GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-07-01 18:57:21 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 SAMSUNG_ rev.1AA0 698,64GB Running: 78kdx7t1.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\axtiykob.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a7fc40 5 bytes JMP 000000010020091c .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077a7fda4 5 bytes JMP 0000000100200048 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077a7fe38 5 bytes JMP 00000001002002ee .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a7ff94 5 bytes JMP 00000001002004b2 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a7ffc8 5 bytes JMP 00000001002009fe .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a7fff8 5 bytes JMP 0000000100200ae0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a80014 2 bytes JMP 000000010002004c .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 0000000077a80017 2 bytes [5A, 88] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a8072c 5 bytes JMP 000000010020012a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a8081c 5 bytes JMP 0000000100200758 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a80834 5 bytes JMP 0000000100200676 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a80d84 5 bytes JMP 00000001002003d0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a818b0 5 bytes JMP 0000000100200594 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a81b74 5 bytes JMP 000000010020083a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077a81d00 5 bytes JMP 000000010020020c .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007578524f 7 bytes JMP 0000000100200f52 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000757853d0 7 bytes JMP 0000000100290210 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075785677 1 byte JMP 0000000100290048 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075785679 5 bytes {JMP 0xffffffff8ab0a9d1} .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007578589a 7 bytes JMP 0000000100200ca6 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075785a1d 7 bytes JMP 00000001002903d8 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075785c9b 7 bytes JMP 000000010029012c .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075785d87 7 bytes JMP 00000001002902f4 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075787240 7 bytes JMP 0000000100200e6e .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[852] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000774a15ea 7 bytes JMP 00000001002904bc .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a7fc40 5 bytes JMP 000000010028091c .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077a7fda4 5 bytes JMP 0000000100280048 .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077a7fe38 5 bytes JMP 00000001002802ee .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a7ff94 5 bytes JMP 00000001002804b2 .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a7ffc8 5 bytes JMP 00000001002809fe .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a7fff8 5 bytes JMP 0000000100280ae0 .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a80014 2 bytes JMP 000000010002004c .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 0000000077a80017 2 bytes [5A, 88] .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a8072c 5 bytes JMP 000000010028012a .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a8081c 5 bytes JMP 0000000100280758 .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a80834 5 bytes JMP 0000000100280676 .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a80d84 5 bytes JMP 00000001002803d0 .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a818b0 5 bytes JMP 0000000100280594 .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a81b74 5 bytes JMP 000000010028083a .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077a81d00 5 bytes JMP 000000010028020c .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007578524f 7 bytes JMP 0000000100280f52 .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000757853d0 7 bytes JMP 00000001002a0210 .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075785677 1 byte JMP 00000001002a0048 .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075785679 5 bytes {JMP 0xffffffff8ab1a9d1} .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007578589a 7 bytes JMP 0000000100280ca6 .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075785a1d 7 bytes JMP 00000001002a03d8 .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075785c9b 7 bytes JMP 00000001002a012c .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075785d87 7 bytes JMP 00000001002a02f4 .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075787240 7 bytes JMP 0000000100280e6e .text C:\Windows\system32\crypserv.exe[1612] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000774a15ea 7 bytes JMP 00000001002a059e .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a7fc40 5 bytes JMP 000000010028091c .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077a7fda4 5 bytes JMP 0000000100280048 .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077a7fe38 5 bytes JMP 00000001002802ee .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a7ff94 5 bytes JMP 00000001002804b2 .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a7ffc8 5 bytes JMP 00000001002809fe .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a7fff8 5 bytes JMP 0000000100280ae0 .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a80014 2 bytes JMP 000000010002004c .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 0000000077a80017 2 bytes [5A, 88] .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a8072c 5 bytes JMP 000000010028012a .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a8081c 5 bytes JMP 0000000100280758 .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a80834 5 bytes JMP 0000000100280676 .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a80d84 5 bytes JMP 00000001002803d0 .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a818b0 5 bytes JMP 0000000100280594 .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a81b74 5 bytes JMP 000000010028083a .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077a81d00 5 bytes JMP 000000010028020c .