GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-02-22 09:31:40 Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 ExcelStor_Technology_J9250S rev.GM2OA52A Running: etpdhth9.exe; Driver: C:\Users\KSIGOW~1\AppData\Local\Temp\fxlyqpoc.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8DA76FC4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8DA79456] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8DA794AE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8DA795C4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8DA793AC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8DA794FE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8DA79400] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8DA79572] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8DA76FE8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8DA76DB2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8DA7700C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8DA799BC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8DA77AA4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8DA79486] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8DA794D6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8DA795EE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8DA793D8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8DA7953E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8DA7942E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8DA7959C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8DA7796A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8DA77030] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8DA77054] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8DA76E0C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8DA76F48] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8DA76F24] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8DA76F6C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8DA77078] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8D6DE7A2] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!KeSetEvent + 10D 82CE0890 4 Bytes [C4, 6F, A7, 8D] .text ntkrnlpa.exe!KeSetEvent + 1D1 82CE0954 8 Bytes [56, 94, A7, 8D, AE, 94, A7, ...] .text ntkrnlpa.exe!KeSetEvent + 1DD 82CE0960 4 Bytes [C4, 95, A7, 8D] .text ntkrnlpa.exe!KeSetEvent + 1F5 82CE0978 4 Bytes [AC, 93, A7, 8D] .text ntkrnlpa.exe!KeSetEvent + 215 82CE0998 8 Bytes [FE, 94, A7, 8D, 00, 94, A7, ...] .text ... PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82E0B62F 5 Bytes JMP 8D6DB69C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObInsertObject 82E64543 5 Bytes JMP 8D6DD15C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82E6DE68 4 Bytes CALL 8DA78025 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 82E71ADC 4 Bytes CALL 8DA7803B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 82EC5DCA 7 Bytes JMP 8D6DE7A6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8CA0A340, 0x40AA77, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Windows\system32\csrss.exe[556] KERNEL32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\wininit.exe[608] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000301F8 .text C:\Windows\system32\wininit.exe[608] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000303FC .text C:\Windows\system32\wininit.exe[608] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 001503FC .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00150600 .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00151014 .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00150804 .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00150A08 .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00150C0C .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00150E10 .text C:\Windows\system32\wininit.exe[608] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 001501F8 .text C:\Windows\system32\wininit.exe[608] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00160600 .text C:\Windows\system32\wininit.exe[608] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00160804 .text C:\Windows\system32\wininit.exe[608] USER32.dll!UnhookWindowsHookEx 771598DB 3 Bytes JMP 00160A08 .text C:\Windows\system32\wininit.exe[608] USER32.dll!UnhookWindowsHookEx + 4 771598DF 1 Byte [89] .text C:\Windows\system32\wininit.exe[608] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 001601F8 .text C:\Windows\system32\wininit.exe[608] USER32.dll!UnhookWinEvent 7715C06F 3 Bytes JMP 001603FC .text C:\Windows\system32\wininit.exe[608] USER32.dll!UnhookWinEvent + 4 7715C073 1 Byte [89] .text C:\Windows\system32\csrss.exe[620] KERNEL32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\services.exe[652] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\services.exe[652] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\system32\services.exe[652] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\services.exe[652] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\services.exe[652] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00080600 .text C:\Windows\system32\services.exe[652] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00080804 .text C:\Windows\system32\services.exe[652] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\services.exe[652] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\services.exe[652] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 000803FC .text C:\Windows\system32\lsass.exe[664] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\lsass.exe[664] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\system32\lsass.exe[664] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\lsass.exe[664] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00080600 .text C:\Windows\system32\lsass.exe[664] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00080804 .text C:\Windows\system32\lsass.exe[664] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\lsass.exe[664] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\lsass.exe[664] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 000803FC .text C:\Windows\system32\lsm.exe[672] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\lsm.exe[672] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\system32\lsm.exe[672] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\lsm.exe[672] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000C03FC .text C:\Windows\system32\lsm.exe[672] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 000C0600 .text C:\Windows\system32\lsm.exe[672] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 000C1014 .text C:\Windows\system32\lsm.exe[672] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 000C0804 .text C:\Windows\system32\lsm.exe[672] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 000C0A08 .text C:\Windows\system32\lsm.exe[672] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 000C0C0C .text C:\Windows\system32\lsm.exe[672] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 000C0E10 .text C:\Windows\system32\lsm.exe[672] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000C01F8 .text C:\Windows\system32\winlogon.exe[756] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000301F8 .text C:\Windows\system32\winlogon.exe[756] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000303FC .text C:\Windows\system32\winlogon.exe[756] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\winlogon.exe[756] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000503FC .text C:\Windows\system32\winlogon.exe[756] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00050600 .text C:\Windows\system32\winlogon.exe[756] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00051014 .text C:\Windows\system32\winlogon.exe[756] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00050804 .text C:\Windows\system32\winlogon.exe[756] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00050A08 .text C:\Windows\system32\winlogon.exe[756] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00050C0C .text C:\Windows\system32\winlogon.exe[756] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00050E10 .text C:\Windows\system32\winlogon.exe[756] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000501F8 .text C:\Windows\system32\winlogon.exe[756] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00060600 .text C:\Windows\system32\winlogon.exe[756] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00060804 .text C:\Windows\system32\winlogon.exe[756] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00060A08 .text C:\Windows\system32\winlogon.exe[756] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 000601F8 .text C:\Windows\system32\winlogon.exe[756] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 000603FC .