
    S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\System32\drivers\MijXfilt.sys [2013-4-5 121416]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2011-11-14 20992]
    S3 RTCore64;RTCore64;D:\Program Files (x86)\MSI Afterburner\RTCore64.sys [2013-1-23 13368]
    S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2013-5-1 203672]
    S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-11-14 59392]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
    S3 VCam_WDM;Virtual Webcam 8.0;C:\Windows\System32\drivers\VCam_WDM.sys [2014-2-16 104120]
    S3 WatAdminSvc;WatAdminSvc;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-11-14 1255736]
    S4 Mobile Broadband HL Service;Mobile Broadband HL Service;C:\ProgramData\MobileBrServ\mbbService.exe [2012-10-18 232288]
    .
    =============== File Associations ===============
    .
    ShellExec: dreamweaver.exe: Open="D:\Program Files\Adobe\Adobe Dreamweaver CS5.5\dreamweaver.exe", "%1"
    .
    =============== Created Last 30 ================
    .
    2015-05-07 20:49:39 -------- d-----w- C:\ProgramData\regid.1986-12.com.adobe
    2015-05-07 03:07:37 -------- d-s---w- C:\Windows\SysWow64\Microsoft
    2015-05-06 22:43:23 -------- d-sh--w- C:\$RECYCLE.BIN
    2015-05-06 22:20:44 98816 ----a-w- C:\Windows\sed.exe
    2015-05-06 22:20:44 256000 ----a-w- C:\Windows\PEV.exe
    2015-05-06 22:20:44 208896 ----a-w- C:\Windows\MBR.exe
    2015-05-06 22:20:14 -------- d-----w- C:\ComboFix
    2015-05-06 21:33:30 -------- d-----w- C:\AdwCleaner
    2015-05-06 21:28:00 -------- d--h--w- C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
    2015-05-06 19:56:37 43112 ----a-w- C:\Windows\avastSS.scr
    2015-05-06 15:55:46 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{857BA3B3-F93D-4129-A17A-D75AF4F467B7}\offreg.dll
    2015-05-06 03:00:10 -------- d--h--w- C:\Users\Seismic\AppData\Roaming\FF1D547E
    2015-05-05 17:34:18 -------- d-----w- C:\Users\Seismic\AppData\Roaming\OxelonMC
    2015-05-05 17:08:02 -------- d-----w- C:\Users\Seismic\AppData\Roaming\lection
    2015-04-26 00:59:35 -------- d-----w- C:\nilesh
    2015-04-26 00:28:47 -------- d-----w- C:\MoTemp
    2015-04-26 00:17:36 1177600 ----a-w- C:\Windows\SysWow64\SYNSOEMU.DLL
    2015-04-26 00:17:29 -------- d-----w- C:\Program Files (x86)\Common Files\VST3
    2015-04-26 00:15:47 -------- d-----w- C:\ProgramData\VST3 Presets
    2015-04-25 23:36:24 -------- d-----w- C:\ProgramData\Steinberg
    2015-04-25 23:35:29 -------- d-----w- C:\Program Files (x86)\Common Files\Steinberg
    2015-04-25 23:34:26 -------- d-----w- C:\Program Files (x86)\Steinberg
    2015-04-25 23:33:57 -------- d-----w- C:\Users\Seismic\AppData\Roaming\Steinberg
    .
    ==================== Find3M ====================
    .
    2015-05-06 23:06:45 136408 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
    2015-05-06 19:56:59 272248 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
    2015-05-06 19:56:59 137288 ----a-w- C:\Windows\System32\drivers\aswStm.sys
    2015-05-06 19:56:58 89944 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2015-05-06 19:56:58 65736 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
    2015-05-06 19:56:58 29168 ----a-w- C:\Windows\System32\drivers\aswHwid.sys
    2015-05-06 19:56:57 93528 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
    2015-05-06 19:56:10 1047320 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
    2015-05-05 21:06:31 778416 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2015-05-05 21:06:31 142512 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2015-04-26 01:17:01 100864 ----a-w- C:\Windows\System32\fontsub.dll
    2015-04-26 01:13:37 202240 ----a-w- C:\Windows\System32\wbiosrvc.dll
    2015-04-14 08:37:56 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
    2015-04-14 08:37:46 107736 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
    2015-04-14 08:37:42 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2015-03-09 11:32:44 372248 ----a-w- C:\Windows\System32\LavasoftTcpService64.dll
    2015-03-09 11:32:42 325944 ----a-w- C:\Windows\SysWow64\LavasoftTcpService.dll
    2013-03-10 13:52:23 6533200 ----a-w- C:\Program Files\AVAST Sof
    .
    ============= FINISH: 23:54:14.16 ===============
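The "Pseudo HJT Report" section of a DDS log is where a helper usually starts reading, because it lists autoruns, browser helper objects, UAC policy values and browser proxy settings in a fixed, parseable shape. The script below is an added example (not part of the original post, not part of the DDS tool, and not a verdict on this machine): it parses a handful of lines copied from the DDS.txt above and flags the patterns a triage reviewer would want to look at first. Which patterns count as "worth a look" is the example's own assumption; in particular it treats a regsvr32 autorun whose target is not a .dll/.ocx, an autorun launched from ProgramData/AppData, EnableLUA=0, an orphaned BHO CLSID and a Firefox proxy setting as findings of different severities.

```python
"""Triage helper for DDS 'Pseudo HJT Report' lines (added example)."""
import re

# Constructed sample: lines copied from the DDS.txt posted above. A raw
# string keeps the Windows backslashes literal.
SAMPLE_LOG = r"""
uRun: [WTFast Tray] "D:\Program Files (x86)\WTFast\WTFast.exe" trayonly
uRun: [SiseQdohe] regsvr32.exe "C:\ProgramData\SiseQdohe\LijjuXgasi.nca"
mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: EnableLUA = dword:0
BHO: {074C1DC5-9320-4A9A-947D-C042949C6216} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
FF - prefs.js: network.proxy.http - 192.168.6.7
FF - prefs.js: network.proxy.type - 0
"""

# Line shapes as DDS prints them: u/m/d prefix = user / machine / default hive.
RUN_RE = re.compile(r'^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
POLICY_RE = re.compile(r'^[umd]Policies-(?P<key>\w+): (?P<value>\w+) = dword:(?P<data>\d+)$')
BHO_RE = re.compile(r'^BHO: (?:(?P<name>.+?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$')
FFPREF_RE = re.compile(r'^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.+)$')

# Directories any user-level process can write to; an autorun binary living
# there is unusual for an installed product (assumption of this example).
USER_WRITABLE = re.compile(r'\\(ProgramData|AppData|Temp|Users\\[^\\]+\\Downloads)\\', re.I)


def _paths_in(cmd):
    """Return every quoted path plus the first bare token of a command line."""
    return re.findall(r'"([^"]+)"', cmd) + cmd.split()[:1]


def triage(text):
    """Return a list of findings; each is {'severity', 'reason', 'line'}."""
    findings = []
    ff_prefs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group('cmd')
            paths = _paths_in(cmd)
            if 'regsvr32' in cmd.lower():
                # regsvr32 normally registers a COM DLL; any other extension
                # (here .nca) deserves a second look at the file itself.
                targets = [p for p in paths if 'regsvr32' not in p.lower()]
                if any(not p.lower().endswith(('.dll', '.ocx')) for p in targets):
                    findings.append(dict(severity='high', line=line,
                        reason='regsvr32 autorun loads a file without a .dll/.ocx extension'))
            if any(USER_WRITABLE.search(p) for p in paths):
                findings.append(dict(severity='medium', line=line,
                    reason='autorun executes from a user-writable data directory'))
            continue
        m = POLICY_RE.match(line)
        if m:
            value, data = m.group('value'), int(m.group('data'))  # DDS prints decimal
            if value == 'EnableLUA' and data == 0:
                findings.append(dict(severity='high', line=line,
                    reason='UAC is disabled (EnableLUA=0)'))
            elif value == 'ConsentPromptBehaviorAdmin' and data == 0:
                findings.append(dict(severity='medium', line=line,
                    reason='administrators elevate without any prompt'))
            continue
        m = BHO_RE.match(line)
        if m:
            if m.group('target') == '<orphaned>':
                findings.append(dict(severity='low', line=line,
                    reason='BHO CLSID is registered but its file is missing (<orphaned>)'))
            continue
        m = FFPREF_RE.match(line)
        if m:
            ff_prefs[m.group('pref')] = m.group('value')
    # Firefox only honours network.proxy.http when network.proxy.type is 1
    # (manual proxy); type 0 means "no proxy", so the setting is dormant.
    proxy = ff_prefs.get('network.proxy.http')
    if proxy:
        active = ff_prefs.get('network.proxy.type') == '1'
        findings.append(dict(
            severity='high' if active else 'info',
            line='network.proxy.http - ' + proxy,
            reason='Firefox traffic goes through a manual HTTP proxy' if active
                   else 'HTTP proxy configured but inactive (network.proxy.type is not 1)'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['reason']}\n         {f['line']}")
```

Run against the sample, the script reports the regsvr32 entry twice (non-DLL target and ProgramData location), the EnableLUA=0 policy, the orphaned BHO and the dormant Firefox proxy, and stays silent on the WTFast and Avast entries. The findings are prompts for the next step (inspect the file, check its signature and creation time, compare against the "Created Last 30" section), not a classification by themselves.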
     
  2. Seismic101 (Thread Starter)

    Attach file from DDS:
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 10/11/2011 23:30:14
    System Uptime: 07/05/2015 20:27:45 (3 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | P6X58D-E
    Processor: Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz | LGA1366 | 1596/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 74 GiB total, 4.313 GiB free.
    D: is FIXED (NTFS) - 932 GiB total, 512.201 GiB free.
    G: is FIXED (NTFS) - 932 GiB total, 920.85 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP540: 06/05/2015 16:56:15 - Windows Defender Checkpoint
    RP541: 06/05/2015 20:51:45 - avast! antivirus system restore point
    RP542: 07/05/2015 15:16:15 - Restore Operation
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    Adobe Acrobat X Pro - English, Français, Deutsch
    Adobe AIR
    Adobe Content Viewer
    Adobe Flash Player 12 ActiveX
    Adobe Flash Player 17 NPAPI
    Adobe Flash Professional CS6
    Adobe Help Manager
    Adobe Reader XI
    Adobe Story
    Adobe Widget Browser
    Advanced PC Tweaker v4.2
    Apple Application Support
    Apple Software Update
    Archeage Beta
    ASUSUpdate
    µTorrent
    Autodesk Backburner 2013.0.0
    Autodesk Maya 2013 64-bit
    AutoHotkey 1.0.48.05
    Avast Free Antivirus
    AviSynth 2.5
    AVS Update Manager 1.0
    AVS Video Converter 8
    AVS4YOU Software Navigator 1.4
    Battle.net
    Borderlands 2
    Combined Community Codec Pack 2011-11-11
    Composite 2013 64-bit
    CPUID CPU-Z 1.63.0
    D3DX10
    Diablo III
    DivX Setup
    Don't Starve
    Don't Starve Together Beta
    DVD Audio Extractor 7.1.2
    EPU-6 Engine
    FINAL FANTASY XIV - A Realm Reborn
    Free Studio version 6.5.0.301
    Free YouTube Download version 3.2.20.1230
    Free YouTube to MP3 Converter version 3.12.34.430
    Glyph
    Google Chrome
    Google Update Helper
    Google+ Auto Backup
    Heroes & Generals
    Hotfix for Microsoft .NET Framework 4 Client Profile (KB2461678)
    iTunes
    Java 7 Update 67
    Java 7 Update 67 (64-bit)
    Java Auto Updater
    JavaFX 2.1.0
    lection
    LibUSB-Win32-0.1.10.1
    Malwarebytes Anti-Malware version 2.1.6.1022
    marvell 91xx driver
    Marvell Miniport Driver
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Office 64-bit Components 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared 64-bit MUI (English) 2007
    Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable (x64)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_ATL_x86_x64
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_CRT_x86_x64
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFC_x86_x64
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC80_MFCLOC_x86_x64
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_ATL_x86_x64
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_CRT_x86_x64
    Microsoft_VC90_MFC_x86
    Microsoft_VC90_MFC_x86_x64
    Microsoft_VC90_MFCLOC_x86
    Microsoft_VC90_MFCLOC_x86_x64
    Mobile Broadband HL Service
    Mozilla Firefox 37.0.2 (x86 en-GB)
    Mozilla Maintenance Service
    MSI Afterburner 2.3.1
    MSI Kombustor 2.5.0
    MSVCRT
    MyPCBU version 2.25
    NC Launcher (GameForge)
    NEC Electronics USB 3.0 Host Controller Driver
    NVIDIA 3D Vision Controller Driver 314.07
    NVIDIA 3D Vision Driver 314.07
    NVIDIA Control Panel 314.07
    NVIDIA Graphics Driver 314.07
    NVIDIA HD Audio Driver 1.3.23.1
    NVIDIA Install Application
    NVIDIA PhysX
    NVIDIA PhysX System Software 9.12.1031
    NVIDIA Stereoscopic 3D Driver
    NVIDIA Update 1.12.12
    NVIDIA Update Components
    Oracle VM VirtualBox 4.3.14
    Oxelon Media Converter 1.1
    Path of Exile
    PC Probe II
    PDF Settings CS5
    PDF Settings CS6
    PhotoME
    Picasa 3
    Plus500
    PowerISO
    PSP Video 9 6
    PunkBuster Services
    PxMergeModule
    QuickTime 7
    Razer Core
    Razer Synapse 2.0
    RightNow (photobox_en)
    SAMSUNG USB Driver for Mobile Phones
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft Office 2007 suites (KB2596666) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Groove 2007 (KB2552997)
    Security Update for Microsoft Office InfoPath 2007 (KB2510061)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Skype™ 7.3
    SopCast 3.4.7
    South Park™: The Stick of Truth™
    Steam
    Steinberg Cubase 5
    Steinberg Drum Loop Expansion 01
    Steinberg Groove Agent ONE Content
    Steinberg HALionOne
    Steinberg HALionOne Additional Content Set 01
    Steinberg HALionOne Expression Set
    Steinberg HALionOne GM Drum Set
    Steinberg HALionOne GM Set
    Steinberg HALionOne Pro Set
    Steinberg HALionOne Studio Drum Set
    Steinberg HALionOne Studio Set
    Steinberg LoopMash Content
    Steinberg REVerence Content 01
    Team Fortress 2
    TeamSpeak 3 Client
    The Logo Creator v5.2
    Titledrome Lite 2012.1
    Trust Webcam 15007
    TurboV
    Update for 2007 Microsoft Office System (KB2284654)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2583910)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    VC80CRTRedist - 8.0.50727.6195
    Ventrilo Client
    Ventrilo Client for Windows x64
    VLC media player 2.0.0
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Language Selector
    Windows Live Messenger
    Windows Live Photo Common
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    WinRAR 4.10 beta 3 (64-bit)
    WTFast 3.2
    Yahoo! Messenger
    .
    ==== End Of File ===========================
     
  3. Seismic101

    Seismic101 Thread Starter

    Joined:
    May 7, 2015
    Messages:
    5
    I also ran a Gmer Rootkit Scan (PART 1)

    GMER 2.1.19357 - http://www.gmer.net
    Rootkit scan 2015-05-08 01:20:32
    Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST380815AS rev.4.AAB 74.53GB
    Running: b0ixj1ux.exe; Driver: C:\Users\Seismic\AppData\Local\Temp\axlirfoc.sys

    ---- User code sections - GMER 2.1 ----

    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e413c0 5 bytes JMP 0000000100120460
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e41410 5 bytes JMP 0000000100120450
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e41570 5 bytes JMP 0000000100120370
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e415c0 5 bytes JMP 0000000100120470
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e415d0 5 bytes JMP 00000001001203e0
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e41680 5 bytes JMP 0000000100120320
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e416b0 5 bytes JMP 00000001001203b0
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e416d0 5 bytes JMP 0000000100120390
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e41710 5 bytes JMP 00000001001202e0
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e41790 5 bytes JMP 00000001001202d0
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e417b0 5 bytes JMP 0000000100120310
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e417f0 5 bytes JMP 00000001001203c0
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e41840 5 bytes JMP 00000001001203f0
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e419a0 1 byte JMP 0000000100120230
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e419a2 3 bytes {JMP 0xffffffff892de890}
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e41b60 5 bytes JMP 0000000100120480
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e41b90 5 bytes JMP 00000001001203a0
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e41c70 5 bytes JMP 00000001001202f0
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e41c80 5 bytes JMP 0000000100120350
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e41ce0 5 bytes JMP 0000000100120290
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e41d70 5 bytes JMP 00000001001202b0
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e41d90 5 bytes JMP 00000001001203d0
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e41da0 1 byte JMP 0000000100120330
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e41da2 3 bytes {JMP 0xffffffff892de590}
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e41e10 5 bytes JMP 0000000100120410
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e41e40 5 bytes JMP 0000000100120240
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e42100 5 bytes JMP 00000001001201e0
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e421c0 1 byte JMP 0000000100120250
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e421c2 3 bytes {JMP 0xffffffff892de090}
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e421f0 5 bytes JMP 0000000100120490
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e42200 5 bytes JMP 00000001001204a0
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e42230 5 bytes JMP 0000000100120300
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e42240 5 bytes JMP 0000000100120360
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e422a0 5 bytes JMP 00000001001202a0
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e422f0 5 bytes JMP 00000001001202c0
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e42320 5 bytes JMP 0000000100120380
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e42330 5 bytes JMP 0000000100120340
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e42620 5 bytes JMP 0000000100120440
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e42820 5 bytes JMP 0000000100120260
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e42830 5 bytes JMP 0000000100120270
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e42840 5 bytes JMP 0000000100120400
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e42a00 5 bytes JMP 00000001001201f0
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e42a10 5 bytes JMP 0000000100120210
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e42a80 5 bytes JMP 0000000100120200
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e42ae0 5 bytes JMP 0000000100120420
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e42af0 5 bytes JMP 0000000100120430
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e42b00 5 bytes JMP 0000000100120220
    .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e42be0 5 bytes JMP 0000000100120280
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e413c0 5 bytes JMP 0000000076fa0460
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e41410 5 bytes JMP 0000000076fa0450
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e41570 5 bytes JMP 0000000076fa0370
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e415c0 5 bytes JMP 0000000076fa0470
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e415d0 5 bytes JMP 0000000076fa03e0
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e41680 5 bytes JMP 0000000076fa0320
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e416b0 5 bytes JMP 0000000076fa03b0
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e416d0 5 bytes JMP 0000000076fa0390
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e41710 5 bytes JMP 0000000076fa02e0
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e41790 5 bytes JMP 0000000076fa02d0
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e417b0 5 bytes JMP 0000000076fa0310
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e417f0 5 bytes JMP 0000000076fa03c0
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e41840 5 bytes JMP 0000000076fa03f0
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e419a0 1 byte JMP 0000000076fa0230
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e419a2 3 bytes {JMP 0x15e890}
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e41b60 5 bytes JMP 0000000076fa0480
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e41b90 5 bytes JMP 0000000076fa03a0
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e41c70 5 bytes JMP 0000000076fa02f0
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e41c80 5 bytes JMP 0000000076fa0350
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e41ce0 5 bytes JMP 0000000076fa0290
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e41d70 5 bytes JMP 0000000076fa02b0
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e41d90 5 bytes JMP 0000000076fa03d0
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e41da0 1 byte JMP 0000000076fa0330
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e41da2 3 bytes {JMP 0x15e590}
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e41e10 5 bytes JMP 0000000076fa0410
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e41e40 5 bytes JMP 0000000076fa0240
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e42100 5 bytes JMP 0000000076fa01e0
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e421c0 1 byte JMP 0000000076fa0250
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e421c2 3 bytes {JMP 0x15e090}
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e421f0 5 bytes JMP 0000000076fa0490
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e42200 5 bytes JMP 0000000076fa04a0
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e42230 5 bytes JMP 0000000076fa0300
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e42240 5 bytes JMP 0000000076fa0360
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e422a0 5 bytes JMP 0000000076fa02a0
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e422f0 5 bytes JMP 0000000076fa02c0
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e42320 5 bytes JMP 0000000076fa0380
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e42330 5 bytes JMP 0000000076fa0340
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e42620 5 bytes JMP 0000000076fa0440
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e42820 5 bytes JMP 0000000076fa0260
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e42830 5 bytes JMP 0000000076fa0270
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e42840 5 bytes JMP 0000000076fa0400
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e42a00 5 bytes JMP 0000000076fa01f0
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e42a10 5 bytes JMP 0000000076fa0210
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e42a80 5 bytes JMP 0000000076fa0200
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e42ae0 5 bytes JMP 0000000076fa0420
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e42af0 5 bytes JMP 0000000076fa0430
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e42b00 5 bytes JMP 0000000076fa0220
    .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e42be0 5 bytes JMP 0000000076fa0280
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e413c0 5 bytes JMP 0000000100070460
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e41410 5 bytes JMP 0000000100070450
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e41570 5 bytes JMP 0000000100070370
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e415c0 5 bytes JMP 0000000100070470
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e415d0 5 bytes JMP 00000001000703e0
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e41680 5 bytes JMP 0000000100070320
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e416b0 5 bytes JMP 00000001000703b0
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e416d0 5 bytes JMP 0000000100070390
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e41710 5 bytes JMP 00000001000702e0
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e41790 5 bytes JMP 00000001000702d0
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e417b0 5 bytes JMP 0000000100070310
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e417f0 5 bytes JMP 00000001000703c0
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e41840 5 bytes JMP 00000001000703f0
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e419a0 1 byte JMP 0000000100070230
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e419a2 3 bytes {JMP 0xffffffff8922e890}
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e41b60 5 bytes JMP 0000000100070480
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e41b90 5 bytes JMP 00000001000703a0
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e41c70 5 bytes JMP 00000001000702f0
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e41c80 5 bytes JMP 0000000100070350
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e41ce0 5 bytes JMP 0000000100070290
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e41d70 5 bytes JMP 00000001000702b0
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e41d90 5 bytes JMP 00000001000703d0
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e41da0 1 byte JMP 0000000100070330
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e41da2 3 bytes {JMP 0xffffffff8922e590}
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e41e10 5 bytes JMP 0000000100070410
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e41e40 5 bytes JMP 0000000100070240
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e42100 5 bytes JMP 00000001000701e0
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e421c0 1 byte JMP 0000000100070250
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e421c2 3 bytes {JMP 0xffffffff8922e090}
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e421f0 5 bytes JMP 0000000100070490
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e42200 5 bytes JMP 00000001000704a0
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e42230 5 bytes JMP 0000000100070300
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e42240 5 bytes JMP 0000000100070360
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e422a0 5 bytes JMP 00000001000702a0
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e422f0 5 bytes JMP 00000001000702c0
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e42320 5 bytes JMP 0000000100070380
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e42330 5 bytes JMP 0000000100070340
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e42620 5 bytes JMP 0000000100070440
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e42820 5 bytes JMP 0000000100070260
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e42830 5 bytes JMP 0000000100070270
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e42840 5 bytes JMP 0000000100070400
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e42a00 5 bytes JMP 00000001000701f0
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e42a10 5 bytes JMP 0000000100070210
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e42a80 5 bytes JMP 0000000100070200
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e42ae0 5 bytes JMP 0000000100070420
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e42af0 5 bytes JMP 0000000100070430
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e42b00 5 bytes JMP 0000000100070220
    .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e42be0 5 bytes JMP 0000000100070280
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e413c0 5 bytes JMP 0000000076fa0460
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e41410 5 bytes JMP 0000000076fa0450
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e41570 5 bytes JMP 0000000076fa0370
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e415c0 5 bytes JMP 0000000076fa0470
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e415d0 5 bytes JMP 0000000076fa03e0
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e41680 5 bytes JMP 0000000076fa0320
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e416b0 5 bytes JMP 0000000076fa03b0
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e416d0 5 bytes JMP 0000000076fa0390
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e41710 5 bytes JMP 0000000076fa02e0
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e41790 5 bytes JMP 0000000076fa02d0
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e417b0 5 bytes JMP 0000000076fa0310
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e417f0 5 bytes JMP 0000000076fa03c0
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e41840 5 bytes JMP 0000000076fa03f0
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e419a0 1 byte JMP 0000000076fa0230
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e419a2 3 bytes {JMP 0x15e890}
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e41b60 5 bytes JMP 0000000076fa0480
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e41b90 5 bytes JMP 0000000076fa03a0
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e41c70 5 bytes JMP 0000000076fa02f0
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e41c80 5 bytes JMP 0000000076fa0350
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e41ce0 5 bytes JMP 0000000076fa0290
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e41d70 5 bytes JMP 0000000076fa02b0
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e41d90 5 bytes JMP 0000000076fa03d0
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e41da0 1 byte JMP 0000000076fa0330
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e41da2 3 bytes {JMP 0x15e590}
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e41e10 5 bytes JMP 0000000076fa0410
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e41e40 5 bytes JMP 0000000076fa0240
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e42100 5 bytes JMP 0000000076fa01e0
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e421c0 1 byte JMP 0000000076fa0250
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e421c2 3 bytes {JMP 0x15e090}
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e421f0 5 bytes JMP 0000000076fa0490
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e42200 5 bytes JMP 0000000076fa04a0
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e42230 5 bytes JMP 0000000076fa0300
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e42240 5 bytes JMP 0000000076fa0360
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e422a0 5 bytes JMP 0000000076fa02a0
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e422f0 5 bytes JMP 0000000076fa02c0
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e42320 5 bytes JMP 0000000076fa0380
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e42330 5 bytes JMP 0000000076fa0340
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e42620 5 bytes JMP 0000000076fa0440
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e42820 5 bytes JMP 0000000076fa0260
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e42830 5 bytes JMP 0000000076fa0270
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e42840 5 bytes JMP 0000000076fa0400
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e42a00 5 bytes JMP 0000000076fa01f0
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e42a10 5 bytes JMP 0000000076fa0210
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e42a80 5 bytes JMP 0000000076fa0200
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e42ae0 5 bytes JMP 0000000076fa0420
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e42af0 5 bytes JMP 0000000076fa0430
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e42b00 5 bytes JMP 0000000076fa0220
    .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e42be0 5 bytes JMP 0000000076fa0280
    .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e413c0 5 bytes JMP 0000000076fa0460
    .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e41410 5 bytes JMP 0000000076fa0450
     
  4. Seismic101

    Seismic101 Thread Starter

    Joined:
    May 7, 2015
    Messages:
    5
    Part 2:

    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e41c80 5 bytes JMP 0000000076fa0350
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e41ce0 5 bytes JMP 0000000076fa0290
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e41d70 5 bytes JMP 0000000076fa02b0
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e41d90 5 bytes JMP 0000000076fa03d0
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e41da0 1 byte JMP 0000000076fa0330
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e41da2 3 bytes {JMP 0x15e590}
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e41e10 5 bytes JMP 0000000076fa0410
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e41e40 5 bytes JMP 0000000076fa0240
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e42100 5 bytes JMP 0000000076fa01e0
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e421c0 1 byte JMP 0000000076fa0250
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e421c2 3 bytes {JMP 0x15e090}
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e421f0 5 bytes JMP 0000000076fa0490
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e42200 5 bytes JMP 0000000076fa04a0
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e42230 5 bytes JMP 0000000076fa0300
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e42240 5 bytes JMP 0000000076fa0360
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e422a0 5 bytes JMP 0000000076fa02a0
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e422f0 5 bytes JMP 0000000076fa02c0
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e42320 5 bytes JMP 0000000076fa0380
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e42330 5 bytes JMP 0000000076fa0340
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e42620 5 bytes JMP 0000000076fa0440
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e42820 5 bytes JMP 0000000076fa0260
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e42830 5 bytes JMP 0000000076fa0270
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e42840 5 bytes JMP 0000000076fa0400
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e42a00 5 bytes JMP 0000000076fa01f0
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e42a10 5 bytes JMP 0000000076fa0210
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e42a80 5 bytes JMP 0000000076fa0200
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e42ae0 5 bytes JMP 0000000076fa0420
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e42af0 5 bytes JMP 0000000076fa0430
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e42b00 5 bytes JMP 0000000076fa0220
    .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e42be0 5 bytes JMP 0000000076fa0280
    .text C:\Windows\SysWOW64\PnkBstrA.exe[2680] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000071d21a22 2 bytes [D2, 71]
    .text C:\Windows\SysWOW64\PnkBstrA.exe[2680] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000071d21ad0 2 bytes [D2, 71]
    .text C:\Windows\SysWOW64\PnkBstrA.exe[2680] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000071d21b08 2 bytes [D2, 71]
    .text C:\Windows\SysWOW64\PnkBstrA.exe[2680] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000071d21bba 2 bytes [D2, 71]
    .text C:\Windows\SysWOW64\PnkBstrA.exe[2680] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000071d21bda 2 bytes [D2, 71]
    .text C:\Windows\SysWOW64\PnkBstrA.exe[2680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075dc1465 2 bytes [DC, 75]
    .text C:\Windows\SysWOW64\PnkBstrA.exe[2680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075dc14bb 2 bytes [DC, 75]
    .text ... * 2
    .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[1816] C:\Windows\syswow64\CRYPT32.dll!PFXImportCertStore 0000000075d20ddc 5 bytes JMP 00000001020ba557

    .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3052] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000761f8799 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e413c0 5 bytes JMP 0000000100070460
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e41410 5 bytes JMP 0000000100070450
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e41570 5 bytes JMP 0000000100070370
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e415c0 5 bytes JMP 0000000100070470
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e415d0 5 bytes JMP 00000001000703e0
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e41680 5 bytes JMP 0000000100070320
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e416b0 5 bytes JMP 00000001000703b0
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e416d0 5 bytes JMP 0000000100070390
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e41710 5 bytes JMP 00000001000702e0
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e41790 5 bytes JMP 00000001000702d0
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e417b0 5 bytes JMP 0000000100070310
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e417f0 5 bytes JMP 00000001000703c0
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e41840 5 bytes JMP 00000001000703f0
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e419a0 1 byte JMP 0000000100070230
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e419a2 3 bytes {JMP 0xffffffff8922e890}
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e41b60 5 bytes JMP 0000000100070480
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e41b90 5 bytes JMP 00000001000703a0
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e41c70 5 bytes JMP 00000001000702f0
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e41c80 5 bytes JMP 0000000100070350
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e41ce0 5 bytes JMP 0000000100070290
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e41d70 5 bytes JMP 00000001000702b0
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e41d90 5 bytes JMP 00000001000703d0
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e41da0 1 byte JMP 0000000100070330
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e41da2 3 bytes {JMP 0xffffffff8922e590}
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e41e10 5 bytes JMP 0000000100070410
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e41e40 5 bytes JMP 0000000100070240
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e42100 5 bytes JMP 00000001000701e0
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e421c0 1 byte JMP 0000000100070250
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e421c2 3 bytes {JMP 0xffffffff8922e090}
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e421f0 5 bytes JMP 0000000100070490
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e42200 5 bytes JMP 00000001000704a0
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e42230 5 bytes JMP 0000000100070300
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e42240 5 bytes JMP 0000000100070360
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e422a0 5 bytes JMP 00000001000702a0
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e422f0 5 bytes JMP 00000001000702c0
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e42320 5 bytes JMP 0000000100070380
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e42330 5 bytes JMP 0000000100070340
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e42620 5 bytes JMP 0000000100070440
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e42820 5 bytes JMP 0000000100070260
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e42830 5 bytes JMP 0000000100070270
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e42840 5 bytes JMP 0000000100070400
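A quick way to read a hook list like the one above, as an added triage helper that is not code from the thread or from GMER (the log excerpt inside it is constructed from the line format seen here and shortened to a few lines): parse each `.text` line, and for every process subtract the lowest JMP target from the others so the stub layout becomes base-independent. In the log above every process shows the same export-to-offset layout (`NtLoadDriver` at the lowest target, `NtNotifyChangeMultipleKeys` 0x2c0 above it, and so on); only the base differs, `0x76fa0000`-range in most processes and `0x100070000`-range in SearchIndexer. That pattern is one hook DLL loaded into every process at whatever address was free, which is how a security product's user-mode hooks also look. These GMER lines give only the target address, not the module that owns it, so the check before calling any of this malicious is to match the per-process base against that process's module list. Lines with no absolute target (raw byte patches such as `[D2, 71]`, or a relative `{JMP 0x…}`) are listed separately as unresolved. The grouping-by-layout idea is my assumption about how to triage such logs, not something GMER reports.

```python
"""Triage helper for GMER user-mode hook listings, i.e. lines of the form
'.text <process>[pid] <module>!<export> <addr> <n> bytes JMP <target>'.

Added example, not part of the original thread or of GMER itself. The
sample log is constructed from the line format seen in the thread and
shortened; grouping processes by relative stub layout is an assumption
about how to triage such logs, not something GMER reports.
"""
import re
from collections import defaultdict

# Constructed sample (shortened): two processes hooked by the same stub
# table at different bases, plus three entries with no absolute target.
SAMPLE_LOG = r'''
.text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e42100 5 bytes JMP 0000000076fa01e0
.text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e419a0 1 byte JMP 0000000076fa0230
.text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e419a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e42100 5 bytes JMP 00000001000701e0
.text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e419a0 1 byte JMP 0000000100070230
.text ... * 2
.text C:\Windows\SysWOW64\PnkBstrA.exe[2680] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000071d21a22 2 bytes [D2, 71]
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3052] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000761f8799 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
'''

HOOK_RE = re.compile(
    r'^\.text\s+'
    r'(?P<proc>.+?\.exe)\[(?P<pid>\d+)\]\s+'   # process path and PID
    r'(?P<module>.+?)!'                         # hooked module path
    r'(?P<func>\w+(?: \+ \d+)?)\s+'             # export, optional "+ offset"
    r'(?P<addr>[0-9a-fA-F]{16})\s+'             # patched address
    r'(?P<n>\d+) bytes?\s+'
    r'(?P<patch>.+)$'                           # what GMER found there
)
ABS_JMP_RE = re.compile(r'^JMP\s+([0-9a-fA-F]{16})$')


def parse_gmer_hooks(text):
    """Parse GMER '.text' hook lines into dicts; skip blank and summary lines."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # '.text ... * 2' summaries, blanks, other sections
        h = m.groupdict()
        h['pid'] = int(h['pid'])
        h['addr'] = int(h['addr'], 16)
        h['n'] = int(h['n'])
        jmp = ABS_JMP_RE.match(h['patch'])
        h['target'] = int(jmp.group(1), 16) if jmp else None
        h['module_name'] = h['module'].rsplit('\\', 1)[-1].lower()
        hooks.append(h)
    return hooks


def hook_fingerprints(hooks, module_name='ntdll.dll'):
    """Group processes by the relative layout of their hook stubs.

    For each process take every absolute-JMP hook on `module_name`, subtract
    the lowest target so the layout is base-independent, and use the
    (export -> offset) set as a fingerprint. Processes sharing a fingerprint
    are hooked by the same stub table relocated to a different base; the
    result maps fingerprint -> {(process, pid): base}.
    """
    per_proc = defaultdict(dict)
    for h in hooks:
        if h['target'] is not None and h['module_name'] == module_name:
            per_proc[(h['proc'], h['pid'])][h['func']] = h['target']
    groups = defaultdict(dict)
    for key, targets in per_proc.items():
        base = min(targets.values())
        fp = frozenset((f, t - base) for f, t in targets.items())
        groups[fp][key] = base
    return dict(groups)


def non_jmp_patches(hooks):
    """Entries with no absolute JMP target (raw byte patches, relative
    jumps). The log alone cannot attribute these; they need the process's
    module list."""
    return [h for h in hooks if h['target'] is None]


def summarize(text):
    """Human-readable summary: stub layouts shared across processes, then
    the unresolved entries."""
    hooks = parse_gmer_hooks(text)
    lines = []
    for fp, procs in hook_fingerprints(hooks).items():
        lines.append('%d hooked export(s), same stub layout in %d process(es):'
                     % (len(fp), len(procs)))
        for (proc, pid), base in sorted(procs.items()):
            lines.append('  %s[%d] stubs based at 0x%x' % (proc, pid, base))
    for h in non_jmp_patches(hooks):
        lines.append('unresolved: %s[%d] %s!%s %s'
                     % (h['proc'], h['pid'], h['module_name'], h['func'], h['patch']))
    return '\n'.join(lines)


if __name__ == '__main__':
    print(summarize(SAMPLE_LOG))
```

Run it against the full pasted log rather than the sample and the output collapses the hundreds of lines above into one layout shared by every listed process plus a short list of unresolved patches; the bases it prints are what you compare with each process's module list.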
     
  5. Seismic101

    Seismic101 Thread Starter

    PART 3:

    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e42a00 5 bytes JMP 00000001000701f0
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e42a10 5 bytes JMP 0000000100070210
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e42a80 5 bytes JMP 0000000100070200
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e42ae0 5 bytes JMP 0000000100070420
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e42af0 5 bytes JMP 0000000100070430
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e42b00 5 bytes JMP 0000000100070220
    .text C:\Windows\system32\SearchIndexer.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e42be0 5 bytes JMP 0000000100070280
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e413c0 5 bytes JMP 0000000076fa0460
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e41410 5 bytes JMP 0000000076fa0450
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e41570 5 bytes JMP 0000000076fa0370
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e415c0 5 bytes JMP 0000000076fa0470
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e415d0 5 bytes JMP 0000000076fa03e0
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e41680 5 bytes JMP 0000000076fa0320
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e416b0 5 bytes JMP 0000000076fa03b0
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e416d0 5 bytes JMP 0000000076fa0390
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e41710 5 bytes JMP 0000000076fa02e0
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e41790 5 bytes JMP 0000000076fa02d0
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e417b0 5 bytes JMP 0000000076fa0310
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e417f0 5 bytes JMP 0000000076fa03c0
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e41840 5 bytes JMP 0000000076fa03f0
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e419a0 1 byte JMP 0000000076fa0230
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e419a2 3 bytes {JMP 0x15e890}
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e41b60 5 bytes JMP 0000000076fa0480
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e41b90 5 bytes JMP 0000000076fa03a0
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e41c70 5 bytes JMP 0000000076fa02f0
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e41c80 5 bytes JMP 0000000076fa0350
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e41ce0 5 bytes JMP 0000000076fa0290
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e41d70 5 bytes JMP 0000000076fa02b0
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e41d90 5 bytes JMP 0000000076fa03d0
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e41da0 1 byte JMP 0000000076fa0330
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e41da2 3 bytes {JMP 0x15e590}
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e41e10 5 bytes JMP 0000000076fa0410
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e41e40 5 bytes JMP 0000000076fa0240
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e42100 5 bytes JMP 0000000076fa01e0
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e421c0 1 byte JMP 0000000076fa0250
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e421c2 3 bytes {JMP 0x15e090}
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e421f0 5 bytes JMP 0000000076fa0490
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e42200 5 bytes JMP 0000000076fa04a0
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e42230 5 bytes JMP 0000000076fa0300
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e42240 5 bytes JMP 0000000076fa0360
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e422a0 5 bytes JMP 0000000076fa02a0
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e422f0 5 bytes JMP 0000000076fa02c0
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e42320 5 bytes JMP 0000000076fa0380
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e42330 5 bytes JMP 0000000076fa0340
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e42620 5 bytes JMP 0000000076fa0440
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e42820 5 bytes JMP 0000000076fa0260
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e42830 5 bytes JMP 0000000076fa0270
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e42840 5 bytes JMP 0000000076fa0400
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e42a00 5 bytes JMP 0000000076fa01f0
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e42a10 5 bytes JMP 0000000076fa0210
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e42a80 5 bytes JMP 0000000076fa0200
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e42ae0 5 bytes JMP 0000000076fa0420
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e42af0 5 bytes JMP 0000000076fa0430
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e42b00 5 bytes JMP 0000000076fa0220
    .text C:\Windows\system32\wbem\wmiprvse.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e42be0 5 bytes JMP 0000000076fa0280
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e413c0 5 bytes JMP 0000000076fa0460
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e41410 5 bytes JMP 0000000076fa0450
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e41570 5 bytes JMP 0000000076fa0370
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e415c0 5 bytes JMP 0000000076fa0470
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e415d0 5 bytes JMP 0000000076fa03e0
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e41680 5 bytes JMP 0000000076fa0320
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e416b0 5 bytes JMP 0000000076fa03b0
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e416d0 5 bytes JMP 0000000076fa0390
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e41710 5 bytes JMP 0000000076fa02e0
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e41790 5 bytes JMP 0000000076fa02d0
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e417b0 5 bytes JMP 0000000076fa0310
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e417f0 5 bytes JMP 0000000076fa03c0
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e41840 5 bytes JMP 0000000076fa03f0
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e419a0 1 byte JMP 0000000076fa0230
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076e419a2 3 bytes {JMP 0x15e890}
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e41b60 5 bytes JMP 0000000076fa0480
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e41b90 5 bytes JMP 0000000076fa03a0
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e41c70 5 bytes JMP 0000000076fa02f0
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e41c80 5 bytes JMP 0000000076fa0350
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e41ce0 5 bytes JMP 0000000076fa0290
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e41d70 5 bytes JMP 0000000076fa02b0
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e41d90 5 bytes JMP 0000000076fa03d0
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e41da0 1 byte JMP 0000000076fa0330
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076e41da2 3 bytes {JMP 0x15e590}
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e41e10 5 bytes JMP 0000000076fa0410
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e41e40 5 bytes JMP 0000000076fa0240
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e42100 5 bytes JMP 0000000076fa01e0
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e421c0 1 byte JMP 0000000076fa0250
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076e421c2 3 bytes {JMP 0x15e090}
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e421f0 5 bytes JMP 0000000076fa0490
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e42200 5 bytes JMP 0000000076fa04a0
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e42230 5 bytes JMP 0000000076fa0300
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e42240 5 bytes JMP 0000000076fa0360
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e422a0 5 bytes JMP 0000000076fa02a0
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e422f0 5 bytes JMP 0000000076fa02c0
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e42320 5 bytes JMP 0000000076fa0380
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e42330 5 bytes JMP 0000000076fa0340
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e42620 5 bytes JMP 0000000076fa0440
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e42820 5 bytes JMP 0000000076fa0260
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e42830 5 bytes JMP 0000000076fa0270
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e42840 5 bytes JMP 0000000076fa0400
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e42a00 5 bytes JMP 0000000076fa01f0
    .text C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\nacl64.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e42a10 5 bytes JMP 0000000076fa0210

    ---- User IAT/EAT - GMER 2.1 ----


    ---- Threads - GMER 2.1 ----

    ---- Processes - GMER 2.1 ----

    Process C:\ASUS.SYS\config\DVMExportService.exe (*** suspicious ***) @ C:\ASUS.SYS\config\DVMExportService.exe [2160] (Windows Metadata Export Service/DeviceVM, Inc.)(2009-10-16 10:42:48) 0000000000400000
    Library C:\Users\Seismic\AppData\Roaming\lection\gendaqof.dll (*** suspicious ***) @ C:\Windows\Explorer.exe [5416](2015-03-30 16:32:04) 000007fef5100000
    Library C:\Users\Seismic\AppData\Roaming\lection\subcalal.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [10048](2015-03-30 16:31:38) 0000000073360000

    ---- Files - GMER 2.1 ----

    File C:\Users\Seismic\AppData\Local\Temp\~DF409D35E180C101A4.TMP 0 bytes
    File C:\Users\Seismic\AppData\Local\Temp\~DFFCFF4B477481A5D8.TMP 0 bytes

    ---- EOF - GMER 2.1 ----
     
Short URL to this thread: https://techguy.org/1147891
