www.MegaLab.it

[Amantide]

Si, è possibile. Fai un altra scansione con VirIt, a volte con la seconda scansione trova cio che non trova durante la prima.

[aris73]

ho fatto la scansione con virIT ed ha eliminato un'infezione e poi finalmente mi è partito Prevx e qualcosa sembra sia cambiato...ma con myuninstaller non trovo nessuna voce che dovrei trovare secondo la guida...è possibile che il pc sia "guarito"?

si... ma per stare più tranquilla ti consiglierei l'utilizzo del tool symantec che rimuove più cose, la seconda scnsione con virit come ti é già stato suggerito....e una scansione con avg antispyware aggiornato da provvisoria...

[fasa7367]

aris73
dove trovo i tool simantec?...ora non mi compare più"x ora" l'avviso di norton che mi dice di essre infetto con L O..e mi si sono sistemate alcune cose che prima erano in tilt...
dopo la scansione convirIT mi trovo con 2 file infetti che non so come eliminarli e cioè.
C:\PROGRAMMI\INTERNET EXPLORER\PLUGINS\Pano viewer.dll
C:\PROGRAMMI\Ulead Systems\ulead COOL360\Pano Viewer.dll
con la dicitura"variante Trojan Win32.ZLOB.E

per eliminarli lo devo fare manualmente andando direttamente nelle cartelle? grazie grazie grazie...

[Amantide]

http://securityresponse.symantec.com/av ... inkopt.exe

Scarica anche CCleaner e pulisci i file temporanei.

Per eliminare altro trojan invece, scarica A-Squared e fai la scansione completa.

[zacisi]

zacisi

Lancia Hijackthis clic su "oper the misc tools section clic su"delete file on reboot e immetti:C:\WINDOWS\Temp\qhom1.exe
poi fixa:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [qhom1.exe] C:\WINDOWS\Temp\qhom1.ex
riavvia ed esegui
tool Symantec http://www.mytempdir.com/1010789 file rinominato e zippato Fix.zip
il tool deve essere usato come amministratore dalla modalità provvisoria. Per entrare in modalità provvisoria premere F8 al boot.

tool Prevx http://www.mytempdir.com/1012500 il tool può essere usato anche dalla modalità normale. Se non dovesse funzionare, riprovare dalla modalità provvisoria premendo F8 al boot.

idolo ora sembra andare speriamo

[fasa7367]

prima sembrava tutto apposto..poi dopo il controllo tool simantec(che non ha trovato tracce di L O) mi è ricomparso l'avviso di norton di infezione L O...ora sto scaricando i programmi che mi avete consigliato.speriamo bene,ora però riesco a collegarmi anche all'enciclopedia online dei virus di simantec che prima non riuscivo ad aprire.....
un'altra cosa....sapete qualcosa su un aggiornamento windows per rimozione malware ott.206 KB890830
è da un po che mi compare lo scudo giallo con l'aggiornamento di 0kb che ricompare un scco di volte.che abbia a che fare con L O ? oggi è riapparso ma stranamente ha 700kb...

[aris73]

prima sembrava tutto apposto..poi dopo il controllo tool simantec(che non ha trovato tracce di L O) mi è ricomparso l'avviso di norton di infezione L O...ora sto scaricando i programmi che mi avete consigliato.speriamo bene,ora però riesco a collegarmi anche all'enciclopedia online dei virus di simantec che prima non riuscivo ad aprire.....
un'altra cosa....sapete qualcosa su un aggiornamento windows per rimozione malware ott.206 KB890830
è da un po che mi compare lo scudo giallo con l'aggiornamento di 0kb che ricompare un scco di volte.che abbia a che fare con L O ? oggi è riapparso ma stranamente ha 700kb...

cavolo....é successo anche a un mio cliente a cui io avevo disabilitato gli aggiornamenti automatici e s'é ritrovato questo aggiornamento... controlla se t'ha disattivato anche il ripristino di configurazione di sistema.? su questa cosa ancora non sò granché ma direi che dovresti affrettarti a fare tutte le scansioni...

[fasa7367]

ho fatto tutti gli scan del pc in modalità provvisoria ed ho eliminato vari virus ma quando ritorno in modalità normale mi si ripresenta sempre l'avviso di norton che rileva l'intrusione di L O...è normale che sia così? o c'è ancora qualcosa in giro?uffa...che ......sto trojan...grazie a tutti....

[aris73]

fasa

rifai una scansione con virit aggiornato e da provvisoria e mi dici cosa ti trova..

[fasa7367]

@aris73@
ho fatto come mi hai detto e virIt mi ha dato questo pesponso:
C:\WINDOWS\system32\nul.ugt infetto da Trojan.Win32.rootkit.L
RIMOSSO
spero sia proprio vero...e stavolta non mi è apparso il messaggio solito di Norton..
però ogni volta che faccio ripartire mi compare la finestra "utilità configurazione di sistema"ho dimenticato qualche passaggio? e...devo controllare qualcosaltro per essere sicuro che non ci sia più alcuna traccia di L O?..

[walli]

Lunedì 30 Ottobre 2006 ore 17:00 (circa) comincia la lunga battaglia.

Dopo avere scaricato la mattina da un pc pulito tutto ciò che mi serviva, e fidandomi, per il momento, solo del fatto che con virit si sbloccano tutti i programmi ho cominciato proprio da quello. Subito dopo , sono venuto a scrivere qui senza fare nient'altro (non ho avuto il coraggio a dire il vero) per il momento. La scansione é stata fatta da modalità normale, ed ecco il log:


VirIT eXplorer Lite Log

[SCANSIONE DELLA MEMORIA]
OK
[SCANSIONE DELLA MEMORIA]
OK
[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
30/10/2006 - 17:15:06

[SCANSIONE DEL REGISTRO]
{DA39029C-D291-A968-3FF4-D0990D5CB5FC} Infetto da BHO.LinkOptimizer.B
{DA39029C-D291-A968-3FF4-D0990D5CB5FC} Infetto da BHO.LinkOptimizer.D
{f250d521-225d-4d6b-8829-e064f944e180} Infetto da BHO.Agent.BM
* * * RIMOSSO * * *