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[876] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 001601F8 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[876] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 001603FC .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[876] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[876] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00170600 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[876] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00170804 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[876] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00170A08 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[876] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 001701F8 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[876] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 001703FC .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[876] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 001803FC .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[876] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00180600 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[876] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00181014 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[876] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00180804 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[876] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00180A08 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[876] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00180C0C .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[876] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00180E10 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[876] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 001801F8 .text C:\Windows\system32\svchost.exe[880] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[880] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[880] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00370600 .text C:\Windows\system32\svchost.exe[880] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00370804 .text C:\Windows\system32\svchost.exe[880] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00370A08 .text C:\Windows\system32\svchost.exe[880] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 003701F8 .text C:\Windows\system32\svchost.exe[880] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 003703FC .text C:\Windows\system32\nvvsvc.exe[944] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 001501F8 .text C:\Windows\system32\nvvsvc.exe[944] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 001503FC .text C:\Windows\system32\nvvsvc.exe[944] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\nvvsvc.exe[944] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00170600 .text C:\Windows\system32\nvvsvc.exe[944] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00170804 .text C:\Windows\system32\nvvsvc.exe[944] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00170A08 .text C:\Windows\system32\nvvsvc.exe[944] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 001701F8 .text C:\Windows\system32\nvvsvc.exe[944] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 001703FC .text C:\Windows\system32\nvvsvc.exe[944] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 001803FC .text C:\Windows\system32\nvvsvc.exe[944] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00180600 .text C:\Windows\system32\nvvsvc.exe[944] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00181014 .text C:\Windows\system32\nvvsvc.exe[944] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00180804 .text C:\Windows\system32\nvvsvc.exe[944] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00180A08 .text C:\Windows\system32\nvvsvc.exe[944] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00180C0C .text C:\Windows\system32\nvvsvc.exe[944] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00180E10 .text C:\Windows\system32\nvvsvc.exe[944] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 001801F8 .text C:\Windows\system32\svchost.exe[972] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000901F8 .text C:\Windows\system32\svchost.exe[972] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000903FC .text C:\Windows\system32\svchost.exe[972] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\svchost.exe[972] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000B03FC .text C:\Windows\system32\svchost.exe[972] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 000B0600 .text C:\Windows\system32\svchost.exe[972] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 000B1014 .text C:\Windows\system32\svchost.exe[972] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 000B0804 .text C:\Windows\system32\svchost.exe[972] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 000B0A08 .text C:\Windows\system32\svchost.exe[972] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 000B0C0C .text C:\Windows\system32\svchost.exe[972] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 000B0E10 .text C:\Windows\system32\svchost.exe[972] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000B01F8 .text C:\Windows\system32\svchost.exe[972] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00300600 .text C:\Windows\system32\svchost.exe[972] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00300804 .text C:\Windows\system32\svchost.exe[972] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00300A08 .text C:\Windows\system32\svchost.exe[972] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 003001F8 .text C:\Windows\system32\svchost.exe[972] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 003003FC .text C:\Windows\System32\svchost.exe[1032] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\System32\svchost.exe[1032] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\System32\svchost.exe[1032] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\System32\svchost.exe[1032] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000B03FC .text C:\Windows\System32\svchost.exe[1032] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 000B0600 .text C:\Windows\System32\svchost.exe[1032] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 000B1014 .text C:\Windows\System32\svchost.exe[1032] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 000B0804 .text C:\Windows\System32\svchost.exe[1032] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 000B0A08 .text C:\Windows\System32\svchost.exe[1032] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 000B0C0C .text C:\Windows\System32\svchost.exe[1032] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 000B0E10 .text C:\Windows\System32\svchost.exe[1032] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000B01F8 .text C:\Windows\System32\svchost.exe[1032] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00400600 .text C:\Windows\System32\svchost.exe[1032] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00400804 .text C:\Windows\System32\svchost.exe[1032] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00400A08 .text C:\Windows\System32\svchost.exe[1032] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 004001F8 .text C:\Windows\System32\svchost.exe[1032] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 004003FC .text