GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-06 23:09:44
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\00000064 SAMSUNG_SP0812N rev.TK100-30
Running: yhq3ez1w.exe; Driver: C:\DOCUME~1\Warwick\USTAWI~1\Temp\uxtdypoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xA9F0EFC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xA9F73510]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xA9F326A9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xA9F11456]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xA9F114AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xA9F115C4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xA9F3205D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xA9F113AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xA9F114FE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xA9F11400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xA9F11572]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xA9F0EFE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xA9F32D6F]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xA9F33025]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xA9F11848]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA9F32BDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA9F32A45]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xA9F735C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xA9F0EDB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xA9F0F00C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xA9F119BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xA9F0FAA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xA9F11486]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xA9F114D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xA9F115EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xA9F323B9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xA9F113D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xA9F11680]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xA9F1153E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xA9F1142E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xA9F11764]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xA9F1159C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xA9F73658]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xA9F328C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xA9F0F96A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xA9F32712]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA9F7B9E6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xA9F316D0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xA9F0F030]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xA9F0F054]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xA9F0EE0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xA9F0EF48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xA9F32E76]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xA9F0EF24]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xA9F0EF6C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xA9F0F078]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA9F877A2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2428 80501318 4 Bytes CALL 9AFA040C
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 8059A640 4 Bytes CALL A9F1000F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B0A76 5 Bytes JMP A9F8469C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805B7764 5 Bytes JMP A9F8615C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C5F68 7 Bytes JMP A9F877A6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xB8F7A900]
.text C:\WINDOWS\System32\DRIVERS\ati2mtag.sys section is writeable [0xB8B6B000, 0x1C5D38, 0xE8000020]
.text win32k.sys!EngPaint + 4EF BF8255ED 5 Bytes JMP A9F11B9A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + EE3F BF841181 5 Bytes JMP A9F11C0A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!FONTOBJ_pxoGetXform + DE42 BF85AD4E 5 Bytes JMP A9F11AD6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 3474 BF87111B 5 Bytes JMP A9F11DE6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 34FF BF8711A6 5 Bytes JMP A9F11FBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 411E BF894CB8 5 Bytes JMP A9F11F76 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 34B7 BF8BA260 5 Bytes JMP A9F11ABE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngAlphaBlend + 3E8 BF8C333C 5 Bytes JMP A9F11CA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1517 BF8EB97D 5 Bytes JMP A9F11D14 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1797 BF8EBBFD 5 Bytes JMP A9F11D4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bCloseFigure + 19EF BF8F9A43 5 Bytes JMP A9F119F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 19C1 BF913245 5 Bytes JMP A9F11B56 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 2595 BF913E19 5 Bytes JMP A9F11C6E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4EF4 BF916778 5 Bytes JMP A9F120D6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA0F78300, 0x3ACC8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xAD6CB300, 0x1B7E, 0xE8000020]
pnidata C:\WINDOWS\System32\DRIVERS\secdrv.sys unknown last section [0xA0F2BF00, 0x24000, 0x48000000]


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[172] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[172] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[172] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[172] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[172] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 002F1014
.text C:\WINDOWS\System32\svchost.exe[172] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 002F0804
.text C:\WINDOWS\System32\svchost.exe[172] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 002F0A08
.text C:\WINDOWS\System32\svchost.exe[172] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 002F0C0C
.text C:\WINDOWS\System32\svchost.exe[172] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 002F0E10
.text C:\WINDOWS\System32\svchost.exe[172] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 002F01F8
.text C:\WINDOWS\System32\svchost.exe[172] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 002F03FC
.text C:\WINDOWS\System32\svchost.exe[172] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 002F0600
.text C:\WINDOWS\System32\svchost.exe[172] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8
.text C:\WINDOWS\System32\svchost.exe[172] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC
.text C:\WINDOWS\System32\svchost.exe[172] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804
.text C:\WINDOWS\System32\svchost.exe[172] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08
.text C:\WINDOWS\System32\svchost.exe[172] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600