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

C:\!KillBox\service32.exe Infetto da Trojan.Win32.Small.NE
* * * RIMOSSO * * *
C:\Documents and Settings\Walter&Stefano\Impostazioni locali\Temp\m Infetto da BHO.Agent.BM
* * * RIMOSSO * * *
C:\WINDOWS\12443118104.exe Infetto da Trojan.Win32.Small.NE
* * * RIMOSSO * * *
C:\WINDOWS\12518810697.exe Infetto da Trojan.Win32.Small.NE
* * * RIMOSSO * * *
C:\WINDOWS\160190239224.exe Infetto da Trojan.Win32.Small.NE
* * * RIMOSSO * * *
C:\WINDOWS\163126122171.exe Infetto da Trojan.Win32.Small.NE
* * * RIMOSSO * * *
C:\WINDOWS\17216522436.exe Infetto da Trojan.Win32.Small.NE
* * * RIMOSSO * * *
C:\WINDOWS\1782439643.exe Infetto da Trojan.Win32.Small.NE
* * * RIMOSSO * * *
C:\WINDOWS\180224255123.exe Infetto da Trojan.Win32.Small.NE
* * * RIMOSSO * * *
C:\WINDOWS\22611918733.exe Infetto da Trojan.Win32.Small.NE
* * * RIMOSSO * * *
C:\WINDOWS\2321614943.exe Infetto da Trojan.Win32.Small.NE
* * * RIMOSSO * * *
C:\WINDOWS\53168234243.exe Infetto da Trojan.Win32.Small.NE
* * * RIMOSSO * * *
C:\WINDOWS\99118249235.exe Infetto da Trojan.Win32.Small.NE
* * * RIMOSSO * * *
C:\WINDOWS\system32:kgaa.dll:$DATA Infetto da Trojan.Win32.Small.MQ
* * * RIMOSSO * * *
C:\WINDOWS\system32\kgaa.dll Infetto da BHO.Agent.BM
* * * RIMOSSO * * *

Chiavi Registro infette: 3.
Files Infetti: 15.
Files Sospetti: 0.
Files Analizzati: 24892.
Files Totali: 24892.
Chiavi Registro rimosse: 1.
Virus Rimossi: 15.

Non ho avuto il coraggio di provare nient'altro, come ad esempio provare ad aprire HijackThis. Avete suggerimenti sulle prossime mosse da seguire?

[Amantide]

Rifai la scansione con VirIt, ma questa volta dalla modalità provvisoria, ho un presentimento che non ha eliminato tutto
Fai anche la scansione con i tool di rimozione della Prevx e della Symantec.

[walli]

ho un presentimento che non ha eliminato tutto

Se avesse già eliminato tutto sarebbe troppo semplice, ci potrei rimanere un po' male

[fasa7367]

io con i consigli di Amantide e di Aris73 sono riuscito ad eliminare quel bastardone di un Trojan e per ora mi sembra tutto ok sul pc...l'ultima cosa che ho fatto è fare una scansione con virIT in modalità provvisoria e mi ha eliminato LO...ma devo fare qualcos'altro per essere sicuro di avere tolto tutto?

[Amantide]

Le scansioni con virit hai fatto, con i tools di rimozione anche... ho visto che non avevi mai postato il log della scansione con Hijackthis. Postalo e vediamo se c'è ancora qualcosa.
Un altra cosa da fare è cambiare assolutamente l'antivirus, metti Kaspersky (a pagamento) od Avast (gratis). Puoi anche installare A-squared o AVG Antispyware e fare la scansione, per vedere se ti trovano qualche altro residuo di qualche schifezza.

[aris73]

Un altra cosa da fare è cambiare assolutamente l'antivirus, metti Kaspersky (a pagamento) od Avast (gratis). Puoi anche installare A-squared o AVG Antispyware e fare la scansione, per vedere se ti trovano qualche altro residuo di qualche schifezza.

Ci sarebbe Active Virus Shield... che ha lo stesso database di Karspersky, nonché tutte le funzioni compreso il mail-scan in real time ed é free...unica cosa non installare la barra di AOL durante il setup.

[aris73]

@aris73@
ho fatto come mi hai detto e virIt mi ha dato questo pesponso:
C:\WINDOWS\system32\nul.ugt infetto da Trojan.Win32.rootkit.L
RIMOSSO
spero sia proprio vero...e stavolta non mi è apparso il messaggio solito di Norton..
però ogni volta che faccio ripartire mi compare la finestra "utilità configurazione di sistema"ho dimenticato qualche passaggio? e...devo controllare qualcosaltro per essere sicuro che non ci sia più alcuna traccia di L O?..

puoi farmi uno screen shot, così verifico se é quello che penso, ma ti anticipo che non penso sia nulla di rilevante.

[Paolouser]

Prima di tutto complimenti per il lavoro che svolgete in secondo luogo aiuto!! ho ConnectionServices
Ho seguito attentamente la guida ed ora mi devo rivolgere ad un esperto(data la mia palese incapacità a decifrare questi dati:
autostart:
ER 1.0.12.11867 - http://www.gmer.net
Autostart scan 2006-11-02 18:04:45
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ >>>
Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
Windows@AppInit_DLLs = \\?\C:\WINDOWS\System32\com4.iba

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Crypkey License /*Crypkey License*/@ = crypserv.exe
NetGwa /*NetGwa*/@ = "C:\Programmi\File comuni\System\odN.exe"
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\System32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@kX MixerC:\WINDOWS\System32\kxmixer.exe --startup = C:\WINDOWS\System32\kxmixer.exe --startup
@TkBellExe"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot = "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Jet DetectionC:\Programmi\Creative\SBAudigy\PROGRAM\ADGJDet.exe = C:\Programmi\Creative\SBAudigy\PROGRAM\ADGJDet.exe
@System Mechanic Popup Stopper"C:\Programmi\iolo\System Mechanic 4\PopupStopper.exe" /*file not found*/ = "C:\Programmi\iolo\System Mechanic 4\PopupStopper.exe" /*file not found*/
@msnmsgr"C:\Programmi\MSN Messenger\msnmsgr.exe" /background = "C:\Programmi\MSN Messenger\msnmsgr.exe" /background

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealOne Player\rpshell.dll = C:\Programmi\Real\RealOne Player\rpshell.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll = C:\Programmi\Microsoft Office\Office10\msohev.dll
@{73B24247-042E-4EF5-ADC2-42F62E6FD654} /*ICQ Lite Shell Extension*/(null) =
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll = C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
ICQLiteMenu@{73B24247-042E-4EF5-ADC2-42F62E6FD654} =
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar2.dll = c:\programmi\google\googletoolbar2.dll

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pageabout:blank = about:blank
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

---- EOF - GMER 1.0.12 ----

rootkit:

GMER 1.0.12.11867 - http://www.gmer.net
Rootkit scan 2006-11-02 18:07:41
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey

Code 809852DE IoReadTransferCount

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 86FC8C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 86FC8C78

---- EOF - GMER 1.0.12 ----


grazie!

