GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2011-09-11 23:24:04 Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 Hitachi_HDP725050GLA360 rev.GM4OA52A Running: ymisiqls.exe; Driver: C:\Users\BORYSA~1\AppData\Local\Temp\kxldapow.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8ED919CA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8ED93EAC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8ED93F04] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8ED9401A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8ED93E02] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8ED93F54] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8ED93E56] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8ED93FC8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8ED919EE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8ED917B8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8ED91A12] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8ED94412] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8ED924AA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8ED93EDC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8ED93F2C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8ED94044] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8ED93E2E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8ED93F94] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8ED93E84] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8ED93FF2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8ED92370] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8ED91A36] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8ED91A5A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8ED91812] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8ED9194E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8ED9192A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8ED91972] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8ED91A7E] INT 0x51 ? 86C9CF00 INT 0x62 ? 86C9CF00 INT 0x72 ? 86C9CF00 INT 0x82 ? 8691DBF8 INT 0x92 ? 8691DBF8 INT 0xA2 ? 8691DBF8 INT 0xA2 ? 8691DBF8 INT 0xA2 ? 86C9CF00 INT 0xA2 ? 8691DBF8 Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8F5C28DE] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!KeSetEvent + 10D 838E1890 4 Bytes [CA, 19, D9, 8E] .text ntkrnlpa.exe!KeSetEvent + 1D1 838E1954 8 Bytes [AC, 3E, D9, 8E, 04, 3F, D9, ...] .text ntkrnlpa.exe!KeSetEvent + 1DD 838E1960 4 Bytes [1A, 40, D9, 8E] .text ntkrnlpa.exe!KeSetEvent + 1F5 838E1978 4 Bytes [02, 3E, D9, 8E] .text ntkrnlpa.exe!KeSetEvent + 215 838E1998 8 Bytes [54, 3F, D9, 8E, 56, 3E, D9, ...] .text ... PAGE ntkrnlpa.exe!ObMakeTemporaryObject 83A0C62F 5 Bytes JMP 8F5BE29E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObInsertObject 83A65543 5 Bytes JMP 8F5BFD38 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 83A6EE68 4 Bytes CALL 8ED92E3B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 83A72ADC 4 Bytes CALL 8ED92E51 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 83AC6DCA 7 Bytes JMP 8F5C28E2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ? System32\Drivers\spql.sys System nie może odnaleźć określonej ścieżki. ! .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8E00B340, 0x3D9767, 0xE8000020] .text USBPORT.SYS!DllUnload 89BD541B 5 Bytes JMP 86C9C4E0 ---- User code sections - GMER 1.0.15 ---- .text C:\Windows\System32\spoolsv.exe[476] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\System32\spoolsv.exe[476] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\System32\spoolsv.exe[476] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\System32\spoolsv.exe[476] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\System32\spoolsv.exe[476] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\System32\spoolsv.exe[476] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\System32\spoolsv.exe[476] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\System32\spoolsv.exe[476] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\System32\spoolsv.exe[476] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\System32\spoolsv.exe[476] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\System32\spoolsv.exe[476] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000E00A8 .text C:\Windows\System32\spoolsv.exe[476] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000E00E4 .text C:\Windows\System32\spoolsv.exe[476] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 000E0120 .text C:\Windows\System32\spoolsv.exe[476] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 000E0030 .text C:\Windows\System32\spoolsv.exe[476] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 000E006C .text C:\Windows\system32\svchost.exe[524] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\system32\svchost.exe[524] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\system32\svchost.exe[524] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\system32\svchost.exe[524] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\system32\svchost.exe[524] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\system32\svchost.exe[524] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\system32\svchost.exe[524] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\system32\svchost.exe[524] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\system32\svchost.exe[524] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\system32\svchost.exe[524] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\system32\svchost.exe[524] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001200A8 .text C:\Windows\system32\svchost.exe[524] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001200E4 .text C:\Windows\system32\svchost.exe[524] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00120120 .text C:\Windows\system32\svchost.exe[524] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00120030 .text C:\Windows\system32\svchost.exe[524] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0012006C .text C:\Windows\system32\wininit.exe[564] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00030030 .text C:\Windows\system32\wininit.exe[564] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0003006C .text C:\Windows\system32\wininit.exe[564] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0006006C .text C:\Windows\system32\wininit.exe[564] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000600A8 .text C:\Windows\system32\wininit.exe[564] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000601D4 .text C:\Windows\system32\wininit.exe[564] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000600E4 .text C:\Windows\system32\wininit.exe[564] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00060120 .text C:\Windows\system32\wininit.exe[564] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0006015C .text C:\Windows\system32\wininit.exe[564] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00060198 .text C:\Windows\system32\wininit.exe[564] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00060030 .text C:\Windows\system32\wininit.exe[564] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000700A8 .text C:\Windows\system32\wininit.exe[564] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000700E4 .text C:\Windows\system32\wininit.exe[564] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00070120 .text C:\Windows\system32\wininit.exe[564] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00070030 .text C:\Windows\system32\wininit.exe[564] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0007006C .text C:\Windows\system32\services.exe[608] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\system32\services.exe[608] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\system32\services.exe[608] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\system32\services.exe[608] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\system32\services.exe[608] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\system32\services.exe[608] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\system32\services.exe[608] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\system32\services.exe[608] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\system32\services.exe[608] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\system32\services.exe[608] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\system32\services.exe[608] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000800A8 .text C:\Windows\system32\services.exe[608] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000800E4 .text C:\Windows\system32\services.exe[608] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00080120 .text C:\Windows\system32\services.exe[608] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00080030 .text C:\Windows\system32\services.exe[608] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0008006C .text C:\Windows\system32\lsass.exe[620] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\system32\lsass.exe[620] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\system32\lsass.exe[620] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\system32\lsass.exe[620] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\system32\lsass.exe[620] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\system32\lsass.exe[620] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\system32\lsass.exe[620] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\system32\lsass.exe[620] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\system32\lsass.exe[620] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\system32\lsass.exe[620] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\system32\lsass.exe[620] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000800A8 .text C:\Windows\system32\lsass.exe[620] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000800E4 .text C:\Windows\system32\lsass.exe[620] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00080120 .text C:\Windows\system32\lsass.exe[620] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00080030 .text C:\Windows\system32\lsass.exe[620] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0008006C .text C:\Windows\system32\lsm.exe[632] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\system32\lsm.exe[632] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\system32\lsm.exe[632] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\system32\lsm.exe[632] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\system32\lsm.exe[632] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\system32\lsm.exe[632] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\system32\lsm.exe[632] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\system32\lsm.exe[632] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\system32\lsm.exe[632] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\system32\lsm.exe[632] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\system32\svchost.exe[792] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\system32\svchost.exe[792] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\system32\svchost.exe[792] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\system32\svchost.exe[792] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\system32\svchost.exe[792] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\system32\svchost.exe[792] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\system32\svchost.exe[792] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\system32\svchost.exe[792] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\system32\svchost.exe[792] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\system32\svchost.exe[792] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\system32\svchost.exe[792] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 