.text C:\WINDOWS\system32\spoolsv.exe[324] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\spoolsv.exe[324] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[324] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\spoolsv.exe[324] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[324] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 002F1014
.text C:\WINDOWS\system32\spoolsv.exe[324] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 002F0804
.text C:\WINDOWS\system32\spoolsv.exe[324] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 002F0A08
.text C:\WINDOWS\system32\spoolsv.exe[324] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 002F0C0C
.text C:\WINDOWS\system32\spoolsv.exe[324] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 002F0E10
.text C:\WINDOWS\system32\spoolsv.exe[324] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 002F01F8
.text C:\WINDOWS\system32\spoolsv.exe[324] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 002F03FC
.text C:\WINDOWS\system32\spoolsv.exe[324] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 002F0600
.text C:\WINDOWS\system32\spoolsv.exe[324] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\spoolsv.exe[324] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\spoolsv.exe[324] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\spoolsv.exe[324] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\spoolsv.exe[324] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600

.text C:\WINDOWS\System32\svchost.exe[344] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[344] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[344] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[344] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[344] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 002F1014
.text C:\WINDOWS\System32\svchost.exe[344] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 002F0804
.text C:\WINDOWS\System32\svchost.exe[344] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 002F0A08
.text C:\WINDOWS\System32\svchost.exe[344] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 002F0C0C
.text C:\WINDOWS\System32\svchost.exe[344] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 002F0E10
.text C:\WINDOWS\System32\svchost.exe[344] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 002F01F8
.text C:\WINDOWS\System32\svchost.exe[344] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 002F03FC
.text C:\WINDOWS\System32\svchost.exe[344] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 002F0600
.text C:\WINDOWS\System32\svchost.exe[344] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8
.text C:\WINDOWS\System32\svchost.exe[344] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC
.text C:\WINDOWS\System32\svchost.exe[344] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804
.text C:\WINDOWS\System32\svchost.exe[344] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08
.text C:\WINDOWS\System32\svchost.exe[344] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600

.text C:\WINDOWS\System32\smss.exe[604] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]

.text C:\WINDOWS\system32\csrss.exe[668] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[668] KERNEL32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]

.text C:\WINDOWS\system32\winlogon.exe[704] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000701F8
.text C:\WINDOWS\system32\winlogon.exe[704] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[704] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000703FC
.text C:\WINDOWS\system32\winlogon.exe[704] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[704] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 002F1014
.text C:\WINDOWS\system32\winlogon.exe[704] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 002F0804
.text C:\WINDOWS\system32\winlogon.exe[704] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 002F0A08
.text C:\WINDOWS\system32\winlogon.exe[704] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 002F0C0C
.text C:\WINDOWS\system32\winlogon.exe[704] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 002F0E10
.text C:\WINDOWS\system32\winlogon.exe[704] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 002F01F8
.text C:\WINDOWS\system32\winlogon.exe[704] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 002F03FC
.text C:\WINDOWS\system32\winlogon.exe[704] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 002F0600
.text C:\WINDOWS\system32\winlogon.exe[704] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\winlogon.exe[704] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\winlogon.exe[704] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\winlogon.exe[704] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\winlogon.exe[704] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600

.text C:\WINDOWS\system32\services.exe[748] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\services.exe[748] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[748] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\services.exe[748] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[748] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 002F1014
.text C:\WINDOWS\system32\services.exe[748] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 002F0804
.text C:\WINDOWS\system32\services.exe[748] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 002F0A08
.text C:\WINDOWS\system32\services.exe[748] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 002F0C0C
.text C:\WINDOWS\system32\services.exe[748] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 002F0E10
.text C:\WINDOWS\system32\services.exe[748] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 002F01F8
.text C:\WINDOWS\system32\services.exe[748] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 002F03FC
.text C:\WINDOWS\system32\services.exe[748] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 002F0600
.text C:\WINDOWS\system32\services.exe[748] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\services.exe[748] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\services.exe[748] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\services.exe[748] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\services.exe[748] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600

.text C:\WINDOWS\system32\lsass.exe[760] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\lsass.exe[760] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[760] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\lsass.exe[760] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 002F1014
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 002F0804
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 002F0A08
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 002F0C0C
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 002F0E10
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 002F01F8
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 002F03FC
.text C:\WINDOWS\system32\lsass.exe[760] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 002F0600
.text C:\WINDOWS\system32\lsass.exe[760] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\lsass.exe[760] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\lsass.exe[760] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\lsass.exe[760] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\lsass.exe[760] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600