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007578524f 7 bytes JMP 0000000100280f52 .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000757853d0 7 bytes JMP 0000000100290210 .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075785677 1 byte JMP 0000000100290048 .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075785679 5 bytes {JMP 0xffffffff8ab0a9d1} .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007578589a 7 bytes JMP 0000000100280ca6 .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075785a1d 7 bytes JMP 00000001002903d8 .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075785c9b 7 bytes JMP 000000010029012c .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075785d87 7 bytes JMP 00000001002902f4 .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075787240 7 bytes JMP 0000000100280e6e .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[1648] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000774a15ea 7 bytes JMP 00000001002904bc .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a7fc40 5 bytes JMP 000000010028091c .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077a7fda4 5 bytes JMP 0000000100280048 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077a7fe38 5 bytes JMP 00000001002802ee .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a7ff94 5 bytes JMP 00000001002804b2 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a7ffc8 5 bytes JMP 00000001002809fe .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a7fff8 5 bytes JMP 0000000100280ae0 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a80014 2 bytes JMP 000000010002004c .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 0000000077a80017 2 bytes [5A, 88] .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a8072c 5 bytes JMP 000000010028012a .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a8081c 5 bytes JMP 0000000100280758 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a80834 5 bytes JMP 0000000100280676 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a80d84 5 bytes JMP 00000001002803d0 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a818b0 5 bytes JMP 0000000100280594 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a81b74 5 bytes JMP 000000010028083a .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077a81d00 5 bytes JMP 000000010028020c .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000774a15ea 7 bytes JMP 000000010029059e .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007578524f 7 bytes JMP 0000000100280f52 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000757853d0 7 bytes JMP 0000000100290210 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075785677 1 byte JMP 0000000100290048 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075785679 5 bytes {JMP 0xffffffff8ab0a9d1} .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007578589a 7 bytes JMP 0000000100280ca6 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075785a1d 7 bytes JMP 00000001002903d8 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075785c9b 7 bytes JMP 000000010029012c .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075785d87 7 bytes JMP 00000001002902f4 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075787240 7 bytes JMP 0000000100280e6e .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075741465 2 bytes [74, 75] .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[1800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000757414bb 2 bytes [74, 75] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a7fc40 5 bytes JMP 000000010027091c .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077a7fda4 5 bytes JMP 0000000100270048 .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077a7fe38 5 bytes JMP 00000001002702ee .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a7ff94 5 bytes JMP 00000001002704b2 .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a7ffc8 5 bytes JMP 00000001002709fe .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a7fff8 5 bytes JMP 0000000100270ae0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a80014 2 bytes JMP 000000010002004c .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 0000000077a80017 2 bytes [5A, 88] .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a8072c 5 bytes JMP 000000010027012a .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a8081c 5 bytes JMP 0000000100270758 .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a80834 5 bytes JMP 0000000100270676 .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a80d84 5 bytes JMP 00000001002703d0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a818b0 5 bytes JMP 0000000100270594 .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a81b74 5 bytes JMP 000000010027083a .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077a81d00 5 bytes JMP 000000010027020c .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000774a15ea 7 bytes JMP 000000010028059e .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007578524f 7 bytes JMP 0000000100270f52 .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000757853d0 7 bytes JMP 0000000100280210 .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075785677 1 byte JMP 0000000100280048 .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075785679 5 bytes {JMP 0xffffffff8aafa9d1} .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007578589a 7 bytes JMP 0000000100270ca6 .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075785a1d 7 bytes JMP 00000001002803d8 .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075785c9b 7 bytes JMP 000000010028012c .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075785d87 7 bytes JMP 00000001002802f4 .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075787240 7 bytes JMP 0000000100270e6e .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000730f1a22 2 bytes [0F, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000730f1ad0 2 bytes [0F, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000730f1b08 2 bytes [0F, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000730f1bba 2 bytes [0F, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1968] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000730f1bda 2 bytes [0F, 73] .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a7fc40 5 bytes JMP 000000010027091c .