00D000A8 .text C:\Windows\system32\svchost.exe[792] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 00D000E4 .text C:\Windows\system32\svchost.exe[792] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00D00120 .text C:\Windows\system32\svchost.exe[792] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00D00030 .text C:\Windows\system32\svchost.exe[792] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 00D0006C .text C:\Windows\system32\winlogon.exe[824] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00030030 .text C:\Windows\system32\winlogon.exe[824] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0003006C .text C:\Windows\system32\winlogon.exe[824] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0005006C .text C:\Windows\system32\winlogon.exe[824] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000500A8 .text C:\Windows\system32\winlogon.exe[824] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000501D4 .text C:\Windows\system32\winlogon.exe[824] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000500E4 .text C:\Windows\system32\winlogon.exe[824] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00050120 .text C:\Windows\system32\winlogon.exe[824] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0005015C .text C:\Windows\system32\winlogon.exe[824] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00050198 .text C:\Windows\system32\winlogon.exe[824] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00050030 .text C:\Windows\system32\winlogon.exe[824] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000600A8 .text C:\Windows\system32\winlogon.exe[824] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000600E4 .text C:\Windows\system32\winlogon.exe[824] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00060120 .text C:\Windows\system32\winlogon.exe[824] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00060030 .text C:\Windows\system32\winlogon.exe[824] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0006006C .text C:\Windows\system32\nvvsvc.exe[880] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00140030 .text C:\Windows\system32\nvvsvc.exe[880] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0014006C .text C:\Windows\system32\nvvsvc.exe[880] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001600A8 .text C:\Windows\system32\nvvsvc.exe[880] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001600E4 .text C:\Windows\system32\nvvsvc.exe[880] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00160120 .text C:\Windows\system32\nvvsvc.exe[880] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00160030 .text C:\Windows\system32\nvvsvc.exe[880] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0016006C .text C:\Windows\system32\nvvsvc.exe[880] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0017006C .text C:\Windows\system32\nvvsvc.exe[880] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 001700A8 .text C:\Windows\system32\nvvsvc.exe[880] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 001701D4 .text C:\Windows\system32\nvvsvc.exe[880] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 001700E4 .text C:\Windows\system32\nvvsvc.exe[880] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00170120 .text C:\Windows\system32\nvvsvc.exe[880] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0017015C .text C:\Windows\system32\nvvsvc.exe[880] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00170198 .text C:\Windows\system32\nvvsvc.exe[880] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00170030 .text C:\Windows\system32\svchost.exe[908] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\system32\svchost.exe[908] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\system32\svchost.exe[908] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001700A8 .text C:\Windows\system32\svchost.exe[908] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001700E4 .text C:\Windows\system32\svchost.exe[908] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00170120 .text C:\Windows\system32\svchost.exe[908] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00170030 .text C:\Windows\system32\svchost.exe[908] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0017006C .text C:\Windows\System32\svchost.exe[972] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\System32\svchost.exe[972] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000F00A8 .text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000F00E4 .text C:\Windows\System32\svchost.exe[972] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 000F0120 .text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 000F0030 .text C:\Windows\System32\svchost.exe[972] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 000F006C .text C:\Windows\System32\svchost.exe[1008] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\System32\svchost.exe[1008] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\System32\svchost.exe[1008] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\System32\svchost.exe[1008] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\System32\svchost.exe[1008] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\System32\svchost.exe[1008] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\System32\svchost.exe[1008] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\System32\svchost.exe[1008] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\System32\svchost.exe[1008] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\System32\svchost.exe[1008] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\System32\svchost.exe[1008] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000E00A8 .text C:\Windows\System32\svchost.exe[1008] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000E00E4 .text C:\Windows\System32\svchost.exe[1008] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 000E0120 .text C:\Windows\System32\svchost.exe[1008] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 000E0030 .text C:\Windows\System32\svchost.exe[1008] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 000E006C .text C:\Windows\System32\svchost.exe[1044] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\System32\svchost.exe[1044] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\System32\svchost.exe[1044] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\System32\svchost.exe[1044] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 00CC00A8 .text C:\Windows\System32\svchost.exe[1044] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 00CC00E4 .text C:\Windows\System32\svchost.exe[1044] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00CC0120 .text C:\Windows\System32\svchost.exe[1044] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00CC0030 .text C:\Windows\System32\svchost.exe[1044] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 00CC006C .text C:\Windows\system32\svchost.exe[1056] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\system32\svchost.exe[1056] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\system32\svchost.exe[1056] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\system32\svchost.exe[1056] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\system32\svchost.exe[1056] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\system32\svchost.exe[1056] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\system32\svchost.exe[1056] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\system32\svchost.exe[1056] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\system32\svchost.exe[1056] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\system32\svchost.exe[1056] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\system32\svchost.exe[1056] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000D00A8 .text C:\Windows\system32\svchost.exe[1056] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000D00E4 .text C:\Windows\system32\svchost.exe[1056] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 000D0120 .text C:\Windows\system32\svchost.exe[1056] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 000D0030 .text C:\Windows\system32\svchost.exe[1056] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 000D006C .text C:\Windows\system32\svchost.exe[1228] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\system32\svchost.exe[1228] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\system32\svchost.exe[1228] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0008006C .text C:\Windows\system32\svchost.exe[1228] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000800A8 .text C:\Windows\system32\svchost.exe[1228] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000801D4 .text C:\Windows\system32\svchost.exe[1228] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000800E4 .text C:\Windows\system32\svchost.exe[1228] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00080120 .text C:\Windows\system32\svchost.exe[1228] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0008015C .text C:\Windows\system32\svchost.exe[1228] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00080198 .text C:\Windows\system32\svchost.exe[1228] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00080030 .text C:\Windows\system32\svchost.exe[1228] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 00D200A8 .text C:\Windows\system32\svchost.exe[1228] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 00D200E4 .text C:\Windows\system32\svchost.exe[1228] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00D20120 .text C:\Windows\system32\svchost.exe[1228] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00D20030 .text C:\Windows\system32\svchost.exe[1228] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 00D2006C .text C:\Program Files\Thomson\ST330\service\st330service.exe[1336] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00150030 .text C:\Program Files\Thomson\ST330\service\st330service.exe[1336] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0015006C .text C:\Program Files\Thomson\ST330\service\st330service.exe[1336] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001900A8 .text C:\Program Files\Thomson\ST330\service\st330service.exe[1336] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001900E4 .text C:\Program Files\Thomson\ST330\service\st330service.exe[1336] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00190120 .text C:\Program Files\Thomson\ST330\service\st330service.exe[1336] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00190030 .text C:\Program Files\Thomson\ST330\service\st330service.exe[1336] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0019006C .text C:\Program Files\Thomson\ST330\service\st330service.exe[1336] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 001A006C .text C:\Program Files\Thomson\ST330\service\st330service.exe[1336] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 001A00A8 .text C:\Program Files\Thomson\ST330\service\st330service.exe[1336] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 001A01D4 .text C:\Program Files\Thomson\ST330\service\st330service.exe[1336] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 001A00E4 .text C:\Program Files\Thomson\ST330\service\st330service.exe[1336] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 001A0120 .text C:\Program Files\Thomson\ST330\service\st330service.exe[1336] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 001A015C .text C:\Program