.text C:\Program Files\Java\jre6\bin\jqs.exe[828] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 001501F8
.text C:\Program Files\Java\jre6\bin\jqs.exe[828] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\Program Files\Java\jre6\bin\jqs.exe[828] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 001503FC
.text C:\Program Files\Java\jre6\bin\jqs.exe[828] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\Program Files\Java\jre6\bin\jqs.exe[828] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 003D1014
.text C:\Program Files\Java\jre6\bin\jqs.exe[828] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 003D0804
.text C:\Program Files\Java\jre6\bin\jqs.exe[828] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 003D0A08
.text C:\Program Files\Java\jre6\bin\jqs.exe[828] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 003D0C0C
.text C:\Program Files\Java\jre6\bin\jqs.exe[828] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 003D0E10
.text C:\Program Files\Java\jre6\bin\jqs.exe[828] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003D01F8
.text C:\Program Files\Java\jre6\bin\jqs.exe[828] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003D03FC
.text C:\Program Files\Java\jre6\bin\jqs.exe[828] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 003D0600
.text C:\Program Files\Java\jre6\bin\jqs.exe[828] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003E01F8
.text C:\Program Files\Java\jre6\bin\jqs.exe[828] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003E03FC
.text C:\Program Files\Java\jre6\bin\jqs.exe[828] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 003E0804
.text C:\Program Files\Java\jre6\bin\jqs.exe[828] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 003E0A08
.text C:\Program Files\Java\jre6\bin\jqs.exe[828] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 003E0600

.text C:\WINDOWS\System32\Ati2evxx.exe[916] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 001501F8
.text C:\WINDOWS\System32\Ati2evxx.exe[916] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\System32\Ati2evxx.exe[916] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 001503FC
.text C:\WINDOWS\System32\Ati2evxx.exe[916] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\System32\Ati2evxx.exe[916] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003D01F8
.text C:\WINDOWS\System32\Ati2evxx.exe[916] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003D03FC
.text C:\WINDOWS\System32\Ati2evxx.exe[916] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 003D0804
.text C:\WINDOWS\System32\Ati2evxx.exe[916] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 003D0A08
.text C:\WINDOWS\System32\Ati2evxx.exe[916] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 003D0600
.text C:\WINDOWS\System32\Ati2evxx.exe[916] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 003E1014
.text C:\WINDOWS\System32\Ati2evxx.exe[916] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 003E0804
.text C:\WINDOWS\System32\Ati2evxx.exe[916] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 003E0A08
.text C:\WINDOWS\System32\Ati2evxx.exe[916] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 003E0C0C
.text C:\WINDOWS\System32\Ati2evxx.exe[916] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 003E0E10
.text C:\WINDOWS\System32\Ati2evxx.exe[916] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003E01F8
.text C:\WINDOWS\System32\Ati2evxx.exe[916] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003E03FC
.text C:\WINDOWS\System32\Ati2evxx.exe[916] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 003E0600

.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 002F1014
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 002F0804
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 002F0A08
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 002F0C0C
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 002F0E10
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 002F01F8
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 002F03FC
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 002F0600
.text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600

.text C:\WINDOWS\system32\svchost.exe[992] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[992] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[992] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 002F1014
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 002F0804
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 002F0A08
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 002F0C0C
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 002F0E10
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 002F01F8
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 002F03FC
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 002F0600
.text C:\WINDOWS\system32\svchost.exe[992] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[992] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[992] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[992] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[992] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600