[Paolouser]

allego anche un rootkit fatto con lo scan
GMER 1.0.12.11867 - http://www.gmer.net
Rootkit scan 2006-11-02 18:33:56
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + 240 804E274C 4 Bytes
.text ntoskrnl.exe!_abnormal_termination + 360 804E27C4 4 Bytes
.text ntoskrnl.exe!_abnormal_termination + 368 804E27CC 4 Bytes
.text ntoskrnl.exe!_abnormal_termination + 552 804E2884 4 Bytes
.text ntoskrnl.exe!_abnormal_termination + 716 804E2928 4 Bytes
.text ...
.text ntdll.dll!NtClose 7C91D586 5 Bytes JMP 7203355A
.text ntdll.dll!NtCreateProcess 7C91D754 5 Bytes JMP 720336E5
.text ntdll.dll!NtCreateProcessEx 7C91D769 5 Bytes JMP 720335C9
.text ntdll.dll!NtCreateSection 7C91D793 5 Bytes JMP 72033578
.text ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 3EE8AD8B
.text ntdll.dll!NtQueryInformationFile 7C91DFDC 5 Bytes JMP 3EE8FA70
.text ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 3EE8D78F
.text ntdll.dll!NtReadVirtualMemory 7C91E2BB 5 Bytes JMP 3EE8E76A
.text ntdll.dll!NtVdmControl 7C91E975 5 Bytes JMP 3EE8ABBE
.text ntdll.dll!NtWriteVirtualMemory 7C91EA32 5 Bytes JMP 3EE8A79A
.text ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 3EE87B6B
.text ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 3EE88CE2
.text ntdll.dll!RtlQueryProcessDebugInformation + 2 7C9638ED 6 Bytes JMP 3EE8DE20