C:\Windows\System32\svchost.exe[1136] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\System32\svchost.exe[1136] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\System32\svchost.exe[1136] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Windows\System32\svchost.exe[1136] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00E10600 .text C:\Windows\System32\svchost.exe[1136] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00E10804 .text C:\Windows\System32\svchost.exe[1136] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00E10A08 .text C:\Windows\System32\svchost.exe[1136] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 00E101F8 .text C:\Windows\System32\svchost.exe[1136] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 00E103FC .text C:\Windows\system32\svchost.exe[1148] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[1148] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[1148] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[1148] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00150600 .text C:\Windows\system32\svchost.exe[1148] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00150804 .text C:\Windows\system32\svchost.exe[1148] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00150A08 .text C:\Windows\system32\svchost.exe[1148] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 001501F8 .text C:\Windows\system32\svchost.exe[1148] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 001503FC .text C:\Windows\system32\AUDIODG.EXE[1224] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\svchost.exe[1248] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[1248] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[1248] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[1316] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[1316] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[1316] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000B03FC .text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 000B0600 .text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 000B1014 .text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 000B0804 .text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 000B0A08 .text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 000B0C0C .text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 000B0E10 .text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000B01F8 .text C:\Windows\system32\svchost.exe[1316] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00430600 .text C:\Windows\system32\svchost.exe[1316] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00430804 .text C:\Windows\system32\svchost.exe[1316] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00430A08 .text C:\Windows\system32\svchost.exe[1316] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 004301F8 .text C:\Windows\system32\svchost.exe[1316] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 004303FC .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1472] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 001601F8 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1472] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 001603FC .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1472] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1472] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 001703FC .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1472] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00170600 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1472] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00171014 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1472] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00170804 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1472] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00170A08 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1472] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00170C0C .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1472] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00170E10 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1472] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 001701F8 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1472] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00180600 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1472] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00180804 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1472] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00180A08 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1472] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 001801F8 .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1472] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 001803FC .text C:\Windows\system32\svchost.exe[1476] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[1476] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[1476] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00190600 .text C:\Windows\system32\svchost.exe[1476] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00190804 .text C:\Windows\system32\svchost.exe[1476] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00190A08 .text C:\Windows\system32\svchost.exe[1476] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 001901F8 .text C:\Windows\system32\svchost.exe[1476] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 001903FC .text C:\Windows\system32\rundll32.exe[1488] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000601F8 .text C:\Windows\system32\rundll32.exe[1488] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000603FC .text C:\Windows\system32\rundll32.exe[1488] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\rundll32.exe[1488] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00170600 .text C:\Windows\system32\rundll32.exe[1488] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00170804 .text C:\Windows\system32\rundll32.exe[1488] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00170A08 .text C:\Windows\system32\rundll32.exe[1488] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 001701F8 .text C:\Windows\system32\rundll32.exe[1488] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 001703FC .text C:\Windows\system32\rundll32.exe[1488] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 001903FC .text C:\Windows\system32\rundll32.exe[1488] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00190600 .text C:\Windows\system32\rundll32.exe[1488] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00191014 .text C:\Windows\system32\rundll32.exe[1488] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00190804 .text C:\Windows\system32\rundll32.exe[1488] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00190A08 .text C:\Windows\system32\rundll32.exe[1488] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00190C0C .text C:\Windows\system32\rundll32.exe[1488] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00190E10 .text C:\Windows\system32\rundll32.exe[1488] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 001901F8 .