.text C:\WINDOWS\System32\wdfmgr.exe[1068] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000801F8
.text C:\WINDOWS\System32\wdfmgr.exe[1068] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\System32\wdfmgr.exe[1068] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000803FC
.text C:\WINDOWS\System32\wdfmgr.exe[1068] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\System32\wdfmgr.exe[1068] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00301014
.text C:\WINDOWS\System32\wdfmgr.exe[1068] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00300804
.text C:\WINDOWS\System32\wdfmgr.exe[1068] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00300A08
.text C:\WINDOWS\System32\wdfmgr.exe[1068] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00300C0C
.text C:\WINDOWS\System32\wdfmgr.exe[1068] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00300E10
.text C:\WINDOWS\System32\wdfmgr.exe[1068] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003001F8
.text C:\WINDOWS\System32\wdfmgr.exe[1068] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003003FC
.text C:\WINDOWS\System32\wdfmgr.exe[1068] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00300600
.text C:\WINDOWS\System32\wdfmgr.exe[1068] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003101F8
.text C:\WINDOWS\System32\wdfmgr.exe[1068] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003103FC
.text C:\WINDOWS\System32\wdfmgr.exe[1068] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00310804
.text C:\WINDOWS\System32\wdfmgr.exe[1068] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00310A08
.text C:\WINDOWS\System32\wdfmgr.exe[1068] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00310600

.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 002F1014
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 002F0804
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 002F0A08
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 002F0C0C
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 002F0E10
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 002F01F8
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 002F03FC
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 002F0600
.text C:\WINDOWS\System32\svchost.exe[1088] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8
.text C:\WINDOWS\System32\svchost.exe[1088] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC
.text C:\WINDOWS\System32\svchost.exe[1088] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804
.text C:\WINDOWS\System32\svchost.exe[1088] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08
.text C:\WINDOWS\System32\svchost.exe[1088] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600

.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 002F1014
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 002F0804
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 002F0A08
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 002F0C0C
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 002F0E10
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 002F01F8
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 002F03FC
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 002F0600
.text C:\WINDOWS\System32\svchost.exe[1168] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8
.text C:\WINDOWS\System32\svchost.exe[1168] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC
.text C:\WINDOWS\System32\svchost.exe[1168] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804
.text C:\WINDOWS\System32\svchost.exe[1168] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08
.text C:\WINDOWS\System32\svchost.exe[1168] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600

.text C:\WINDOWS\System32\svchost.exe[1248] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[1248] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1248] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 002F1014
.text C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 002F0804
.text C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 002F0A08
.text C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 002F0C0C
.text C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 002F0E10
.text C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 002F01F8
.text C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 002F03FC
.text C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 002F0600
.text C:\WINDOWS\System32\svchost.exe[1248] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8
.text C:\WINDOWS\System32\svchost.exe[1248] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC
.text C:\WINDOWS\System32\svchost.exe[1248] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804
.text C:\WINDOWS\System32\svchost.exe[1248] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08
.text C:\WINDOWS\System32\svchost.exe[1248] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600