Files\Thomson\ST330\service\st330service.exe[1336] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 001A0198 .text C:\Program Files\Thomson\ST330\service\st330service.exe[1336] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 001A0030 .text C:\Windows\system32\svchost.exe[1376] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\system32\svchost.exe[1376] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\system32\svchost.exe[1376] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0017006C .text C:\Windows\system32\svchost.exe[1376] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 001700A8 .text C:\Windows\system32\svchost.exe[1376] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 001701D4 .text C:\Windows\system32\svchost.exe[1376] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 001700E4 .text C:\Windows\system32\svchost.exe[1376] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00170120 .text C:\Windows\system32\svchost.exe[1376] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0017015C .text C:\Windows\system32\svchost.exe[1376] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00170198 .text C:\Windows\system32\svchost.exe[1376] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00170030 .text C:\Windows\system32\rundll32.exe[1456] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00060030 .text C:\Windows\system32\rundll32.exe[1456] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0006006C .text C:\Windows\system32\rundll32.exe[1456] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001700A8 .text C:\Windows\system32\rundll32.exe[1456] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001700E4 .text C:\Windows\system32\rundll32.exe[1456] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00170120 .text C:\Windows\system32\rundll32.exe[1456] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00170030 .text C:\Windows\system32\rundll32.exe[1456] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0017006C .text C:\Windows\system32\rundll32.exe[1456] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0018006C .text C:\Windows\system32\rundll32.exe[1456] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 001800A8 .text C:\Windows\system32\rundll32.exe[1456] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 001801D4 .text C:\Windows\system32\rundll32.exe[1456] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 001800E4 .text C:\Windows\system32\rundll32.exe[1456] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00180120 .text C:\Windows\system32\rundll32.exe[1456] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0018015C .text C:\Windows\system32\rundll32.exe[1456] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00180198 .text C:\Windows\system32\rundll32.exe[1456] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00180030 .text C:\Windows\system32\svchost.exe[1464] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\system32\svchost.exe[1464] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\system32\svchost.exe[1464] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0017006C .text C:\Windows\system32\svchost.exe[1464] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 001700A8 .text C:\Windows\system32\svchost.exe[1464] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 001701D4 .text C:\Windows\system32\svchost.exe[1464] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 001700E4 .text C:\Windows\system32\svchost.exe[1464] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00170120 .text C:\Windows\system32\svchost.exe[1464] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0017015C .text C:\Windows\system32\svchost.exe[1464] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00170198 .text C:\Windows\system32\svchost.exe[1464] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00170030 .text C:\Windows\system32\svchost.exe[1464] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001B00A8 .text C:\Windows\system32\svchost.exe[1464] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001B00E4 .text C:\Windows\system32\svchost.exe[1464] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 001B0120 .text C:\Windows\system32\svchost.exe[1464] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 001B0030 .text C:\Windows\system32\svchost.exe[1464] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 001B006C .text C:\Windows\SYSTEM32\WISPTIS.EXE[1488] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1488] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\SYSTEM32\WISPTIS.EXE[1488] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\SYSTEM32\WISPTIS.EXE[1488] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1488] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1488] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1488] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1488] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\SYSTEM32\WISPTIS.EXE[1488] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1488] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1488] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000800A8 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1488] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000800E4 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1488] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00080120 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1488] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00080030 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1488] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0008006C .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1500] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1500] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1500] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0008006C .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1500] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000800A8 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1500] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000801D4 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1500] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000800E4 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1500] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00080120 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1500] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0008015C .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1500] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00080198 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1500] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00080030 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1500] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000900A8 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1500] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000900E4 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1500] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00090120 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1500] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00090030 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1500] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0009006C .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1764] kernel32.dll!SetUnhandledExceptionFilter 7693A8C5 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1820] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00150030 .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1820] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0015006C .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1820] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0017006C .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1820] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 001700A8 .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1820] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 001701D4 .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1820] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 001700E4 .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1820] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00170120 .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1820] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0017015C .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1820] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00170198 .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1820] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00170030 .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1820] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001800A8 .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1820] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001800E4 .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1820] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00180120 .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1820] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00180030 .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1820] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0018006C .text C:\Windows\system32\Dwm.exe[2152] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\system32\Dwm.exe[2152] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\system32\Dwm.exe[2152] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\system32\Dwm.exe[2152] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\system32\Dwm.exe[2152] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\system32\Dwm.exe[2152] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\system32\Dwm.exe[2152] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\system32\Dwm.exe[2152] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\system32\Dwm.exe[2152] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\system32\Dwm.exe[2152] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\system32\Dwm.exe[2152] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000800A8 .text C:\Windows\system32\Dwm.exe[2152] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000800E4 .text C:\Windows\system32\Dwm.exe[2152] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00080120 .text C:\Windows\system32\Dwm.exe[2152] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00080030 .text C:\Windows\system32\Dwm.exe[2152] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0008006C .text C:\Windows\system32\taskeng.exe[2188] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\system32\taskeng.exe[2188] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\system32\taskeng.exe[2188] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\system32\taskeng.exe[2188] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\system32\taskeng.exe[2188] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\system32\taskeng.exe[2188] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\system32\taskeng.exe[2188] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\system32\taskeng.exe[2188] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\system32\taskeng.exe[2188] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\system32\taskeng.exe[2188] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\system32\taskeng.exe[2188] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000800A8 .text C:\Windows\system32\taskeng.exe[2188] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000800E4 .text C:\Windows\system32\taskeng.exe[2188] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00080120 .text