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077a7fda4 5 bytes JMP 0000000100270048 .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077a7fe38 5 bytes JMP 00000001002702ee .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a7ff94 5 bytes JMP 00000001002704b2 .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a7ffc8 5 bytes JMP 00000001002709fe .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a7fff8 5 bytes JMP 0000000100270ae0 .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a80014 2 bytes JMP 000000010002004c .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 0000000077a80017 2 bytes [5A, 88] .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a8072c 5 bytes JMP 000000010027012a .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a8081c 5 bytes JMP 0000000100270758 .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a80834 5 bytes JMP 0000000100270676 .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a80d84 5 bytes JMP 00000001002703d0 .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a818b0 5 bytes JMP 0000000100270594 .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a81b74 5 bytes JMP 000000010027083a .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077a81d00 5 bytes JMP 000000010027020c .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007578524f 7 bytes JMP 0000000100270f52 .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000757853d0 7 bytes JMP 0000000100280210 .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075785677 1 byte JMP 0000000100280048 .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075785679 5 bytes {JMP 0xffffffff8aafa9d1} .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007578589a 7 bytes JMP 0000000100270ca6 .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075785a1d 7 bytes JMP 00000001002803d8 .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075785c9b 7 bytes JMP 000000010028012c .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075785d87 7 bytes JMP 00000001002802f4 .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075787240 7 bytes JMP 0000000100270e6e .text C:\Program Files (x86)\PowerSoft\PowersoftService.exe[2032] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000774a15ea 7 bytes JMP 000000010028059e .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a7fc40 5 bytes JMP 000000010042091c .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077a7fda4 5 bytes JMP 0000000100420048 .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077a7fe38 5 bytes JMP 00000001004202ee .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a7ff94 5 bytes JMP 00000001004204b2 .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a7ffc8 5 bytes JMP 00000001004209fe .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a7fff8 5 bytes JMP 0000000100420ae0 .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a80014 2 bytes JMP 000000010002004c .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 0000000077a80017 2 bytes [5A, 88] .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a8072c 5 bytes JMP 000000010042012a .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a8081c 5 bytes JMP 0000000100420758 .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a80834 5 bytes JMP 0000000100420676 .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a80d84 5 bytes JMP 00000001004203d0 .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a818b0 5 bytes JMP 0000000100420594 .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a81b74 5 bytes JMP 000000010042083a .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077a81d00 5 bytes JMP 000000010042020c .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000774a15ea 7 bytes JMP 00000001004304bc .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007578524f 7 bytes JMP 0000000100420f52 .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000757853d0 7 bytes JMP 0000000100430210 .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075785677 1 byte JMP 0000000100430048 .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075785679 5 bytes {JMP 0xffffffff8acaa9d1} .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007578589a 7 bytes JMP 0000000100420ca6 .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075785a1d 7 bytes JMP 00000001004303d8 .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075785c9b 7 bytes JMP 000000010043012c .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075785d87 7 bytes JMP 00000001004302f4 .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[1220] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075787240 7 bytes JMP 0000000100420e6e .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a7fc40 5 bytes JMP 000000010047091c .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077a7fda4 5 bytes JMP 0000000100470048 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077a7fe38 5 bytes JMP 00000001004702ee .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a7ff94 5 bytes JMP 00000001004704b2 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a7ffc8 5 bytes JMP 00000001004709fe .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a7fff8 5 bytes JMP 0000000100470ae0 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a80014 2 bytes JMP 000000010002004c .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 0000000077a80017 2 bytes [5A, 88] .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a8072c 5 bytes JMP 000000010047012a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a8081c 5 bytes JMP 0000000100470758 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a80834 5 bytes JMP 0000000100470676 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a80d84 5 bytes JMP 00000001004703d0 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a818b0 5 bytes JMP 0000000100470594 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a81b74 5 bytes JMP 000000010047083a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077a81d00 5 bytes JMP 000000010047020c .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000774a15ea 7 bytes JMP 000000010048059e .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007578524f 7 bytes JMP 0000000100470f52 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000757853d0 7 bytes JMP 0000000100480210 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075785677 1 byte JMP 0000000100480048 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075785679 5 bytes {JMP 0xffffffff8acfa9d1} .