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1632] kernel32.dll!SetUnhandledExceptionFilter 7760A84F 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1632] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[1980] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\System32\spoolsv.exe[1980] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\System32\spoolsv.exe[1980] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[1980] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\System32\spoolsv.exe[1980] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\System32\spoolsv.exe[1980] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\System32\spoolsv.exe[1980] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\System32\spoolsv.exe[1980] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\System32\spoolsv.exe[1980] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\System32\spoolsv.exe[1980] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\System32\spoolsv.exe[1980] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Windows\System32\spoolsv.exe[1980] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 001E0600 .text C:\Windows\System32\spoolsv.exe[1980] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 001E0804 .text C:\Windows\System32\spoolsv.exe[1980] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 001E0A08 .text C:\Windows\System32\spoolsv.exe[1980] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 001E01F8 .text C:\Windows\System32\spoolsv.exe[1980] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 001E03FC .text C:\Windows\system32\svchost.exe[2004] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[2004] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[2004] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\svchost.exe[2004] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[2004] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[2004] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[2004] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[2004] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[2004] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[2004] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[2004] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[2004] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00140600 .text C:\Windows\system32\svchost.exe[2004] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00140804 .text C:\Windows\system32\svchost.exe[2004] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00140A08 .text C:\Windows\system32\svchost.exe[2004] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 001401F8 .text C:\Windows\system32\svchost.exe[2004] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 001403FC .text C:\Windows\system32\svchost.exe[2064] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[2064] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[2064] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\svchost.exe[2064] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[2064] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[2064] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[2064] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[2064] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[2064] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[2064] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[2064] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[2064] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 000B0600 .text C:\Windows\system32\svchost.exe[2064] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 000B0804 .text C:\Windows\system32\svchost.exe[2064] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 000B0A08 .text C:\Windows\system32\svchost.exe[2064] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 000B01F8 .text C:\Windows\system32\svchost.exe[2064] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 000B03FC .text C:\Windows\system32\svchost.exe[2092] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[2092] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[2092] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Windows\System32\svchost.exe[2120] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\System32\svchost.exe[2120] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\System32\svchost.exe[2120] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\System32\svchost.exe[2120] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\System32\svchost.exe[2120] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\System32\svchost.exe[2120] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\System32\svchost.exe[2120] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\System32\svchost.exe[2120] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\System32\svchost.exe[2120] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\System32\svchost.exe[2120] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\System32\svchost.exe[2120] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2152] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000401F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2152] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000403FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2152] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2152] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000603FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2152] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00060600 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2152] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00061014 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2152] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00060804 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2152] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00060A08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2152] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00060C0C .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2152] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 3 Bytes JMP 00060E10 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2152] ADVAPI32.dll!ChangeServiceConfig2W + 4 778571E5 1 Byte [88] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2152] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000601F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2152] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00070600 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2152] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00070804 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2152] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00070A08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2152] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 000701F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2152] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 000703FC .text C:\Windows\system32\SearchIndexer.exe[2248] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\SearchIndexer.exe[2248] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\system32\SearchIndexer.exe[2248] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[2248] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\SearchIndexer.exe[2248] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\SearchIndexer.exe[2248] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\SearchIndexer.exe[2248] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\SearchIndexer.exe[2248] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\SearchIndexer.exe[2248] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\system32\SearchIndexer.exe[2248] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\SearchIndexer.exe[2248] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\SearchIndexer.exe[2248] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00080600 .text C:\Windows\system32\SearchIndexer.exe[2248] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00080804 .text C:\Windows\system32\SearchIndexer.exe[2248] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\SearchIndexer.exe[2248] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\SearchIndexer.exe[2248] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 000803FC .text C:\Windows\system32\WUDFHost.exe[2500] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\WUDFHost.exe[2500] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\system32\WUDFHost.exe[2500] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\WUDFHost.exe[2500] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\WUDFHost.exe[2500] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\WUDFHost.exe[2500] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\WUDFHost.exe[2500] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\WUDFHost.exe[2500] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\WUDFHost.exe[2500] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\system32\WUDFHost.exe[2500] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\WUDFHost.exe[2500] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\WUDFHost.exe[2500] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00080600 .text C:\Windows\system32\WUDFHost.exe[2500] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00080804 .text C:\Windows\system32\WUDFHost.exe[2500] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\WUDFHost.exe[2500] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\WUDFHost.exe[2500] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 000803FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2612] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000401F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2612] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000403FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2612] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2612] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000603FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2612] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00060600 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2612] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00061014 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2612] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00060804 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2612] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00060A08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2612] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00060C0C .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2612] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 3 Bytes JMP 00060E10 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2612] ADVAPI32.dll!ChangeServiceConfig2W + 4 778571E5 1 Byte [88] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2612] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000601F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2612] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00070600 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2612] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00070804 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2612] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00070A08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2612] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 000701F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2612] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 000703FC .text C:\Windows\system32\Dwm.exe[2836] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\Dwm.exe[2836] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\system32\Dwm.exe[2836] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\Dwm.exe[2836] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\Dwm.exe[2836] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\Dwm.exe[2836] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\Dwm.exe[2836] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\Dwm.exe[2836] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\Dwm.exe[2836] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\system32\Dwm.exe[2836] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\Dwm.exe[2836] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\Dwm.exe[2836] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00080600 .text C:\Windows\system32\Dwm.exe[2836] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00080804 .text C:\Windows\system32\Dwm.exe[2836] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\Dwm.exe[2836] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\Dwm.exe[2836] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 000803FC .text C:\Windows\system32\taskeng.exe[2844] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\taskeng.exe[2844] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\system32\taskeng.exe[2844] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\taskeng.exe[2844] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\taskeng.exe[2844] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\taskeng.exe[2844] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\taskeng.exe[2844] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\taskeng.exe[2844] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\taskeng.exe[2844] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\system32\taskeng.exe[2844] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\taskeng.exe[2844] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\taskeng.exe[2844] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00080600 .text C:\Windows\system32\taskeng.exe[2844] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00080804 .text C:\Windows\system32\taskeng.exe[2844] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\taskeng.exe[2844] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\taskeng.exe[2844] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 000803FC .text C:\Windows\system32\taskeng.exe[2920] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\taskeng.exe[2920] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\system32\taskeng.exe[2920] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\taskeng.exe[2920] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\taskeng.exe[2920] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\taskeng.exe[2920] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\taskeng.exe[2920] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\taskeng.exe[2920] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\taskeng.exe[2920] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\system32\taskeng.exe[2920] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\taskeng.exe[2920] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\taskeng.exe[2920] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00080600 .text C:\Windows\system32\taskeng.exe[2920] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00080804 .text C:\Windows\system32\taskeng.exe[2920] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\taskeng.exe[2920] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\taskeng.exe[2920] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 000803FC .text C:\Windows\Explorer.EXE[2948] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\Explorer.EXE[2948] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\Explorer.EXE[2948] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\Explorer.EXE[2948] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\Explorer.EXE[2948] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\Explorer.EXE[2948] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\Explorer.EXE[2948] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\Explorer.EXE[2948] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\Explorer.EXE[2948] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\Explorer.EXE[2948] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\Explorer.EXE[2948] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Windows\Explorer.EXE[2948] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00080600 .text C:\Windows\Explorer.EXE[2948] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00080804 .text C:\Windows\Explorer.EXE[2948] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00080A08 .text C:\Windows\Explorer.EXE[2948] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 000801F8 .text C:\Windows\Explorer.EXE[2948] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 000803FC .text C:\Windows\RtHDVCpl.exe[3084] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 001501F8 .text C:\Windows\RtHDVCpl.exe[3084] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 001503FC .text C:\Windows\RtHDVCpl.exe[3084] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\RtHDVCpl.exe[3084] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 001703FC .text C:\Windows\RtHDVCpl.exe[3084] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00170600 .text C:\Windows\RtHDVCpl.exe[3084] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00171014 .text C:\Windows\RtHDVCpl.exe[3084] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00170804 .text C:\Windows\RtHDVCpl.exe[3084] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00170A08 .text C:\Windows\RtHDVCpl.exe[3084] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00170C0C .text C:\Windows\RtHDVCpl.exe[3084] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00170E10 .text C:\Windows\RtHDVCpl.exe[3084] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 001701F8 .text C:\Windows\RtHDVCpl.exe[3084] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00180600 .text C:\Windows\RtHDVCpl.exe[3084] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00180804 .text C:\Windows\RtHDVCpl.exe[3084] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00180A08 .text C:\Windows\RtHDVCpl.exe[3084] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 001801F8 .text C:\Windows\RtHDVCpl.exe[3084] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 001803FC .