C:\Windows\system32\taskeng.exe[2188] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00080030 .text C:\Windows\system32\taskeng.exe[2188] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0008006C .text C:\Windows\SYSTEM32\WISPTIS.EXE[2196] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2196] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\SYSTEM32\WISPTIS.EXE[2196] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0008006C .text C:\Windows\SYSTEM32\WISPTIS.EXE[2196] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000800A8 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2196] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000801D4 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2196] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000800E4 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2196] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00080120 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2196] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0008015C .text C:\Windows\SYSTEM32\WISPTIS.EXE[2196] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00080198 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2196] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00080030 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2196] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000D00A8 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2196] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000D00E4 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2196] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 000D0120 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2196] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 000D0030 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2196] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 000D006C .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[2204] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[2204] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[2204] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[2204] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[2204] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[2204] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[2204] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[2204] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[2204] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[2204] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[2204] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000800A8 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[2204] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000800E4 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[2204] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00080120 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[2204] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00080030 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[2204] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0008006C .text C:\Windows\Explorer.EXE[2252] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\Explorer.EXE[2252] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\Explorer.EXE[2252] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\Explorer.EXE[2252] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\Explorer.EXE[2252] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\Explorer.EXE[2252] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\Explorer.EXE[2252] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\Explorer.EXE[2252] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\Explorer.EXE[2252] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\Explorer.EXE[2252] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\Explorer.EXE[2252] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000800A8 .text C:\Windows\Explorer.EXE[2252] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000800E4 .text C:\Windows\Explorer.EXE[2252] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00080120 .text C:\Windows\Explorer.EXE[2252] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00080030 .text C:\Windows\Explorer.EXE[2252] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0008006C .text C:\Windows\system32\taskeng.exe[2328] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\system32\taskeng.exe[2328] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\system32\taskeng.exe[2328] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\system32\taskeng.exe[2328] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\system32\taskeng.exe[2328] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\system32\taskeng.exe[2328] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\system32\taskeng.exe[2328] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\system32\taskeng.exe[2328] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\system32\taskeng.exe[2328] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\system32\taskeng.exe[2328] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\system32\taskeng.exe[2328] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000800A8 .text C:\Windows\system32\taskeng.exe[2328] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000800E4 .text C:\Windows\system32\taskeng.exe[2328] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00080120 .text C:\Windows\system32\taskeng.exe[2328] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00080030 .text C:\Windows\system32\taskeng.exe[2328] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0008006C .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[2608] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[2608] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[2608] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[2608] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[2608] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[2608] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[2608] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[2608] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[2608] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[2608] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[2608] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000800A8 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[2608] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000800E4 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[2608] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00080120 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[2608] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00080030 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[2608] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0008006C .text C:\Windows\System32\mobsync.exe[2664] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\System32\mobsync.exe[2664] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\System32\mobsync.exe[2664] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\System32\mobsync.exe[2664] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\System32\mobsync.exe[2664] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\System32\mobsync.exe[2664] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\System32\mobsync.exe[2664] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\System32\mobsync.exe[2664] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\System32\mobsync.exe[2664] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\System32\mobsync.exe[2664] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\System32\mobsync.exe[2664] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000800A8 .text C:\Windows\System32\mobsync.exe[2664] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000800E4 .text C:\Windows\System32\mobsync.exe[2664] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00080120 .text C:\Windows\System32\mobsync.exe[2664] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00080030 .text C:\Windows\System32\mobsync.exe[2664] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0008006C .text C:\Windows\System32\svchost.exe[2704] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\System32\svchost.exe[2704] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\System32\svchost.exe[2704] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\System32\svchost.exe[2704] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\System32\svchost.exe[2704] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\System32\svchost.exe[2704] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\System32\svchost.exe[2704] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\System32\svchost.exe[2704] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\System32\svchost.exe[2704] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\System32\svchost.exe[2704] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\System32\svchost.exe[2704] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001D00A8 .text C:\Windows\System32\svchost.exe[2704] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001D00E4 .text C:\Windows\System32\svchost.exe[2704] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 001D0120 .text C:\Windows\System32\svchost.exe[2704] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 001D0030 .text C:\Windows\System32\svchost.exe[2704] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 001D006C .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2732] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00160030 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2732] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0016006C .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2732] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0017006C .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2732] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 001700A8 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2732] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 001701D4 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2732] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 001700E4 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2732] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00170120 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2732] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0017015C .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2732] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00170198 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2732] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00170030 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2732] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001800A8 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2732] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001800E4 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2732] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00180120 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2732] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00180030 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2732] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0018006C .text C:\Windows\system32\svchost.exe[2860] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00090030 .text C:\Windows\system32\svchost.exe[2860] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0009006C .text C:\Windows\system32\svchost.exe[2860] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 000B006C .text C:\Windows\system32\svchost.exe[2860] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000B00A8 .text C:\Windows\system32\svchost.exe[2860] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000B01D4 .text C:\Windows\system32\svchost.exe[2860] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000B00E4 .text C:\Windows\system32\svchost.exe[2860] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 000B0120 .text C:\Windows\system32\svchost.exe[2860] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 000B015C .text C:\Windows\system32\svchost.exe[2860] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 000B0198 .text C:\Windows\system32\svchost.exe[2860] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 000B0030 .text C:\Windows\system32\svchost.exe[2860] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 00E600A8 .text C:\Windows\system32\svchost.exe[2860] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 00E600E4 .text C:\Windows\system32\svchost.exe[2860] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00E60120 .text C:\Windows\system32\svchost.exe[2860] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00E60030 .text C:\Windows\system32\svchost.exe[2860] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 00E6006C .