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\svchost.exe[416] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 3EE8AD8B
.text C:\WINDOWS\system32\svchost.exe[416] ntdll.dll!NtQueryInformationFile 7C91DFDC 5 Bytes JMP 3EE8FA70
.text C:\WINDOWS\system32\svchost.exe[416] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 3EE8D78F
.text C:\WINDOWS\system32\svchost.exe[416] ntdll.dll!NtReadVirtualMemory 7C91E2BB 5 Bytes JMP 3EE8E76A
.text C:\WINDOWS\system32\svchost.exe[416] ntdll.dll!NtVdmControl 7C91E975 5 Bytes JMP 3EE8ABBE
.text C:\WINDOWS\system32\svchost.exe[416] ntdll.dll!NtWriteVirtualMemory 7C91EA32 5 Bytes JMP 3EE8A79A
.text C:\WINDOWS\system32\svchost.exe[416] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 3EE87B6B
.text C:\WINDOWS\system32\svchost.exe[416] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 3EE88CE2
.text C:\WINDOWS\system32\svchost.exe[416] ntdll.dll!RtlQueryProcessDebugInformation + 2 7C9638ED 6 Bytes JMP 3EE8DE20
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateFileA + 2 7C801A26 6 Bytes JMP 3EE8D16F
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 3EE89627
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!LoadLibraryExA + 2 7C801D51 6 Bytes JMP 3EE88D00
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!LoadLibraryA + 2 7C801D79 7 Bytes JMP 3EE88969
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!ReadProcessMemory + 2 7C8021CE 6 Bytes JMP 3EE8AE50
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!WriteProcessMemory + 2 7C802211 5 Bytes JMP 3EE8D357
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateProcessW + 2 7C802334 5 Bytes JMP 3EE88471
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateProcessA + 2 7C802369 5 Bytes JMP 3EE87E6A
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!FreeLibrary + 2 7C80ABE0 7 Bytes JMP 3EE89430
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!GetProcAddress + 2 7C80ADA2 5 Bytes JMP 3EE88CEB
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!LoadLibraryW + 2 7C80AE4D 5 Bytes JMP 3EE88AAE
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!GetFileAttributesW + 2 7C80B74E 6 Bytes JMP 3EE8F4A7
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!FreeLibraryAndExitThread + 2 7C80C172 6 Bytes JMP 3EE88C1E
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!FindFirstFileExW + 2 7C80EA7F 9 Bytes JMP 3EE8EF72
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!FindFirstFileW + 2 7C80EEE3 5 Bytes JMP 3EE8F148
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!FindNextFileW 7C80EF3A 7 Bytes JMP 3EE8E15E
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateFileW + 2 7C810762 6 Bytes JMP 3EE8C788
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!GetFileAttributesExW + 2 7C8110F7 6 Bytes JMP 3EE8DDD7
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!GetFileAttributesA + 2 7C81153E 6 Bytes JMP 3EE8EB6D
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!SetFileAttributesA + 2 7C812784 6 Bytes JMP 3EE8D522
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!GetFileAttributesExA + 2 7C8137B3 6 Bytes JMP 3EE8F856
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!FindFirstFileA + 2 7C8137DB 9 Bytes JMP 3EE8F819
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!ExitProcess + 2 7C81CDDC 5 Bytes JMP 3EE881E8
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 3EE8BFD9
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!OpenFile 7C821982 5 Bytes JMP 3EE8BEDF
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!OpenProcess + 2 7C8309E3 6 Bytes JMP 3EE8B816
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!SetFileAttributesW + 2 7C8314D7 6 Bytes JMP 3EE8F879
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!DeleteFileA + 2 7C831EAD 6 Bytes JMP 3EE8D6CC
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!DeleteFileW + 2 7C831F33 6 Bytes JMP 3EE8EC8B
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!FindNextFileA + 2 7C834EB3 9 Bytes JMP 3EE89D1C
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!MoveFileExW + 2 7C83565D 6 Bytes JMP 3EE8DC00
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!MoveFileWithProgressA + 2 7C835EB0 6 Bytes JMP 3EE8B424
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!FindFirstFileExA + 2 7C85C514 9 Bytes JMP 3EE8EBA3
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!MoveFileExA + 2 7C85D4C5 6 Bytes JMP 3EE8DAAC
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!_lopen + 2 7C85E832 6 Bytes JMP 3EE8D03C
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!WinExec + 2 7C86136F 6 Bytes JMP 3EE8955F
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!Process32FirstW + 2 7C863D66 6 Bytes JMP 3EE8F958
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!Process32First + 2 7C863E1F 9 Bytes JMP 3EE8A114
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!Process32NextW + 2 7C863EF1 6 Bytes JMP 3EE8B40E
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!Process32Next + 2 7C863F92 9 Bytes JMP 3EE8E598
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!Thread32First + 2 7C864064 6 Bytes JMP 3EE8D8D7
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!Thread32Next + 2 7C864118 6 Bytes JMP 3EE8AF57
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!Module32FirstW + 2 7C8641B1 6 Bytes JMP 3EE8C17E
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!Module32First + 2 7C86426A 9 Bytes JMP 3EE8F2C5
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!Module32NextW + 2 7C86434E 6 Bytes JMP 3EE8DDAD
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!Module32Next + 2 7C8643EF 9 Bytes JMP 3EE8B2AB
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!GetBinaryTypeW 7C867BCC 5 Bytes JMP 3EE8EC64
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!GetBinaryType + 2 7C86802D 6 Bytes JMP 3EE8BDA1
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegOpenKeyExW + 2 77F46A7A 6 Bytes JMP 3EE8C527
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegCloseKey + 2 77F46BF2 2 Bytes
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegCloseKey + 5 77F46BF5 3 Bytes
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegQueryValueExW + 2 77F46FCA 6 Bytes JMP 3EE8B3AE
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegCreateKeyExW + 2 77F47537 6 Bytes JMP 3EE8F37C
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegOpenKeyExA + 2 77F4761D 6 Bytes JMP 3EE8EB4B
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegQueryValueExA + 2 77F47885 6 Bytes JMP 3EE8BF44
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegEnumValueW + 2 77F48083 6 Bytes JMP 3EE8B931
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegSetValueExW 77F4D7CC 7 Bytes JMP 3EE8B6D6
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegQueryValueW + 2 77F4D8E4 6 Bytes JMP 3EE8CE31
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegCreateKeyExA + 2 77F4EAF6 6 Bytes JMP 3EE8F4CB
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegSetValueExA 77F4EBE7 7 Bytes JMP 3EE8C8CD
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegDeleteValueA + 2 77F4EDE7 6 Bytes JMP 3EE8F931
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegDeleteValueW + 2 77F4EEF3 6 Bytes JMP 3EE8AB59
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegSetValueA + 2 77F56F4B 5 Bytes JMP 3EE8B1B8
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!SetFileSecurityW + 2 77F5AA6B 6 Bytes JMP 3EE8B984
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegEnumValueA + 2 77F5CF4C 6 Bytes JMP 3EE8AE48
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!SetNamedSecurityInfoW + 2 77F61287 6 Bytes JMP 3EE8CD2A
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!CreateProcessAsUserW + 2 77F67777 6 Bytes JMP 3EE88F4B
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegDeleteKeyW + 2 77F69886 6 Bytes JMP 3EE8A048
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!GetFileSecurityW + 2 77F6BCE0 6 Bytes JMP 3EE8A450
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegDeleteKeyA + 2 77F6C125 6 Bytes JMP 3EE8B010
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegQueryInfoKeyA + 2 77F6C1B7 6 Bytes JMP 3EE8CE16
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegOpenKeyA + 2 77F6C41D 6 Bytes JMP 3EE8C2F7
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegQueryValueA + 2 77F6CC12 6 Bytes JMP 3EE8C914
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegQueryInfoKeyW + 2 77F6CCF1 6 Bytes JMP 3EE8A9EF
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!GetNamedSecurityInfoW + 2 77F6D07A 7 Bytes JMP 3EE8B510