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007578589a 7 bytes JMP 0000000100470ca6 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075785a1d 7 bytes JMP 00000001004803d8 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075785c9b 7 bytes JMP 000000010048012c .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075785d87 7 bytes JMP 00000001004802f4 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2152] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075787240 7 bytes JMP 0000000100470e6e .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a7fc40 5 bytes JMP 000000010028091c .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077a7fda4 5 bytes JMP 0000000100280048 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077a7fe38 5 bytes JMP 00000001002802ee .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a7ff94 5 bytes JMP 00000001002804b2 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a7ffc8 5 bytes JMP 00000001002809fe .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a7fff8 5 bytes JMP 0000000100280ae0 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a80014 2 bytes JMP 000000010002004c .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 0000000077a80017 2 bytes [5A, 88] .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a8072c 5 bytes JMP 000000010028012a .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a8081c 5 bytes JMP 0000000100280758 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a80834 5 bytes JMP 0000000100280676 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a80d84 5 bytes JMP 00000001002803d0 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a818b0 5 bytes JMP 0000000100280594 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a81b74 5 bytes JMP 000000010028083a .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077a81d00 5 bytes JMP 000000010028020c .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007578524f 7 bytes JMP 0000000100280f52 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000757853d0 7 bytes JMP 0000000100290210 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075785677 1 byte JMP 0000000100290048 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075785679 5 bytes {JMP 0xffffffff8ab0a9d1} .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007578589a 7 bytes JMP 0000000100280ca6 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075785a1d 7 bytes JMP 00000001002903d8 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075785c9b 7 bytes JMP 000000010029012c .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075785d87 7 bytes JMP 00000001002902f4 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075787240 7 bytes JMP 0000000100280e6e .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000774a15ea 7 bytes JMP 0000000100290762 .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\syswow64\urlmon.dll!URLOpenPullStreamW + 69 0000000075a948c9 7 bytes JMP 000000010029059e .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075741465 2 bytes [74, 75] .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[1340] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000757414bb 2 bytes [74, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a7fc40 5 bytes JMP 000000010024091c .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077a7fda4 5 bytes JMP 0000000100240048 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077a7fe38 5 bytes JMP 00000001002402ee .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a7ff94 5 bytes JMP 00000001002404b2 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a7ffc8 5 bytes JMP 00000001002409fe .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a7fff8 5 bytes JMP 0000000100240ae0 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a80014 2 bytes JMP 000000010002004c .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 0000000077a80017 2 bytes [5A, 88] .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a8072c 5 bytes JMP 000000010024012a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a8081c 5 bytes JMP 0000000100240758 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a80834 5 bytes JMP 0000000100240676 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a80d84 5 bytes JMP 00000001002403d0 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a818b0 5 bytes JMP 0000000100240594 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a81b74 5 bytes JMP 000000010024083a .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077a81d00 5 bytes JMP 000000010024020c .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000774a15ea 7 bytes JMP 000000010031059e .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007578524f 7 bytes JMP 0000000100240f52 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000757853d0 7 bytes JMP 0000000100310210 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075785677 1 byte JMP 0000000100310048 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075785679 5 bytes {JMP 0xffffffff8ab8a9d1} .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007578589a 7 bytes JMP 0000000100240ca6 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075785a1d 7 bytes JMP 00000001003103d8 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075785c9b 7 bytes JMP 000000010031012c .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075785d87 7 bytes JMP 00000001003102f4 .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[384] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075787240 7 bytes JMP 0000000100240e6e .text C:\Windows\SysWOW64\rundll32.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile 0000000077a7f89c 5 bytes JMP 00000001000b0004 .text C:\Windows\SysWOW64\rundll32.exe[3272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075741465 2 bytes [74, 75] .text C:\Windows\SysWOW64\rundll32.exe[3272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000757414bb 2 bytes [74, 75] .text ... * 2 .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a7fc40 5 bytes JMP 000000010027091c .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077a7fda4 5 bytes JMP 0000000100270048 .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077a7fe38 5 bytes JMP 00000001002702ee .