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2896] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00150030 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2896] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0015006C .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2896] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001700A8 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2896] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001700E4 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2896] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00170120 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2896] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00170030 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2896] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0017006C .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2896] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0018006C .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2896] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 001800A8 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2896] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 001801D4 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2896] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 001800E4 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2896] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00180120 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2896] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0018015C .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2896] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00180198 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2896] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00180030 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2904] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00160030 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2904] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0016006C .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2904] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001700A8 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2904] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001700E4 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2904] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00170120 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2904] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00170030 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2904] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0017006C .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2904] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0018006C .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2904] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 001800A8 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2904] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 001801D4 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2904] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 001800E4 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2904] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00180120 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2904] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0018015C .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2904] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00180198 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[2904] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00180030 .text C:\Windows\System32\svchost.exe[2944] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\System32\svchost.exe[2944] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\System32\svchost.exe[2944] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\System32\svchost.exe[2944] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\System32\svchost.exe[2944] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\System32\svchost.exe[2944] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\System32\svchost.exe[2944] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\System32\svchost.exe[2944] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\System32\svchost.exe[2944] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\System32\svchost.exe[2944] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\System32\svchost.exe[2944] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001200A8 .text C:\Windows\System32\svchost.exe[2944] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001200E4 .text C:\Windows\System32\svchost.exe[2944] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00120120 .text C:\Windows\System32\svchost.exe[2944] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00120030 .text C:\Windows\System32\svchost.exe[2944] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0012006C .text C:\Windows\System32\svchost.exe[2976] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\System32\svchost.exe[2976] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\System32\svchost.exe[2976] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\System32\svchost.exe[2976] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\System32\svchost.exe[2976] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\System32\svchost.exe[2976] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\System32\svchost.exe[2976] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\System32\svchost.exe[2976] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\System32\svchost.exe[2976] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\System32\svchost.exe[2976] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\system32\svchost.exe[2992] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\system32\svchost.exe[2992] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\system32\svchost.exe[2992] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\system32\svchost.exe[2992] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\system32\svchost.exe[2992] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\system32\svchost.exe[2992] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\system32\svchost.exe[2992] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\system32\svchost.exe[2992] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\system32\svchost.exe[2992] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\system32\svchost.exe[2992] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\system32\svchost.exe[2992] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000F00A8 .text C:\Windows\system32\svchost.exe[2992] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000F00E4 .text C:\Windows\system32\svchost.exe[2992] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 000F0120 .text C:\Windows\system32\svchost.exe[2992] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 000F0030 .text C:\Windows\system32\svchost.exe[2992] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 000F006C .text C:\Windows\system32\svchost.exe[3032] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\system32\svchost.exe[3032] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\system32\svchost.exe[3032] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\system32\svchost.exe[3032] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\system32\svchost.exe[3032] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\system32\svchost.exe[3032] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\system32\svchost.exe[3032] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\system32\svchost.exe[3032] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\system32\svchost.exe[3032] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\system32\svchost.exe[3032] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[3064] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00140030 .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[3064] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0014006C .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[3064] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0026006C .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[3064] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 002600A8 .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[3064] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 002601D4 .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[3064] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 002600E4 .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[3064] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00260120 .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[3064] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0026015C .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[3064] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00260198 .