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegCreateKeyA + 2 77F6D5BD 6 Bytes JMP 3EE8B600
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!SetFileSecurityA + 2 77F7D2FF 5 Bytes JMP 3EE8D7B0
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!GetFileSecurityA + 2 77F7D365 5 Bytes JMP 3EE8D1AA
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!CreateProcessAsUserA + 2 77F8095A 6 Bytes JMP 3EE87EDE
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!CreateProcessWithLogonW 77F85C9D 5 Bytes JMP 3EE883FD
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!GetNamedSecurityInfoA + 2 77F91546 7 Bytes JMP 3EE8B58C
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!SetNamedSecurityInfoA + 2 77F91592 7 Bytes JMP 3EE8F431
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegQueryMultipleValuesA + 2 77FA553D 6 Bytes JMP 3EE89DB9
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegQueryMultipleValuesW + 2 77FA589F 6 Bytes JMP 3EE8CFD7
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!RegSetValueW + 2 77FA5FC4 5 Bytes JMP 3EE8EB3D
.text C:\WINDOWS\system32\svchost.exe[416] USER32.dll!ExitWindowsEx + 2 77D59E2F 6 Bytes JMP 3EE8848C
.text C:\WINDOWS\system32\wdfmgr.exe[492] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 3EE8AD8B
.text C:\WINDOWS\system32\wdfmgr.exe[492] ntdll.dll!NtQueryInformationFile 7C91DFDC 5 Bytes JMP 3EE8FA70
.text C:\WINDOWS\system32\wdfmgr.exe[492] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 3EE8D78F
.text C:\WINDOWS\system32\wdfmgr.exe[492] ntdll.dll!NtReadVirtualMemory 7C91E2BB 5 Bytes JMP 3EE8E76A
.text C:\WINDOWS\system32\wdfmgr.exe[492] ntdll.dll!NtVdmControl 7C91E975 5 Bytes JMP 3EE8ABBE
.text C:\WINDOWS\system32\wdfmgr.exe[492] ntdll.dll!NtWriteVirtualMemory 7C91EA32 5 Bytes JMP 3EE8A79A
.text C:\WINDOWS\system32\wdfmgr.exe[492] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 3EE87B6B
.text C:\WINDOWS\system32\wdfmgr.exe[492] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 3EE88CE2
.text C:\WINDOWS\system32\wdfmgr.exe[492] ntdll.dll!RtlQueryProcessDebugInformation + 2 7C9638ED 6 Bytes JMP 3EE8DE20
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!CreateFileA + 2 7C801A26 6 Bytes JMP 3EE8D16F
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 3EE89627
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!LoadLibraryExA + 2 7C801D51 6 Bytes JMP 3EE88D00
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!LoadLibraryA + 2 7C801D79 7 Bytes JMP 3EE88969
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!ReadProcessMemory + 2 7C8021CE 6 Bytes JMP 3EE8AE50
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!WriteProcessMemory + 2 7C802211 5 Bytes JMP 3EE8D357
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!CreateProcessW + 2 7C802334 5 Bytes JMP 3EE88471
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!CreateProcessA + 2 7C802369 5 Bytes JMP 3EE87E6A
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!FreeLibrary + 2 7C80ABE0 7 Bytes JMP 3EE89430
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!GetProcAddress + 2 7C80ADA2 5 Bytes JMP 3EE88CEB
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!LoadLibraryW + 2 7C80AE4D 5 Bytes JMP 3EE88AAE
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!GetFileAttributesW + 2 7C80B74E 6 Bytes JMP 3EE8F4A7
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!FreeLibraryAndExitThread + 2 7C80C172 6 Bytes JMP 3EE88C1E
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!FindFirstFileExW + 2 7C80EA7F 9 Bytes JMP 3EE8EF72
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!FindFirstFileW + 2 7C80EEE3 5 Bytes JMP 3EE8F148
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!FindNextFileW 7C80EF3A 7 Bytes JMP 3EE8E15E
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!CreateFileW + 2 7C810762 6 Bytes JMP 3EE8C788
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!GetFileAttributesExW + 2 7C8110F7 6 Bytes JMP 3EE8DDD7
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!GetFileAttributesA + 2 7C81153E 6 Bytes JMP 3EE8EB6D
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!SetFileAttributesA + 2 7C812784 6 Bytes JMP 3EE8D522
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!GetFileAttributesExA + 2 7C8137B3 6 Bytes JMP 3EE8F856
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!FindFirstFileA + 2 7C8137DB 9 Bytes JMP 3EE8F819
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!ExitProcess + 2 7C81CDDC 5 Bytes JMP 3EE881E8
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 3EE8BFD9
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!OpenFile 7C821982 5 Bytes JMP 3EE8BEDF
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!OpenProcess + 2 7C8309E3 6 Bytes JMP 3EE8B816
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!SetFileAttributesW + 2 7C8314D7 6 Bytes JMP 3EE8F879
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!DeleteFileA + 2 7C831EAD 6 Bytes JMP 3EE8D6CC
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!DeleteFileW + 2 7C831F33 6 Bytes JMP 3EE8EC8B
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!FindNextFileA + 2 7C834EB3 9 Bytes JMP 3EE89D1C
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!MoveFileExW + 2 7C83565D 6 Bytes JMP 3EE8DC00
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!MoveFileWithProgressA + 2 7C835EB0 6 Bytes JMP 3EE8B424
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!FindFirstFileExA + 2 7C85C514 9 Bytes JMP 3EE8EBA3
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!MoveFileExA + 2 7C85D4C5 6 Bytes JMP 3EE8DAAC
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!_lopen + 2 7C85E832 6 Bytes JMP 3EE8D03C
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!WinExec + 2 7C86136F 6 Bytes JMP 3EE8955F
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!Process32FirstW + 2 7C863D66 6 Bytes JMP 3EE8F958
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!Process32First + 2 7C863E1F 9 Bytes JMP 3EE8A114
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!Process32NextW + 2 7C863EF1 6 Bytes JMP 3EE8B40E
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!Process32Next + 2 7C863F92 9 Bytes JMP 3EE8E598
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!Thread32First + 2 7C864064 6 Bytes JMP 3EE8D8D7
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!Thread32Next + 2 7C864118 6 Bytes JMP 3EE8AF57
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!Module32FirstW + 2 7C8641B1 6 Bytes JMP 3EE8C17E
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!Module32First + 2 7C86426A 9 Bytes JMP 3EE8F2C5
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!Module32NextW + 2 7C86434E 6 Bytes JMP 3EE8DDAD
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!Module32Next + 2 7C8643EF 9 Bytes JMP 3EE8B2AB
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!GetBinaryTypeW 7C867BCC 5 Bytes JMP 3EE8EC64
.text C:\WINDOWS\system32\wdfmgr.exe[492] kernel32.dll!GetBinaryType + 2 7C86802D 6 Bytes JMP 3EE8BDA1
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegOpenKeyExW + 2 77F46A7A 6 Bytes JMP 3EE8C527
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegCloseKey + 2 77F46BF2 2 Bytes
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegCloseKey + 5 77F46BF5 3 Bytes
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegQueryValueExW + 2 77F46FCA 6 Bytes JMP 3EE8B3AE
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegCreateKeyExW + 2 77F47537 6 Bytes JMP 3EE8F37C
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegOpenKeyExA + 2 77F4761D 6 Bytes JMP 3EE8EB4B
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegQueryValueExA + 2 77F47885 6 Bytes JMP 3EE8BF44
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegEnumValueW + 2 77F48083 6 Bytes JMP 3EE8B931
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegSetValueExW 77F4D7CC 7 Bytes JMP 3EE8B6D6
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegQueryValueW + 2 77F4D8E4 6 Bytes JMP 3EE8CE31
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegCreateKeyExA + 2 77F4EAF6 6 Bytes JMP 3EE8F4CB
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegSetValueExA 77F4EBE7 7 Bytes JMP 3EE8C8CD
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegDeleteValueA + 2 77F4EDE7 6 Bytes JMP 3EE8F931
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegDeleteValueW + 2 77F4EEF3 6 Bytes JMP 3EE8AB59
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegSetValueA + 2 77F56F4B 5 Bytes JMP 3EE8B1B8
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!SetFileSecurityW + 2 77F5AA6B 6 Bytes JMP 3EE8B984