.text C:\WINDOWS\system32\Ati2evxx.exe[1268] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 001501F8
.text C:\WINDOWS\system32\Ati2evxx.exe[1268] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\Ati2evxx.exe[1268] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 001503FC
.text C:\WINDOWS\system32\Ati2evxx.exe[1268] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\system32\Ati2evxx.exe[1268] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003D01F8
.text C:\WINDOWS\system32\Ati2evxx.exe[1268] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003D03FC
.text C:\WINDOWS\system32\Ati2evxx.exe[1268] USER32.dll!SetWindowsHookExW 77D5E621
5 Bytes JMP 003D0804 .text C:\WINDOWS\system32\Ati2evxx.exe[1268] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 003D0A08 .text C:\WINDOWS\system32\Ati2evxx.exe[1268] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 003D0600 .text C:\WINDOWS\system32\Ati2evxx.exe[1268] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 003E1014 .text C:\WINDOWS\system32\Ati2evxx.exe[1268] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 003E0804 .text C:\WINDOWS\system32\Ati2evxx.exe[1268] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 003E0A08 .text C:\WINDOWS\system32\Ati2evxx.exe[1268] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 003E0C0C .text C:\WINDOWS\system32\Ati2evxx.exe[1268] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 003E0E10 .text C:\WINDOWS\system32\Ati2evxx.exe[1268] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003E01F8 .text C:\WINDOWS\system32\Ati2evxx.exe[1268] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003E03FC .text C:\WINDOWS\system32\Ati2evxx.exe[1268] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 003E0600 .text C:\WINDOWS\Explorer.EXE[1536] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8 .text C:\WINDOWS\Explorer.EXE[1536] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[1536] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC .text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00371014 .text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00370804 .text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00370A08 .text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00370C0C .text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00370E10 .text C:\WINDOWS\Explorer.EXE[1536] 
ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003701F8 .text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003703FC .text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00370600 .text C:\WINDOWS\Explorer.EXE[1536] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003801F8 .text C:\WINDOWS\Explorer.EXE[1536] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003803FC .text C:\WINDOWS\Explorer.EXE[1536] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00380804 .text C:\WINDOWS\Explorer.EXE[1536] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00380A08 .text C:\WINDOWS\Explorer.EXE[1536] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00380600 .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1608] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1608] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1608] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\avastUI.exe[2036] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\avastUI.exe[2036] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[2044] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000A01F8 .text C:\WINDOWS\system32\ctfmon.exe[2044] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[2044] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000A03FC .text C:\WINDOWS\system32\ctfmon.exe[2044] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[2044] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00371014 .text C:\WINDOWS\system32\ctfmon.exe[2044] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00370804 .text C:\WINDOWS\system32\ctfmon.exe[2044] 
ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00370A08 .text C:\WINDOWS\system32\ctfmon.exe[2044] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00370C0C .text C:\WINDOWS\system32\ctfmon.exe[2044] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00370E10 .text C:\WINDOWS\system32\ctfmon.exe[2044] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003701F8 .text C:\WINDOWS\system32\ctfmon.exe[2044] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003703FC .text C:\WINDOWS\system32\ctfmon.exe[2044] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00370600 .text C:\WINDOWS\system32\ctfmon.exe[2044] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003801F8 .text C:\WINDOWS\system32\ctfmon.exe[2044] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003803FC .text C:\WINDOWS\system32\ctfmon.exe[2044] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00380804 .text C:\WINDOWS\system32\ctfmon.exe[2044] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00380A08 .text C:\WINDOWS\system32\ctfmon.exe[2044] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00380600 .text C:\WINDOWS\System32\alg.exe[2436] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8 .text C:\WINDOWS\System32\alg.exe[2436] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2436] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC .text C:\WINDOWS\System32\alg.exe[2436] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2436] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 002F01F8 .text C:\WINDOWS\System32\alg.exe[2436] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 002F03FC .text C:\WINDOWS\System32\alg.exe[2436] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 002F0804 .text C:\WINDOWS\System32\alg.exe[2436] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 002F0A08 .text C:\WINDOWS\System32\alg.exe[2436] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 002F0600 .text C:\WINDOWS\System32\alg.exe[2436] 
ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00301014 .text C:\WINDOWS\System32\alg.exe[2436] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00300804 .text C:\WINDOWS\System32\alg.exe[2436] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00300A08 .text C:\WINDOWS\System32\alg.exe[2436] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00300C0C .text C:\WINDOWS\System32\alg.exe[2436] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00300E10 .text C:\WINDOWS\System32\alg.exe[2436] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003001F8 .text C:\WINDOWS\System32\alg.exe[2436] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003003FC .text C:\WINDOWS\System32\alg.exe[2436] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00300600 .text C:\Documents and Settings\Warwick\Pulpit\Nowy folder\yhq3ez1w.exe[2608] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 001501F8 .text C:\Documents and Settings\Warwick\Pulpit\Nowy folder\yhq3ez1w.exe[2608] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\Documents and Settings\Warwick\Pulpit\Nowy folder\yhq3ez1w.exe[2608] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 001503FC .text C:\Documents and Settings\Warwick\Pulpit\Nowy folder\yhq3ez1w.exe[2608] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Documents and Settings\Warwick\Pulpit\Nowy folder\yhq3ez1w.exe[2608] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 009B1014 .text C:\Documents and Settings\Warwick\Pulpit\Nowy folder\yhq3ez1w.exe[2608] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 009B0804 .text C:\Documents and Settings\Warwick\Pulpit\Nowy folder\yhq3ez1w.exe[2608] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 009B0A08 .text C:\Documents and Settings\Warwick\Pulpit\Nowy folder\yhq3ez1w.exe[2608] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 009B0C0C .text C:\Documents and Settings\Warwick\Pulpit\Nowy folder\yhq3ez1w.exe[2608] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 
5 Bytes JMP 009B0E10 .text C:\Documents and Settings\Warwick\Pulpit\Nowy folder\yhq3ez1w.exe[2608] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 009B01F8 .text C:\Documents and Settings\Warwick\Pulpit\Nowy folder\yhq3ez1w.exe[2608] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 009B03FC .text C:\Documents and Settings\Warwick\Pulpit\Nowy folder\yhq3ez1w.exe[2608] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 009B0600 .text C:\Documents and Settings\Warwick\Pulpit\Nowy folder\yhq3ez1w.exe[2608] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 00AC01F8 .text C:\Documents and Settings\Warwick\Pulpit\Nowy folder\yhq3ez1w.exe[2608] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 00AC03FC .text C:\Documents and Settings\Warwick\Pulpit\Nowy folder\yhq3ez1w.exe[2608] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00AC0804 .text C:\Documents and Settings\Warwick\Pulpit\Nowy folder\yhq3ez1w.exe[2608] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00AC0A08 .text C:\Documents and Settings\Warwick\Pulpit\Nowy folder\yhq3ez1w.exe[2608] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00AC0600 .text C:\WINDOWS\system32\wuauclt.exe[3484] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000A01F8 .text C:\WINDOWS\system32\wuauclt.exe[3484] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\wuauclt.exe[3484] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000A03FC .text C:\WINDOWS\system32\wuauclt.exe[3484] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\wuauclt.exe[3484] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003701F8 .text C:\WINDOWS\system32\wuauclt.exe[3484] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003703FC .text C:\WINDOWS\system32\wuauclt.exe[3484] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00370804 .text C:\WINDOWS\system32\wuauclt.exe[3484] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00370A08 .text C:\WINDOWS\system32\wuauclt.exe[3484] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes 
JMP 00370600 .text C:\WINDOWS\system32\wuauclt.exe[3484] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00381014 .text C:\WINDOWS\system32\wuauclt.exe[3484] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00380804 .text C:\WINDOWS\system32\wuauclt.exe[3484] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00380A08 .text C:\WINDOWS\system32\wuauclt.exe[3484] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00380C0C .text C:\WINDOWS\system32\wuauclt.exe[3484] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00380E10 .text C:\WINDOWS\system32\wuauclt.exe[3484] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003801F8 .text C:\WINDOWS\system32\wuauclt.exe[3484] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003803FC .text C:\WINDOWS\system32\wuauclt.exe[3484] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00380600 ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINDOWS\system32\services.exe[748] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00620002 IAT C:\WINDOWS\system32\services.exe[748] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00620000 ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software) AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! 
TDI Filter Driver/AVAST Software) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\ControlSet002\Services\zumqqvw@DisplayName aasusummy Reg HKLM\SYSTEM\ControlSet002\Services\zumqqvw@Type 32 Reg HKLM\SYSTEM\ControlSet002\Services\zumqqvw@Start 2 Reg HKLM\SYSTEM\ControlSet002\Services\zumqqvw@ErrorControl 0 Reg HKLM\SYSTEM\ControlSet002\Services\zumqqvw@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\ControlSet002\Services\zumqqvw@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\Services\zumqqvw@Description Dostarcza interfejs i model obiektowy w celu uzyskiwania dost?pu do informacji zarz?dzania o systemie operacyjnym, urz?dzeniach, aplikacjach i us?ugach. Je?li ta us?uga zostanie zatrzymana, wi?kszo?? oprogramowania opartego na systemie Windows nie b?dzie dzia?a? w?a?ciwie. Je?li ta us?uga zostanie wy??czona, uruchomienie us?ug od niej zale?nych nie powiedzie si?. Reg HKLM\SYSTEM\ControlSet002\Services\zumqqvw\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\zumqqvw\Parameters@ServiceDll C:\WINDOWS\System32\tjcgsqf.dll ---- Files - GMER 1.0.15 ---- File C:\## aswSnx private storage 0 bytes File C:\## aswSnx private storage\r169 0 bytes File C:\## aswSnx private storage\snx_rhive 262144 bytes File C:\## aswSnx private storage\snx_rhive.LOG 1024 bytes ---- EOF - GMER 1.0.15 ----