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[3064] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00260030 .text C:\Windows\System32\svchost.exe[3100] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\System32\svchost.exe[3100] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\System32\svchost.exe[3100] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\System32\svchost.exe[3100] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\System32\svchost.exe[3100] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\System32\svchost.exe[3100] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\System32\svchost.exe[3100] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\System32\svchost.exe[3100] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\System32\svchost.exe[3100] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\System32\svchost.exe[3100] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\System32\Drivers\WTSRV.EXE[3116] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00140030 .text C:\Windows\System32\Drivers\WTSRV.EXE[3116] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0014006C .text C:\Windows\System32\Drivers\WTSRV.EXE[3116] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0016006C .text C:\Windows\System32\Drivers\WTSRV.EXE[3116] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 001600A8 .text C:\Windows\System32\Drivers\WTSRV.EXE[3116] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 001601D4 .text C:\Windows\System32\Drivers\WTSRV.EXE[3116] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 001600E4 .text C:\Windows\System32\Drivers\WTSRV.EXE[3116] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00160120 .text C:\Windows\System32\Drivers\WTSRV.EXE[3116] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0016015C .text C:\Windows\System32\Drivers\WTSRV.EXE[3116] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00160198 .text C:\Windows\System32\Drivers\WTSRV.EXE[3116] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00160030 .text C:\Windows\System32\Drivers\WTSRV.EXE[3116] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001800A8 .text C:\Windows\System32\Drivers\WTSRV.EXE[3116] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001800E4 .text C:\Windows\System32\Drivers\WTSRV.EXE[3116] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00180120 .text C:\Windows\System32\Drivers\WTSRV.EXE[3116] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00180030 .text C:\Windows\System32\Drivers\WTSRV.EXE[3116] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0018006C .text C:\Program Files\QuickTime\QTTask.exe[3160] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00150030 .text C:\Program Files\QuickTime\QTTask.exe[3160] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0015006C .text C:\Program Files\QuickTime\QTTask.exe[3160] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001700A8 .text C:\Program Files\QuickTime\QTTask.exe[3160] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001700E4 .text C:\Program Files\QuickTime\QTTask.exe[3160] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00170120 .text C:\Program Files\QuickTime\QTTask.exe[3160] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00170030 .text C:\Program Files\QuickTime\QTTask.exe[3160] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0017006C .text C:\Program Files\QuickTime\QTTask.exe[3160] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0018006C .text C:\Program Files\QuickTime\QTTask.exe[3160] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 001800A8 .text C:\Program Files\QuickTime\QTTask.exe[3160] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 001801D4 .text C:\Program Files\QuickTime\QTTask.exe[3160] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 001800E4 .text C:\Program Files\QuickTime\QTTask.exe[3160] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00180120 .text C:\Program Files\QuickTime\QTTask.exe[3160] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0018015C .text C:\Program Files\QuickTime\QTTask.exe[3160] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00180198 .text C:\Program Files\QuickTime\QTTask.exe[3160] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00180030 .text C:\Windows\system32\SearchIndexer.exe[3184] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\system32\SearchIndexer.exe[3184] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\system32\SearchIndexer.exe[3184] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\system32\SearchIndexer.exe[3184] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\system32\SearchIndexer.exe[3184] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\system32\SearchIndexer.exe[3184] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\system32\SearchIndexer.exe[3184] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\system32\SearchIndexer.exe[3184] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\system32\SearchIndexer.exe[3184] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\system32\SearchIndexer.exe[3184] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\system32\SearchIndexer.exe[3184] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000800A8 .text C:\Windows\system32\SearchIndexer.exe[3184] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000800E4 .text C:\Windows\system32\SearchIndexer.exe[3184] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00080120 .text C:\Windows\system32\SearchIndexer.exe[3184] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00080030 .text C:\Windows\system32\SearchIndexer.exe[3184] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0008006C .text C:\hp\HP Software Update\hpwuschd2.exe[3216] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00150030 .text C:\hp\HP Software Update\hpwuschd2.exe[3216] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0015006C .text C:\hp\HP Software Update\hpwuschd2.exe[3216] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 002700A8 .text C:\hp\HP Software Update\hpwuschd2.exe[3216] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 002700E4 .text C:\hp\HP Software Update\hpwuschd2.exe[3216] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00270120 .text C:\hp\HP Software Update\hpwuschd2.exe[3216] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00270030 .text C:\hp\HP Software Update\hpwuschd2.exe[3216] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0027006C .text C:\hp\HP Software Update\hpwuschd2.exe[3216] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0028006C .text C:\hp\HP Software Update\hpwuschd2.exe[3216] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 002800A8 .text C:\hp\HP Software Update\hpwuschd2.exe[3216] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 002801D4 .text C:\hp\HP Software Update\hpwuschd2.exe[3216] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 002800E4 .text C:\hp\HP Software Update\hpwuschd2.exe[3216] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00280120 .text C:\hp\HP Software Update\hpwuschd2.exe[3216] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0028015C .text C:\hp\HP Software Update\hpwuschd2.exe[3216] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00280198 .text C:\hp\HP Software Update\hpwuschd2.exe[3216] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00280030 .text C:\Program Files\Windows Sidebar\sidebar.exe[3284] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Program Files\Windows Sidebar\sidebar.exe[3284] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Program Files\Windows Sidebar\sidebar.exe[3284] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0008006C .text C:\Program Files\Windows Sidebar\sidebar.exe[3284] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000800A8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3284] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000801D4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3284] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000800E4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3284] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00080120 .text C:\Program Files\Windows Sidebar\sidebar.exe[3284] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0008015C .text C:\Program Files\Windows Sidebar\sidebar.exe[3284] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00080198 .text C:\Program Files\Windows Sidebar\sidebar.exe[3284] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00080030 .text C:\Program Files\Windows Sidebar\sidebar.exe[3284] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000900A8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3284] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000900E4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3284] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00090120 .text C:\Program Files\Windows Sidebar\sidebar.exe[3284] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00090030 .text C:\Program Files\Windows Sidebar\sidebar.exe[3284] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0009006C .text C:\Users\Borysław\AppData\Local\Google\Update\GoogleUpdate.exe[3336] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00160030 .text C:\Users\Borysław\AppData\Local\Google\Update\GoogleUpdate.exe[3336] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0016006C .text C:\Users\Borysław\AppData\Local\Google\Update\GoogleUpdate.exe[3336] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0017006C .text C:\Users\Borysław\AppData\Local\Google\Update\GoogleUpdate.exe[3336] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 001700A8 .text C:\Users\Borysław\AppData\Local\Google\Update\GoogleUpdate.exe[3336] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 001701D4 .text C:\Users\Borysław\AppData\Local\Google\Update\GoogleUpdate.exe[3336] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 001700E4 .text C:\Users\Borysław\AppData\Local\Google\Update\GoogleUpdate.exe[3336] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00170120 .text C:\Users\Borysław\AppData\Local\Google\Update\GoogleUpdate.exe[3336] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0017015C .text C:\Users\Borysław\AppData\Local\Google\Update\GoogleUpdate.exe[3336] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00170198 .text C:\Users\Borysław\AppData\Local\Google\Update\GoogleUpdate.exe[3336] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00170030 .text C:\Users\Borysław\AppData\Local\Google\Update\GoogleUpdate.exe[3336] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001800A8 .text C:\Users\Borysław\AppData\Local\Google\Update\GoogleUpdate.exe[3336] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001800E4 .text C:\Users\Borysław\AppData\Local\Google\Update\GoogleUpdate.exe[3336] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00180120 .text C:\Users\Borysław\AppData\Local\Google\Update\GoogleUpdate.exe[3336] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00180030 .text C:\Users\Borysław\AppData\Local\Google\Update\GoogleUpdate.exe[3336] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0018006C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000C00A8 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000C00E4 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 000C0120 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 000C0030 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 000C006C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] USER32.dll!SetWindowLongA 7655E7CD 5 Bytes JMP 6A1AA800 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] USER32.dll!SetWindowLongW 765613B4 5 Bytes JMP 6A1AA792 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] USER32.dll!GetWindowInfo 7656428E 5 Bytes JMP 69FB229C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3352] USER32.dll!TrackPopupMenu 765714F3 5 Bytes JMP 69FB2861 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3380] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Program Files\Mozilla Firefox\firefox.exe[3380] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Program Files\Mozilla Firefox\firefox.exe[3380] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Program Files\Mozilla Firefox\firefox.exe[3380] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3380] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Program Files\Mozilla Firefox\firefox.exe[3380] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Program Files\Mozilla Firefox\firefox.exe[3380] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Program Files\Mozilla Firefox\firefox.exe[3380] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Program Files\Mozilla Firefox\firefox.exe[3380] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Program Files\Mozilla Firefox\firefox.exe[3380] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Program Files\Mozilla Firefox\firefox.exe[3380] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001800A8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3380] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001800E4 .text C:\Program Files\Mozilla Firefox\firefox.exe[3380] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00180120 .text C:\Program Files\Mozilla Firefox\firefox.exe[3380] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00180030 .text C:\Program Files\Mozilla Firefox\firefox.exe[3380] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0018006C .