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegEnumValueA + 2 77F5CF4C 6 Bytes JMP 3EE8AE48
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!SetNamedSecurityInfoW + 2 77F61287 6 Bytes JMP 3EE8CD2A
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!CreateProcessAsUserW + 2 77F67777 6 Bytes JMP 3EE88F4B
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegDeleteKeyW + 2 77F69886 6 Bytes JMP 3EE8A048
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!GetFileSecurityW + 2 77F6BCE0 6 Bytes JMP 3EE8A450
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegDeleteKeyA + 2 77F6C125 6 Bytes JMP 3EE8B010
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegQueryInfoKeyA + 2 77F6C1B7 6 Bytes JMP 3EE8CE16
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegOpenKeyA + 2 77F6C41D 6 Bytes JMP 3EE8C2F7
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegQueryValueA + 2 77F6CC12 6 Bytes JMP 3EE8C914
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegQueryInfoKeyW + 2 77F6CCF1 6 Bytes JMP 3EE8A9EF
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!GetNamedSecurityInfoW + 2 77F6D07A 7 Bytes JMP 3EE8B510
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegCreateKeyA + 2 77F6D5BD 6 Bytes JMP 3EE8B600
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!SetFileSecurityA + 2 77F7D2FF 5 Bytes JMP 3EE8D7B0
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!GetFileSecurityA + 2 77F7D365 5 Bytes JMP 3EE8D1AA
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!CreateProcessAsUserA + 2 77F8095A 6 Bytes JMP 3EE87EDE
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!CreateProcessWithLogonW 77F85C9D 5 Bytes JMP 3EE883FD
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!GetNamedSecurityInfoA + 2 77F91546 7 Bytes JMP 3EE8B58C
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!SetNamedSecurityInfoA + 2 77F91592 7 Bytes JMP 3EE8F431
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegQueryMultipleValuesA + 2 77FA553D 6 Bytes JMP 3EE89DB9
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegQueryMultipleValuesW + 2 77FA589F 6 Bytes JMP 3EE8CFD7
.text C:\WINDOWS\system32\wdfmgr.exe[492] ADVAPI32.dll!RegSetValueW + 2 77FA5FC4 5 Bytes JMP 3EE8EB3D
.text C:\WINDOWS\system32\wdfmgr.exe[492] USER32.dll!ExitWindowsEx + 2 77D59E2F 6 Bytes JMP 3EE8848C
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 3EE8AD8B
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ntdll.dll!NtQueryInformationFile 7C91DFDC 5 Bytes JMP 3EE8FA70
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 3EE8D78F
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ntdll.dll!NtReadVirtualMemory 7C91E2BB 5 Bytes JMP 3EE8E76A
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ntdll.dll!NtVdmControl 7C91E975 5 Bytes JMP 3EE8ABBE
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ntdll.dll!NtWriteVirtualMemory 7C91EA32 5 Bytes JMP 3EE8A79A
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 3EE87B6B
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 3EE88CE2
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ntdll.dll!RtlQueryProcessDebugInformation + 2 7C9638ED 6 Bytes JMP 3EE8DE20
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!CreateFileA + 2 7C801A26 6 Bytes JMP 3EE8D16F
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 3EE89627
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!LoadLibraryExA + 2 7C801D51 6 Bytes JMP 3EE88D00
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!LoadLibraryA + 2 7C801D79 7 Bytes JMP 3EE88969
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!ReadProcessMemory + 2 7C8021CE 6 Bytes JMP 3EE8AE50
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!WriteProcessMemory + 2 7C802211 5 Bytes JMP 3EE8D357
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!CreateProcessW + 2 7C802334 5 Bytes JMP 3EE88471
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!CreateProcessA + 2 7C802369 5 Bytes JMP 3EE87E6A
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!FreeLibrary + 2 7C80ABE0 7 Bytes JMP 3EE89430
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!GetProcAddress + 2 7C80ADA2 5 Bytes JMP 3EE88CEB
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!LoadLibraryW + 2 7C80AE4D 5 Bytes JMP 3EE88AAE
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!GetFileAttributesW + 2 7C80B74E 6 Bytes JMP 3EE8F4A7
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!FreeLibraryAndExitThread + 2 7C80C172 6 Bytes JMP 3EE88C1E
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!FindFirstFileExW + 2 7C80EA7F 9 Bytes JMP 3EE8EF72
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!FindFirstFileW + 2 7C80EEE3 5 Bytes JMP 3EE8F148
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!FindNextFileW 7C80EF3A 7 Bytes JMP 3EE8E15E
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!CreateFileW + 2 7C810762 6 Bytes JMP 3EE8C788
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!GetFileAttributesExW + 2 7C8110F7 6 Bytes JMP 3EE8DDD7
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!GetFileAttributesA + 2 7C81153E 6 Bytes JMP 3EE8EB6D
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!SetFileAttributesA + 2 7C812784 6 Bytes JMP 3EE8D522
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!GetFileAttributesExA + 2 7C8137B3 6 Bytes JMP 3EE8F856
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!FindFirstFileA + 2 7C8137DB 9 Bytes JMP 3EE8F819
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!ExitProcess + 2 7C81CDDC 5 Bytes JMP 3EE881E8
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 3EE8BFD9
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!OpenFile 7C821982 5 Bytes JMP 3EE8BEDF
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!OpenProcess + 2 7C8309E3 6 Bytes JMP 3EE8B816
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!SetFileAttributesW + 2 7C8314D7 6 Bytes JMP 3EE8F879
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!DeleteFileA + 2 7C831EAD 6 Bytes JMP 3EE8D6CC
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!DeleteFileW + 2 7C831F33 6 Bytes JMP 3EE8EC8B
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!FindNextFileA + 2 7C834EB3 9 Bytes JMP 3EE89D1C
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!MoveFileExW + 2 7C83565D 6 Bytes JMP 3EE8DC00
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!MoveFileWithProgressA + 2 7C835EB0 6 Bytes JMP 3EE8B424
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!FindFirstFileExA + 2 7C85C514 9 Bytes JMP 3EE8EBA3
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!MoveFileExA + 2 7C85D4C5 6 Bytes JMP 3EE8DAAC
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!_lopen + 2 7C85E832 6 Bytes JMP 3EE8D03C
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!WinExec + 2 7C86136F 6 Bytes JMP 3EE8955F
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!Process32FirstW + 2 7C863D66 6 Bytes JMP 3EE8F958
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!Process32First + 2 7C863E1F 9 Bytes JMP 3EE8A114
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!Process32NextW + 2 7C863EF1 6 Bytes JMP 3EE8B40E
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!Process32Next + 2 7C863F92 9 Bytes JMP 3EE8E598
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!Thread32First + 2 7C864064 6 Bytes JMP 3EE8D8D7
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!Thread32Next + 2 7C864118 6 Bytes JMP 3EE8AF57
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!Module32FirstW + 2 7C8641B1 6 Bytes JMP 3EE8C17E
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!Module32First + 2 7C86426A 9 Bytes JMP 3EE8F2C5
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!Module32NextW + 2 7C86434E 6 Bytes JMP 3EE8DDAD
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!Module32Next + 2 7C8643EF 9 Bytes JMP 3EE8B2AB
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!GetBinaryTypeW 7C867BCC 5 Bytes JMP 3EE8EC64
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] kernel32.dll!GetBinaryType + 2 7C86802D 6 Bytes JMP 3EE8BDA1
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegOpenKeyExW + 2 77F46A7A 6 Bytes JMP 3EE8C527
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegCloseKey + 2 77F46BF2 2 Bytes
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegCloseKey + 5 77F46BF5 3 Bytes
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegQueryValueExW + 2 77F46FCA 6 Bytes JMP 3EE8B3AE
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegCreateKeyExW + 2 77F47537 6 Bytes JMP 3EE8F37C