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a7ff94 5 bytes JMP 00000001002704b2 .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a7ffc8 5 bytes JMP 00000001002709fe .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a7fff8 5 bytes JMP 0000000100270ae0 .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a80014 2 bytes JMP 000000010002004c .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 0000000077a80017 2 bytes [5A, 88] .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a8072c 5 bytes JMP 000000010027012a .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a8081c 5 bytes JMP 0000000100270758 .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a80834 5 bytes JMP 0000000100270676 .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a80d84 5 bytes JMP 00000001002703d0 .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a818b0 5 bytes JMP 0000000100270594 .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a81b74 5 bytes JMP 000000010027083a .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077a81d00 5 bytes JMP 000000010027020c .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000774a15ea 7 bytes JMP 000000010028059e .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007578524f 7 bytes JMP 0000000100270f52 .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000757853d0 7 bytes JMP 0000000100280210 .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075785677 1 byte JMP 0000000100280048 .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075785679 5 bytes {JMP 0xffffffff8aafa9d1} .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007578589a 7 bytes JMP 0000000100270ca6 .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075785a1d 7 bytes JMP 00000001002803d8 .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075785c9b 7 bytes JMP 000000010028012c .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075785d87 7 bytes JMP 00000001002802f4 .text C:\Program Files (x86)\PowerSoft\personal.exe[3396] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075787240 7 bytes JMP 0000000100270e6e .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a7fc40 5 bytes JMP 000000010027091c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077a7fda4 5 bytes JMP 0000000100270048 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077a7fe38 5 bytes JMP 00000001002702ee .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a7ff94 5 bytes JMP 00000001002704b2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a7ffc8 5 bytes JMP 00000001002709fe .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a7fff8 5 bytes JMP 0000000100270ae0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a80014 2 bytes JMP 000000010002004c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 0000000077a80017 2 bytes [5A, 88] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a8072c 5 bytes JMP 000000010027012a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a8081c 5 bytes JMP 0000000100270758 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a80834 5 bytes JMP 0000000100270676 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a80d84 5 bytes JMP 00000001002703d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a818b0 5 bytes JMP 0000000100270594 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a81b74 5 bytes JMP 000000010027083a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077a81d00 5 bytes JMP 000000010027020c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007578524f 7 bytes JMP 0000000100270f52 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000757853d0 7 bytes JMP 00000001003f0210 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075785677 1 byte JMP 00000001003f0048 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075785679 5 bytes {JMP 0xffffffff8ac6a9d1} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007578589a 7 bytes JMP 0000000100270ca6 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075785a1d 7 bytes JMP 00000001003f03d8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075785c9b 7 bytes JMP 00000001003f012c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075785d87 7 bytes JMP 00000001003f02f4 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075787240 7 bytes JMP 0000000100270e6e .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000774a15ea 7 bytes JMP 00000001003f0762 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3412] C:\Windows\syswow64\urlmon.dll!URLOpenPullStreamW + 69 0000000075a948c9 7 bytes JMP 00000001003f059e .text C:\Windows\SysWOW64\rundll32.exe[2712] C:\Windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile 0000000077a7f89c 5 bytes JMP 00000001001e0004 .text C:\Windows\SysWOW64\rundll32.exe[2712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075741465 2 bytes [74, 75] .text C:\Windows\SysWOW64\rundll32.exe[2712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000757414bb 2 bytes [74, 75] .text ... * 2 .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a7fc40 5 bytes JMP 000000010010091c .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077a7fda4 5 bytes JMP 0000000100100048 .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077a7fe38 5 bytes JMP 00000001001002ee .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a7ff94 5 bytes JMP 00000001001004b2 .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a7ffc8 5 bytes JMP 00000001001009fe .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a7fff8 5 bytes JMP 0000000100100ae0 .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a80014 2 bytes JMP 000000010002004c .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 0000000077a80017 2 bytes [5A, 88] .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a8072c 5 bytes JMP 000000010010012a .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a8081c 5 bytes JMP 0000000100100758 .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a80834 5 bytes JMP 0000000100100676 .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a80d84 5 bytes JMP 00000001001003d0 .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a818b0 5 bytes JMP 0000000100100594 .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a81b74 5 bytes JMP 000000010010083a .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077a81d00 5 bytes JMP 000000010010020c .