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3424] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00150030 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3424] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0015006C .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3424] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0017006C .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3424] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 001700A8 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3424] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 001701D4 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3424] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 001700E4 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3424] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00170120 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3424] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0017015C .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3424] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00170198 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3424] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00170030 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3424] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001800A8 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3424] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001800E4 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3424] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00180120 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3424] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00180030 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3424] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0018006C .text C:\Windows\system32\WUDFHost.exe[3456] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Windows\system32\WUDFHost.exe[3456] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Windows\system32\WUDFHost.exe[3456] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0007006C .text C:\Windows\system32\WUDFHost.exe[3456] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000700A8 .text C:\Windows\system32\WUDFHost.exe[3456] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000701D4 .text C:\Windows\system32\WUDFHost.exe[3456] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000700E4 .text C:\Windows\system32\WUDFHost.exe[3456] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00070120 .text C:\Windows\system32\WUDFHost.exe[3456] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0007015C .text C:\Windows\system32\WUDFHost.exe[3456] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00070198 .text C:\Windows\system32\WUDFHost.exe[3456] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00070030 .text C:\Windows\system32\WUDFHost.exe[3456] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000800A8 .text C:\Windows\system32\WUDFHost.exe[3456] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000800E4 .text C:\Windows\system32\WUDFHost.exe[3456] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00080120 .text C:\Windows\system32\WUDFHost.exe[3456] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00080030 .text C:\Windows\system32\WUDFHost.exe[3456] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0008006C .text C:\Program Files\Windows Sidebar\sidebar.exe[4072] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00050030 .text C:\Program Files\Windows Sidebar\sidebar.exe[4072] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0005006C .text C:\Program Files\Windows Sidebar\sidebar.exe[4072] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 0008006C .text C:\Program Files\Windows Sidebar\sidebar.exe[4072] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000800A8 .text C:\Program Files\Windows Sidebar\sidebar.exe[4072] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000801D4 .text C:\Program Files\Windows Sidebar\sidebar.exe[4072] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000800E4 .text C:\Program Files\Windows Sidebar\sidebar.exe[4072] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 00080120 .text C:\Program Files\Windows Sidebar\sidebar.exe[4072] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 0008015C .text C:\Program Files\Windows Sidebar\sidebar.exe[4072] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 00080198 .text C:\Program Files\Windows Sidebar\sidebar.exe[4072] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 00080030 .text C:\Program Files\Windows Sidebar\sidebar.exe[4072] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000900A8 .text C:\Program Files\Windows Sidebar\sidebar.exe[4072] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000900E4 .text C:\Program Files\Windows Sidebar\sidebar.exe[4072] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 00090120 .text C:\Program Files\Windows Sidebar\sidebar.exe[4072] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 00090030 .text C:\Program Files\Windows Sidebar\sidebar.exe[4072] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 0009006C .text C:\Users\Borysław\Desktop\OTL.exe[4416] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00150030 .text C:\Users\Borysław\Desktop\OTL.exe[4416] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0015006C .text C:\Users\Borysław\Desktop\OTL.exe[4416] kernel32.dll!SetProcessShutdownParameters 7691E8C1 5 Bytes JMP 00170030 .text C:\Users\Borysław\Desktop\OTL.exe[4416] kernel32.dll!DefineDosDeviceW 7692856C 5 Bytes JMP 0017006C .text C:\Users\Borysław\Desktop\OTL.exe[4416] kernel32.dll!SetLocaleInfoW 769BDE7D 5 Bytes JMP 001700A8 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001D00A8 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!CreateDialogIndirectParamAorW 76557266 5 Bytes JMP 001D0594 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!CreateDialogParamW 765572A2 5 Bytes JMP 001D04E0 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001D00E4 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 001D0120 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 001D0030 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 001D006C .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!CreateWindowExA 7655DC2A 5 Bytes JMP 001D033C .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!SetWindowLongA 7655E7CD 5 Bytes JMP 001D042C .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!CreateWindowExW 76561305 5 Bytes JMP 001D0378 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!SetWindowLongW 765613B4 5 Bytes JMP 001D0468 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!SetPropW 76563DFC 5 Bytes JMP 001D0288 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!RemovePropW 76568726 5 Bytes JMP 001D0300 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!GetWindowLongA 76569994 5 Bytes JMP 001D03B4 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!GetWindowLongW 7656F8BF 5 Bytes JMP 001D03F0 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!GetPropW 76571051 5 Bytes JMP 001D0210 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!CreateDialogParamA 765717AA 5 Bytes JMP 001D04A4 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!LockWorkStation 765720B5 5 Bytes JMP 001D0198 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!CreateDialogIndirectParamA 765726F1 5 Bytes JMP 001D051C .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!CreateDialogIndirectParamW 76579A62 5 Bytes JMP 001D0558 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!SetPropA 7657B191 5 Bytes JMP 001D024C .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!RemovePropA 7657B1E9 5 Bytes JMP 001D02C4 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!GetPropA 7657B6F3 5 Bytes JMP 001D01D4 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!DialogBoxParamW 765810B0 5 Bytes JMP 001D060C .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!DialogBoxIndirectParamAorW 76582EB6 5 Bytes JMP 001D06C0 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!DialogBoxIndirectParamW 76582EF5 5 Bytes JMP 001D0684 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!DialogBoxParamA 76598152 5 Bytes JMP 001D05D0 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!DialogBoxIndirectParamA 7659847D 5 Bytes JMP 001D0648 .text C:\Users\Borysław\Desktop\OTL.exe[4416] user32.dll!ExitWindowsEx 7659B7C3 5 Bytes JMP 001D015C .text C:\Users\Borysław\Desktop\OTL.exe[4416] ADVAPI32.dll!ReportEventA 76789FD3 5 Bytes JMP 01F702C4 .text C:\Users\Borysław\Desktop\OTL.exe[4416] ADVAPI32.dll!RegConnectRegistryW 76794CC8 5 Bytes JMP 01F70378 .text C:\Users\Borysław\Desktop\OTL.exe[4416] ADVAPI32.dll!RegConnectRegistryExW 76794CE6 5 Bytes JMP 01F703B4 .text C:\Users\Borysław\Desktop\OTL.exe[4416] ADVAPI32.dll!ReportEventW 76796047 5 Bytes JMP 01F70300 .text C:\Users\Borysław\Desktop\OTL.exe[4416] ADVAPI32.dll!RegisterEventSourceW 76798A01 5 Bytes JMP 01F7024C .text C:\Users\Borysław\Desktop\OTL.exe[4416] ADVAPI32.dll!RegisterEventSourceA 7679D306 5 Bytes JMP 01F70210 .text C:\Users\Borysław\Desktop\OTL.exe[4416] ADVAPI32.dll!DeregisterEventSource 767A1BCD 5 Bytes JMP 01F70288 .text C:\Users\Borysław\Desktop\OTL.exe[4416] ADVAPI32.dll!LookupAccountNameW 767A5CF5 5 Bytes JMP 01F7033C .text C:\Users\Borysław\Desktop\OTL.exe[4416] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 01F7006C .text C:\Users\Borysław\Desktop\OTL.exe[4416] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 01F700A8 .text C:\Users\Borysław\Desktop\OTL.exe[4416] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 01F701D4 .text C:\Users\Borysław\Desktop\OTL.exe[4416] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 01F700E4 .text C:\Users\Borysław\Desktop\OTL.exe[4416] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 01F70120 .text C:\Users\Borysław\Desktop\OTL.exe[4416] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 01F7015C .text C:\Users\Borysław\Desktop\OTL.exe[4416] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 01F70198 .text C:\Users\Borysław\Desktop\OTL.exe[4416] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 01F70030 .text C:\Users\Borysław\Desktop\OTL.exe[4416] USERENV.dll!RegisterGPNotification 756C4485 5 Bytes JMP 01F90030 .text C:\Users\Borysław\Desktop\OTL.exe[4416] USERENV.dll!UnregisterGPNotification 756C6253 5 Bytes JMP 01F9006C .text C:\Users\Borysław\Desktop\OTL.exe[4416] Secur32.dll!LsaRegisterLogonProcess 756A7315 5 Bytes JMP 01FB0030 .text C:\Windows\system32\wuauclt.exe[4552] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 000A0030 .text C:\Windows\system32\wuauclt.exe[4552] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 000A006C .text C:\Windows\system32\wuauclt.exe[4552] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 000B00A8 .text C:\Windows\system32\wuauclt.exe[4552] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 000B00E4 .text C:\Windows\system32\wuauclt.exe[4552] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 000B0120 .text C:\Windows\system32\wuauclt.exe[4552] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 000B0030 .text C:\Windows\system32\wuauclt.exe[4552] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 000B006C .text C:\Windows\system32\wuauclt.exe[4552] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 000C006C .text C:\Windows\system32\wuauclt.exe[4552] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 000C00A8 .text C:\Windows\system32\wuauclt.exe[4552] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 000C01D4 .text C:\Windows\system32\wuauclt.exe[4552] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 000C00E4 .text C:\Windows\system32\wuauclt.exe[4552] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 000C0120 .text C:\Windows\system32\wuauclt.exe[4552] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 000C015C .text C:\Windows\system32\wuauclt.exe[4552] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 000C0198 .text C:\Windows\system32\wuauclt.exe[4552] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 000C0030 .text C:\Users\Borysław\Desktop\ymisiqls.exe[5560] ntdll.dll!LdrLoadDll 76FD93A8 5 Bytes JMP 00150030 .text C:\Users\Borysław\Desktop\ymisiqls.exe[5560] ntdll.dll!LdrUnloadDll 76FEB740 5 Bytes JMP 0015006C .text C:\Users\Borysław\Desktop\ymisiqls.exe[5560] ADVAPI32.dll!CreateServiceW 767C9EB4 5 Bytes JMP 001E006C .text C:\Users\Borysław\Desktop\ymisiqls.exe[5560] ADVAPI32.dll!DeleteService 767CA07E 5 Bytes JMP 001E00A8 .text C:\Users\Borysław\Desktop\ymisiqls.exe[5560] ADVAPI32.dll!SetServiceObjectSecurity 76806CD9 5 Bytes JMP 001E01D4 .text C:\Users\Borysław\Desktop\ymisiqls.exe[5560] ADVAPI32.dll!ChangeServiceConfigA 76806DD9 5 Bytes JMP 001E00E4 .text C:\Users\Borysław\Desktop\ymisiqls.exe[5560] ADVAPI32.dll!ChangeServiceConfigW 76806F81 5 Bytes JMP 001E0120 .text C:\Users\Borysław\Desktop\ymisiqls.exe[5560] ADVAPI32.dll!ChangeServiceConfig2A 76807099 5 Bytes JMP 001E015C .text C:\Users\Borysław\Desktop\ymisiqls.exe[5560] ADVAPI32.dll!ChangeServiceConfig2W 768071E1 5 Bytes JMP 001E0198 .text C:\Users\Borysław\Desktop\ymisiqls.exe[5560] ADVAPI32.dll!CreateServiceA 768072A1 5 Bytes JMP 001E0030 .text C:\Users\Borysław\Desktop\ymisiqls.exe[5560] USER32.dll!SetWindowsHookExA 76556322 5 Bytes JMP 001F00A8 .text C:\Users\Borysław\Desktop\ymisiqls.exe[5560] USER32.dll!SetWindowsHookExW 765587AD 5 Bytes JMP 001F00E4 .text C:\Users\Borysław\Desktop\ymisiqls.exe[5560] USER32.dll!UnhookWindowsHookEx 765598DB 5 Bytes JMP 001F0120 .text C:\Users\Borysław\Desktop\ymisiqls.exe[5560] USER32.dll!SetWinEventHook 76559F3A 5 Bytes JMP 001F0030 .text C:\Users\Borysław\Desktop\ymisiqls.exe[5560] USER32.dll!UnhookWinEvent 7655C06F 5 Bytes JMP 001F006C ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [83E976D2] \SystemRoot\System32\Drivers\spql.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [83E97040] \SystemRoot\System32\Drivers\spql.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [83E977FC] \SystemRoot\System32\Drivers\spql.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [83E970BE] \SystemRoot\System32\Drivers\spql.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [83E9713C] \SystemRoot\System32\Drivers\spql.sys ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\Explorer.EXE[2252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [735D7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7362A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [735DBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [735CF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [735D75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [735CE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73608395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [735DDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [735CFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [735CFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [735C71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7365CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [735FC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [735CD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [735C6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [735C687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [735D2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) Device \FileSystem\Ntfs \Ntfs 869221F8 Device \Driver\volmgr \Device\VolMgrControl 8691F1F8 Device \Driver\usbuhci \Device\USBPDO-0 879851F8 Device \Driver\usbuhci \Device\USBPDO-1 879851F8 Device \Driver\usbuhci \Device\USBPDO-2 879851F8 Device \Driver\usbuhci \Device\USBPDO-3 879851F8 Device \Driver\usbehci \Device\USBPDO-4 879861F8 AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\volmgr \Device\HarddiskVolume1 8691F1F8 Device \Driver\volmgr \Device\HarddiskVolume2 8691F1F8 Device \Driver\cdrom \Device\CdRom0 879AB1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 869211F8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-3 869211F8 Device \Driver\atapi \Device\Ide\IdePort0 869211F8 Device \Driver\atapi \Device\Ide\IdePort1 869211F8 Device \Driver\atapi \Device\Ide\IdePort2 869211F8 Device \Driver\atapi \Device\Ide\IdePort3 869211F8 Device \Driver\volmgr \Device\HarddiskVolume3 8691F1F8 Device \Driver\volmgr \Device\HarddiskVolume4 8691F1F8 Device \Driver\volmgr \Device\HarddiskVolume5 8691F1F8 Device \Driver\netbt \Device\NetBt_Wins_Export 885A01F8 Device \Driver\Smb \Device\NetbiosSmb 8857D500 Device \Driver\netbt \Device\NetBT_Tcpip_{00F19A5B-5A3E-42DF-ACC3-0BB634E713D4} 885A01F8 Device \Driver\USBSTOR \Device\00000154 8856D1F8 Device \Driver\USBSTOR \Device\00000155 8856D1F8 Device \Driver\iScsiPrt \Device\RaidPort0 879E01F8 AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\USBSTOR \Device\00000156 8856D1F8 Device \Driver\USBSTOR \Device\00000157 8856D1F8 Device \Driver\USBSTOR \Device\00000158 8856D1F8 Device \Driver\usbuhci \Device\USBFDO-0 879851F8 Device \Driver\usbuhci \Device\USBFDO-1 879851F8 Device \Driver\usbuhci \Device\USBFDO-2 879851F8 Device \Driver\usbuhci \Device\USBFDO-3 879851F8 Device \Driver\usbehci \Device\USBFDO-4 879861F8 Device \FileSystem\cdfs \Cdfs 861A51F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x73 0x8E 0xBD 0xCA ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x0C 0x80 0x6D 0xB0 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x47 0x8C 0x87 0x72 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x73 0x8E 0xBD 0xCA ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x0C 0x80 0x6D 0xB0 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x47 0x8C 0x87 0x72 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x73 0x8E 0xBD 0xCA ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x0C 0x80 0x6D 0xB0 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x47 0x8C 0x87 0x72 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x73 0x8E 0xBD 0xCA ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x0C 0x80 0x6D 0xB0 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x47 0x8C 0x87 0x72 ... Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x73 0x8E 0xBD 0xCA ... Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x0C 0x80 0x6D 0xB0 ... Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x47 0x8C 0x87 0x72 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x73 0x8E 0xBD 0xCA ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x0C 0x80 0x6D 0xB0 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x47 0x8C 0x87 0x72 ... Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x73 0x8E 0xBD 0xCA ... Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x0C 0x80 0x6D 0xB0 ... Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x47 0x8C 0x87 0x72 ... Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x73 0x8E 0xBD 0xCA ... Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x0C 0x80 0x6D 0xB0 ... Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x47 0x8C 0x87 0x72 ... Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x73 0x8E 0xBD 0xCA ... Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x0C 0x80 0x6D 0xB0 ... Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x47 0x8C 0x87 0x72 ... Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x73 0x8E 0xBD 0xCA ... Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x0C 0x80 0x6D 0xB0 ... Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x47 0x8C 0x87 0x72 ... Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ... Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ... Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ... Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ... Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ... Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ... Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ... Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ... Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ... Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ... Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ... Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ... ---- Disk sectors - GMER 1.0.15 ---- Disk \Device\Harddisk0\DR0 Whistler@MBR code has been found <-- ROOTKIT !!! ---- Files - GMER 1.0.15 ---- File C:\## aswSnx private storage 0 bytes File C:\## aswSnx private storage\r431 0 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b} 0 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\attrib 0 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image 0 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users 0 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław 0 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław\AppData 0 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław\AppData\Local 0 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław\AppData\Local\Microsoft 0 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław\AppData\Local\Microsoft\Windows 0 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław\AppData\Local\Microsoft\Windows\Explorer 0 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db 24 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db 2097152 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db 1048576 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db 4194304 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db 16184 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db 24 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław\Contacts 0 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław\Contacts\Documents 0 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław\Contacts\Documents\Extras.Txt 98994 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław\Contacts\Documents\OTL.Txt 93026 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław\Desktop 0 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław\Desktop\Extras.Txt 98994 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Users\Borysław\Desktop\OTL.Txt 93026 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Windows 0 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Windows\Prefetch 0 bytes File C:\## aswSnx private storage\r431\OTL.exe_{40913bd6-dca6-11e0-8d97-c039ef22649b}\image\Windows\Prefetch\NOTEPAD.EXE-3D2AFDB4.pf 23444 bytes File C:\## aswSnx private storage\snx_rhive 262144 bytes File C:\## aswSnx private storage\snx_rhive.LOG1 66560 bytes File C:\## aswSnx private storage\snx_rhive.LOG2 0 bytes File C:\## aswSnx private storage\snx_rhive{40913bd8-dca6-11e0-8d97-c039ef22649b}.TM.blf 65536 bytes File C:\## aswSnx private storage\snx_rhive{40913bd8-dca6-11e0-8d97-c039ef22649b}.TMContainer00000000000000000001.regtrans-ms 524288 bytes File C:\## aswSnx private storage\snx_rhive{40913bd8-dca6-11e0-8d97-c039ef22649b}.TMContainer00000000000000000002.regtrans-ms 524288 bytes ---- EOF - GMER 1.0.15 ----