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegOpenKeyExA + 2 77F4761D 6 Bytes JMP 3EE8EB4B
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegQueryValueExA + 2 77F47885 6 Bytes JMP 3EE8BF44
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegEnumValueW + 2 77F48083 6 Bytes JMP 3EE8B931
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegSetValueExW 77F4D7CC 7 Bytes JMP 3EE8B6D6
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegQueryValueW + 2 77F4D8E4 6 Bytes JMP 3EE8CE31
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegCreateKeyExA + 2 77F4EAF6 6 Bytes JMP 3EE8F4CB
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegSetValueExA 77F4EBE7 7 Bytes JMP 3EE8C8CD
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegDeleteValueA + 2 77F4EDE7 6 Bytes JMP 3EE8F931
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegDeleteValueW + 2 77F4EEF3 6 Bytes JMP 3EE8AB59
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegSetValueA + 2 77F56F4B 5 Bytes JMP 3EE8B1B8
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!SetFileSecurityW + 2 77F5AA6B 6 Bytes JMP 3EE8B984
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegEnumValueA + 2 77F5CF4C 6 Bytes JMP 3EE8AE48
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!SetNamedSecurityInfoW + 2 77F61287 6 Bytes JMP 3EE8CD2A
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!CreateProcessAsUserW + 2 77F67777 6 Bytes JMP 3EE88F4B
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegDeleteKeyW + 2 77F69886 6 Bytes JMP 3EE8A048
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!GetFileSecurityW + 2 77F6BCE0 6 Bytes JMP 3EE8A450
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegDeleteKeyA + 2 77F6C125 6 Bytes JMP 3EE8B010
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegQueryInfoKeyA + 2 77F6C1B7 6 Bytes JMP 3EE8CE16
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegOpenKeyA + 2 77F6C41D 6 Bytes JMP 3EE8C2F7
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegQueryValueA + 2 77F6CC12 6 Bytes JMP 3EE8C914
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegQueryInfoKeyW + 2 77F6CCF1 6 Bytes JMP 3EE8A9EF
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!GetNamedSecurityInfoW + 2 77F6D07A 7 Bytes JMP 3EE8B510
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegCreateKeyA + 2 77F6D5BD 6 Bytes JMP 3EE8B600
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!SetFileSecurityA + 2 77F7D2FF 5 Bytes JMP 3EE8D7B0
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!GetFileSecurityA + 2 77F7D365 5 Bytes JMP 3EE8D1AA
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!CreateProcessAsUserA + 2 77F8095A 6 Bytes JMP 3EE87EDE
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!CreateProcessWithLogonW 77F85C9D 5 Bytes JMP 3EE883FD
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!GetNamedSecurityInfoA + 2 77F91546 7 Bytes JMP 3EE8B58C
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!SetNamedSecurityInfoA + 2 77F91592 7 Bytes JMP 3EE8F431
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegQueryMultipleValuesA + 2 77FA553D 6 Bytes JMP 3EE89DB9
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegQueryMultipleValuesW + 2 77FA589F 6 Bytes JMP 3EE8CFD7
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] ADVAPI32.dll!RegSetValueW + 2 77FA5FC4 5 Bytes JMP 3EE8EB3D
.text G:\Temp\Rar$EX00.754\myuninst.exe[584] USER32.dll!ExitWindowsEx + 2 77D59E2F 6 Bytes JMP 3EE8848C
.text C:\WINDOWS\system32\winlogon.exe[612] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 3EE8AD8B
.text C:\WINDOWS\system32\winlogon.exe[612] ntdll.dll!NtQueryInformationFile 7C91DFDC 5 Bytes JMP 3EE8FA70
.text C:\WINDOWS\system32\winlogon.exe[612] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 3EE8D78F
.text C:\WINDOWS\system32\winlogon.exe[612] ntdll.dll!NtReadVirtualMemory 7C91E2BB 5 Bytes JMP 3EE8E76A
.text C:\WINDOWS\system32\winlogon.exe[612] ntdll.dll!NtVdmControl 7C91E975 5 Bytes JMP 3EE8ABBE
.text C:\WINDOWS\system32\winlogon.exe[612] ntdll.dll!NtWriteVirtualMemory 7C91EA32 5 Bytes JMP 3EE8A79A
.text C:\WINDOWS\system32\winlogon.exe[612] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 3EE87B6B
.text C:\WINDOWS\system32\winlogon.exe[612] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 3EE88CE2
.text C:\WINDOWS\system32\winlogon.exe[612] ntdll.dll!RtlQueryProcessDebugInformation + 2 7C9638ED 6 Bytes JMP 3EE8DE20
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!CreateFileA + 2 7C801A26 6 Bytes JMP 3EE8D16F
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 3EE89627
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!LoadLibraryExA + 2 7C801D51 6 Bytes JMP 3EE88D00
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!LoadLibraryA + 2 7C801D79 7 Bytes JMP 3EE88969
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!ReadProcessMemory + 2 7C8021CE 6 Bytes JMP 3EE8AE50
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!WriteProcessMemory + 2 7C802211 5 Bytes JMP 3EE8D357
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!CreateProcessW + 2 7C802334 5 Bytes JMP 3EE88471
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!CreateProcessA + 2 7C802369 5 Bytes JMP 3EE87E6A
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!FreeLibrary + 2 7C80ABE0 7 Bytes JMP 3EE89430
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!GetProcAddress + 2 7C80ADA2 5 Bytes JMP 3EE88CEB
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!LoadLibraryW + 2 7C80AE4D 5 Bytes JMP 3EE88AAE
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!GetFileAttributesW + 2 7C80B74E 6 Bytes JMP 3EE8F4A7
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!FreeLibraryAndExitThread + 2 7C80C172 6 Bytes JMP 3EE88C1E
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!FindFirstFileExW + 2 7C80EA7F 9 Bytes JMP 3EE8EF72
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!FindFirstFileW + 2 7C80EEE3 5 Bytes JMP 3EE8F148
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!FindNextFileW 7C80EF3A 7 Bytes JMP 3EE8E15E
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!CreateFileW + 2 7C810762 6 Bytes JMP 3EE8C788
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!GetFileAttributesExW + 2 7C8110F7 6 Bytes JMP 3EE8DDD7
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!GetFileAttributesA + 2 7C81153E 6 Bytes JMP 3EE8EB6D
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!SetFileAttributesA + 2 7C812784 6 Bytes JMP 3EE8D522
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!GetFileAttributesExA + 2 7C8137B3 6 Bytes JMP 3EE8F856
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!FindFirstFileA + 2 7C8137DB 9 Bytes JMP 3EE8F819
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!ExitProcess + 2 7C81CDDC 5 Bytes JMP 3EE881E8
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 3EE8BFD9
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!OpenFile 7C821982 5 Bytes JMP 3EE8BEDF
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!OpenProcess + 2 7C8309E3 6 Bytes JMP 3EE8B816
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!SetFileAttributesW + 2 7C8314D7 6 Bytes JMP 3EE8F879
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!DeleteFileA + 2 7C831EAD 6 Bytes JMP 3EE8D6CC
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!DeleteFileW + 2 7C831F33 6 Bytes JMP 3EE8EC8B
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!FindNextFileA + 2 7C834EB3 9 Bytes JMP 3EE89D1C
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!MoveFileExW + 2 7C83565D 6 Bytes JMP 3EE8DC00
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!MoveFileWithProgressA + 2 7C835EB0 6 Bytes JMP 3EE8B424
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!FindFirstFileExA + 2 7C85C514 9 Bytes JMP 3EE8EBA3
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!MoveFileExA + 2 7C85D4C5 6 Bytes JMP 3EE8DAAC
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!_lopen + 2 7C85E832 6 Bytes JMP 3EE8D03C
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!WinExec + 2 7C86136F 6 Bytes JMP 3EE8955F
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!Process32FirstW + 2 7C863D66 6 Bytes JMP 3EE8F958
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!Process32First + 2 7C863E1F 9 Bytes JMP 3EE8A114
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!Process32NextW + 2 7C863EF1 6 Bytes JMP 3EE8B40E
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!Process32Next + 2 7C863F92 9 Bytes JMP 3EE8E598
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!Thread32First + 2 7C864064 6 Bytes JMP 3EE8D8D7