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007578524f 7 bytes JMP 0000000100100f52 .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000757853d0 7 bytes JMP 0000000100110210 .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075785677 1 byte JMP 0000000100110048 .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075785679 5 bytes {JMP 0xffffffff8a98a9d1} .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007578589a 7 bytes JMP 0000000100100ca6 .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075785a1d 7 bytes JMP 00000001001103d8 .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075785c9b 7 bytes JMP 000000010011012c .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075785d87 7 bytes JMP 00000001001102f4 .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075787240 7 bytes JMP 0000000100100e6e .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000774a15ea 7 bytes JMP 0000000100110762 .text C:\Users\Public\AppData\eMuleMorphXT\conime.exe[4792] C:\Windows\syswow64\urlmon.dll!URLOpenPullStreamW + 69 0000000075a948c9 7 bytes JMP 000000010011059e .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a7fc40 5 bytes JMP 000000010028091c .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077a7fda4 5 bytes JMP 0000000100280048 .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077a7fe38 5 bytes JMP 00000001002802ee .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a7ff94 5 bytes JMP 00000001002804b2 .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a7ffc8 5 bytes JMP 00000001002809fe .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a7fff8 5 bytes JMP 0000000100280ae0 .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a80014 2 bytes JMP 000000010002004c .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 0000000077a80017 2 bytes [5A, 88] .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a8072c 5 bytes JMP 000000010028012a .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a8081c 5 bytes JMP 0000000100280758 .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a80834 5 bytes JMP 0000000100280676 .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a80d84 5 bytes JMP 00000001002803d0 .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a818b0 5 bytes JMP 0000000100280594 .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a81b74 5 bytes JMP 000000010028083a .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077a81d00 5 bytes JMP 000000010028020c .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\syswow64\user32.dll!RecordShutdownReason + 882 00000000774a15ea 7 bytes JMP 000000010029059e .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\syswow64\ADVAPI32.dll!RegCreateKeyExA 0000000077311b71 5 bytes JMP 0000000100370004 .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA 000000007731bc0d 5 bytes JMP 0000000100380004 .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007578524f 7 bytes JMP 0000000100280f52 .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000757853d0 7 bytes JMP 0000000100290210 .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075785677 1 byte JMP 0000000100290048 .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075785679 5 bytes {JMP 0xffffffff8ab0a9d1} .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007578589a 7 bytes JMP 0000000100280ca6 .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075785a1d 7 bytes JMP 00000001002903d8 .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075785c9b 7 bytes JMP 000000010029012c .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075785d87 7 bytes JMP 00000001002902f4 .text C:\Users\Public\AppData\Aobj\ctfldr.exe[4776] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075787240 7 bytes JMP 0000000100280e6e .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a7fc40 5 bytes JMP 000000010028091c .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077a7fda4 5 bytes JMP 0000000100280048 .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077a7fe38 5 bytes JMP 00000001002802ee .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a7ff94 5 bytes JMP 00000001002804b2 .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a7ffc8 5 bytes JMP 00000001002809fe .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a7fff8 5 bytes JMP 0000000100280ae0 .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a80014 2 bytes JMP 000000010002004c .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 0000000077a80017 2 bytes [5A, 88] .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077a8072c 5 bytes JMP 000000010028012a .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a8081c 5 bytes JMP 0000000100280758 .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a80834 5 bytes JMP 0000000100280676 .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a80d84 5 bytes JMP 00000001002803d0 .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a818b0 5 bytes JMP 0000000100280594 .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a81b74 5 bytes JMP 000000010028083a .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077a81d00 5 bytes JMP 000000010028020c .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007578524f 7 bytes JMP 0000000100280f52 .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000757853d0 7 bytes JMP 0000000100310210 .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075785677 1 byte JMP 0000000100310048 .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075785679 5 bytes {JMP 0xffffffff8ab8a9d1} .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007578589a 7 bytes JMP 0000000100280ca6 .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075785a1d 7 bytes JMP 00000001003103d8 .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075785c9b 7 bytes JMP 000000010031012c .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075785d87 7 bytes JMP 00000001003102f4 .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075787240 7 bytes JMP 0000000100280e6e .text C:\GRUPA DOM\GAMER\78kdx7t1.exe[3020] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000774a15ea 7 bytes JMP 00000001003104bc ---- Threads - GMER 2.1 ---- Thread C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe [1340:1252] 0000000000020060 Thread C:\Program Files (x86)\PowerSoft\personal.exe [3396:3408] 0000000000020060 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----