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[3100] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 001601F8 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[3100] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 001603FC .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[3100] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[3100] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00170600 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[3100] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00170804 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[3100] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00170A08 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[3100] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 001701F8 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[3100] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 001703FC .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[3100] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 001803FC .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[3100] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00180600 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[3100] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00181014 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[3100] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00180804 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[3100] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00180A08 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[3100] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00180C0C .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[3100] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00180E10 .text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[3100] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 001801F8 .text C:\Windows\System32\rundll32.exe[3136] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000601F8 .text C:\Windows\System32\rundll32.exe[3136] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000603FC .text C:\Windows\System32\rundll32.exe[3136] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\System32\rundll32.exe[3136] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00070600 .text C:\Windows\System32\rundll32.exe[3136] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00070804 .text C:\Windows\System32\rundll32.exe[3136] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00070A08 .text C:\Windows\System32\rundll32.exe[3136] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 000701F8 .text C:\Windows\System32\rundll32.exe[3136] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 000703FC .text C:\Windows\System32\rundll32.exe[3136] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000C03FC .text C:\Windows\System32\rundll32.exe[3136] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 000C0600 .text C:\Windows\System32\rundll32.exe[3136] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 000C1014 .text C:\Windows\System32\rundll32.exe[3136] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 000C0804 .text C:\Windows\System32\rundll32.exe[3136] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 000C0A08 .text C:\Windows\System32\rundll32.exe[3136] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 000C0C0C .text C:\Windows\System32\rundll32.exe[3136] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 000C0E10 .text C:\Windows\System32\rundll32.exe[3136] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000C01F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3160] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 001601F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3160] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 001603FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3160] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3160] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 001703FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3160] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00170600 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3160] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00171014 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3160] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00170804 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3160] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00170A08 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3160] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00170C0C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3160] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00170E10 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3160] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 001701F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3160] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00180600 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3160] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00180804 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3160] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00180A08 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3160] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 001801F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3160] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 001803FC .text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3216] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3224] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 001401F8 .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3224] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 001403FC .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3224] kernel32.dll!SetUnhandledExceptionFilter 7760A84F 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3224] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3224] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00260600 .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3224] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00260804 .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3224] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00260A08 .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3224] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 002601F8 .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3224] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 002603FC .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3224] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 002703FC .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3224] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00270600 .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3224] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00271014 .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3224] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00270804 .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3224] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00270A08 .