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!Thread32Next + 2 7C864118 6 Bytes JMP 3EE8AF57
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!Module32FirstW + 2 7C8641B1 6 Bytes JMP 3EE8C17E
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!Module32First + 2 7C86426A 9 Bytes JMP 3EE8F2C5
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!Module32NextW + 2 7C86434E 6 Bytes JMP 3EE8DDAD
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!Module32Next + 2 7C8643EF 9 Bytes JMP 3EE8B2AB
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!GetBinaryTypeW 7C867BCC 5 Bytes JMP 3EE8EC64
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!GetBinaryType + 2 7C86802D 6 Bytes JMP 3EE8BDA1
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegOpenKeyExW + 2 77F46A7A 6 Bytes JMP 3EE8C527
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegCloseKey + 2 77F46BF2 2 Bytes
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegCloseKey + 5 77F46BF5 3 Bytes
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegQueryValueExW + 2 77F46FCA 6 Bytes JMP 3EE8B3AE
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegCreateKeyExW + 2 77F47537 6 Bytes JMP 3EE8F37C
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegOpenKeyExA + 2 77F4761D 6 Bytes JMP 3EE8EB4B
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegQueryValueExA + 2 77F47885 6 Bytes JMP 3EE8BF44
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegEnumValueW + 2 77F48083 6 Bytes JMP 3EE8B931
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegSetValueExW 77F4D7CC 7 Bytes JMP 3EE8B6D6
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegQueryValueW + 2 77F4D8E4 6 Bytes JMP 3EE8CE31
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegCreateKeyExA + 2 77F4EAF6 6 Bytes JMP 3EE8F4CB
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegSetValueExA 77F4EBE7 7 Bytes JMP 3EE8C8CD
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegDeleteValueA + 2 77F4EDE7 6 Bytes JMP 3EE8F931
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegDeleteValueW + 2 77F4EEF3 6 Bytes JMP 3EE8AB59
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegSetValueA + 2 77F56F4B 5 Bytes JMP 3EE8B1B8
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!SetFileSecurityW + 2 77F5AA6B 6 Bytes JMP 3EE8B984
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegEnumValueA + 2 77F5CF4C 6 Bytes JMP 3EE8AE48
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!SetNamedSecurityInfoW + 2 77F61287 6 Bytes JMP 3EE8CD2A
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!CreateProcessAsUserW + 2 77F67777 6 Bytes JMP 3EE88F4B
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegDeleteKeyW + 2 77F69886 6 Bytes JMP 3EE8A048
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!GetFileSecurityW + 2 77F6BCE0 6 Bytes JMP 3EE8A450
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegDeleteKeyA + 2 77F6C125 6 Bytes JMP 3EE8B010
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegQueryInfoKeyA + 2 77F6C1B7 6 Bytes JMP 3EE8CE16
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegOpenKeyA + 2 77F6C41D 6 Bytes JMP 3EE8C2F7
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegQueryValueA + 2 77F6CC12 6 Bytes JMP 3EE8C914
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegQueryInfoKeyW + 2 77F6CCF1 6 Bytes JMP 3EE8A9EF
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!GetNamedSecurityInfoW + 2 77F6D07A 7 Bytes JMP 3EE8B510
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegCreateKeyA + 2 77F6D5BD 6 Bytes JMP 3EE8B600
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!SetFileSecurityA + 2 77F7D2FF 5 Bytes JMP 3EE8D7B0
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!GetFileSecurityA + 2 77F7D365 5 Bytes JMP 3EE8D1AA
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!CreateProcessAsUserA + 2 77F8095A 6 Bytes JMP 3EE87EDE
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!CreateProcessWithLogonW 77F85C9D 5 Bytes JMP 3EE883FD
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!GetNamedSecurityInfoA + 2 77F91546 7 Bytes JMP 3EE8B58C
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!SetNamedSecurityInfoA + 2 77F91592 7 Bytes JMP 3EE8F431
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegQueryMultipleValuesA + 2 77FA553D 6 Bytes JMP 3EE89DB9
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegQueryMultipleValuesW + 2 77FA589F 6 Bytes JMP 3EE8CFD7
.text C:\WINDOWS\system32\winlogon.exe[612] ADVAPI32.dll!RegSetValueW + 2 77FA5FC4 5 Bytes JMP 3EE8EB3D
.text C:\WINDOWS\system32\winlogon.exe[612] USER32.dll!ExitWindowsEx + 2 77D59E2F 6 Bytes JMP 3EE8848C
.text C:\WINDOWS\system32\winlogon.exe[612] PSAPI.DLL!EnumProcessModules 76BB1F1C 5 Bytes JMP 3EE8E944
.text C:\WINDOWS\system32\winlogon.exe[612] WS2_32.dll!connect + 2 71A3406C 6 Bytes JMP 3EE8999A
.text C:\WINDOWS\system32\winlogon.exe[612] WS2_32.dll!gethostbyname + 2 71A34FD6 9 Bytes JMP 3EE89966
.text C:\WINDOWS\system32\winlogon.exe[612] WS2_32.dll!WSAAsyncGetHostByName + 2 71A3E987 13 Bytes
.text C:\WINDOWS\system32\winlogon.exe[612] WS2_32.dll!WSAConnect + 2 71A40C6B 14 Bytes
.text C:\WINDOWS\system32\services.exe[664] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 3EE8AD8B
.text C:\WINDOWS\system32\services.exe[664] ntdll.dll!NtQueryInformationFile 7C91DFDC 5 Bytes JMP 3EE8FA70
.text C:\WINDOWS\system32\services.exe[664] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 3EE8D78F
.text C:\WINDOWS\system32\services.exe[664] ntdll.dll!NtReadVirtualMemory 7C91E2BB 5 Bytes JMP 3EE8E76A
.text C:\WINDOWS\system32\services.exe[664] ntdll.dll!NtVdmControl 7C91E975 5 Bytes JMP 3EE8ABBE
.text C:\WINDOWS\system32\services.exe[664] ntdll.dll!NtWriteVirtualMemory 7C91EA32 5 Bytes JMP 3EE8A79A
.text C:\WINDOWS\system32\services.exe[664] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 3EE87B6B
.text C:\WINDOWS\system32\services.exe[664] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 3EE88CE2
.text C:\WINDOWS\system32\services.exe[664] ntdll.dll!RtlQueryProcessDebugInformation + 2 7C9638ED 6 Bytes JMP 3EE8DE20
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!CreateFileA + 2 7C801A26 6 Bytes JMP 3EE8D16F
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 3EE89627
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!LoadLibraryExA + 2 7C801D51 6 Bytes JMP 3EE88D00
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!LoadLibraryA + 2 7C801D79 7 Bytes JMP 3EE88969
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!ReadProcessMemory + 2 7C8021CE 6 Bytes JMP 3EE8AE50
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!WriteProcessMemory + 2 7C802211 5 Bytes JMP 3EE8D357
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!CreateProcessW + 2 7C802334 5 Bytes JMP 3EE88471
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!CreateProcessA + 2 7C802369 5 Bytes JMP 3EE87E6A
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!FreeLibrary + 2 7C80ABE0 7 Bytes JMP 3EE89430
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!GetProcAddress + 2 7C80ADA2 5 Bytes JMP 3EE88CEB
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!LoadLibraryW + 2 7C80AE4D 5 Bytes JMP 3EE88AAE
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!GetFileAttributesW + 2 7C80B74E 6 Bytes JMP 3EE8F4A7
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!FreeLibraryAndExitThread + 2 7C80C172 6 Bytes JMP 3EE88C1E
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!FindFirstFileExW + 2 7C80EA7F 9 Bytes JMP 3EE8EF72
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!FindFirstFileW + 2 7C80EEE3 5 Bytes JMP 3EE8F148
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!FindNextFileW 7C80EF3A 7 Bytes JMP 3EE8E15E
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!CreateFileW + 2 7C810762 6 Bytes JMP 3EE8C788
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!GetFileAttributesExW + 2 7C8110F7 6 Bytes JMP 3EE8DDD7
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!GetFileAttributesA + 2 7C81153E 6 Bytes JMP 3EE8EB6D
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!SetFileAttributesA + 2 7C812784 6 Bytes JMP 3EE8D522
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!GetFileAttributesExA + 2 7C8137B3 6 Bytes JMP 3EE8F856
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!FindFirstFileA + 2 7C8137DB 9 Bytes JMP 3EE8F819
.text C:\WINDOWS\system32\services.exe[664] kernel32.dll!ExitProcess + 2 7C81CDDC 5 Bytes JMP 3EE881E8
.text C:\WINDOWS\system32\services.exe[664] ker

[Paolouser]

è grave dottore?