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3224] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00270C0C .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3224] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00270E10 .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3224] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 002701F8 .text C:\Program Files\LP\0040\000.exe[3356] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 001601F8 .text C:\Program Files\LP\0040\000.exe[3356] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 001603FC .text C:\Program Files\LP\0040\000.exe[3356] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Program Files\LP\0040\000.exe[3356] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00170600 .text C:\Program Files\LP\0040\000.exe[3356] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00170804 .text C:\Program Files\LP\0040\000.exe[3356] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00170A08 .text C:\Program Files\LP\0040\000.exe[3356] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 001701F8 .text C:\Program Files\LP\0040\000.exe[3356] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 001703FC .text C:\Program Files\LP\0040\000.exe[3356] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 001803FC .text C:\Program Files\LP\0040\000.exe[3356] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00180600 .text C:\Program Files\LP\0040\000.exe[3356] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00181014 .text C:\Program Files\LP\0040\000.exe[3356] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00180804 .text C:\Program Files\LP\0040\000.exe[3356] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00180A08 .text C:\Program Files\LP\0040\000.exe[3356] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00180C0C .text C:\Program Files\LP\0040\000.exe[3356] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00180E10 .text C:\Program Files\LP\0040\000.exe[3356] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 001801F8 .text C:\Program Files\Tlen.pl\tlen.exe[3376] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 001501F8 .text C:\Program Files\Tlen.pl\tlen.exe[3376] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 001503FC .text C:\Program Files\Tlen.pl\tlen.exe[3376] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Program Files\Tlen.pl\tlen.exe[3376] user32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 002A0600 .text C:\Program Files\Tlen.pl\tlen.exe[3376] user32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 002A0804 .text C:\Program Files\Tlen.pl\tlen.exe[3376] user32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 002A0A08 .text C:\Program Files\Tlen.pl\tlen.exe[3376] user32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 002A01F8 .text C:\Program Files\Tlen.pl\tlen.exe[3376] user32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 002A03FC .text C:\Program Files\Tlen.pl\tlen.exe[3376] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 002B03FC .text C:\Program Files\Tlen.pl\tlen.exe[3376] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 002B0600 .text C:\Program Files\Tlen.pl\tlen.exe[3376] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 002B1014 .text C:\Program Files\Tlen.pl\tlen.exe[3376] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 002B0804 .text C:\Program Files\Tlen.pl\tlen.exe[3376] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 002B0A08 .text C:\Program Files\Tlen.pl\tlen.exe[3376] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 002B0C0C .text C:\Program Files\Tlen.pl\tlen.exe[3376] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 002B0E10 .text C:\Program Files\Tlen.pl\tlen.exe[3376] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 002B01F8 .text C:\Users\KSIĘGOWA\AppData\Local\Google\Update\GoogleUpdate.exe[3408] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 001601F8 .text C:\Users\KSIĘGOWA\AppData\Local\Google\Update\GoogleUpdate.exe[3408] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 001603FC .text C:\Users\KSIĘGOWA\AppData\Local\Google\Update\GoogleUpdate.exe[3408] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Users\KSIĘGOWA\AppData\Local\Google\Update\GoogleUpdate.exe[3408] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 001703FC .text C:\Users\KSIĘGOWA\AppData\Local\Google\Update\GoogleUpdate.exe[3408] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00170600 .text C:\Users\KSIĘGOWA\AppData\Local\Google\Update\GoogleUpdate.exe[3408] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00171014 .text C:\Users\KSIĘGOWA\AppData\Local\Google\Update\GoogleUpdate.exe[3408] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00170804 .text C:\Users\KSIĘGOWA\AppData\Local\Google\Update\GoogleUpdate.exe[3408] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00170A08 .text C:\Users\KSIĘGOWA\AppData\Local\Google\Update\GoogleUpdate.exe[3408] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00170C0C .text C:\Users\KSIĘGOWA\AppData\Local\Google\Update\GoogleUpdate.exe[3408] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00170E10 .text C:\Users\KSIĘGOWA\AppData\Local\Google\Update\GoogleUpdate.exe[3408] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 001701F8 .text C:\Users\KSIĘGOWA\AppData\Local\Google\Update\GoogleUpdate.exe[3408] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00180600 .text C:\Users\KSIĘGOWA\AppData\Local\Google\Update\GoogleUpdate.exe[3408] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00180804 .text C:\Users\KSIĘGOWA\AppData\Local\Google\Update\GoogleUpdate.exe[3408] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00180A08 .text C:\Users\KSIĘGOWA\AppData\Local\Google\Update\GoogleUpdate.exe[3408] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 001801F8 .text C:\Users\KSIĘGOWA\AppData\Local\Google\Update\GoogleUpdate.exe[3408] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 001803FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3656] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000401F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3656] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000403FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3656] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3656] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000603FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3656] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00060600 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3656] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00061014 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3656] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00060804 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3656] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00060A08 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3656] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00060C0C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3656] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 3 Bytes JMP 00060E10 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3656] ADVAPI32.dll!ChangeServiceConfig2W + 4 778571E5 1 Byte [88] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3656] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000601F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3656] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 00070600 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3656] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 00070804 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3656] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 00070A08 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3656] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 000701F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3656] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[3744] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[3744] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[3744] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Windows\system32\svchost.exe[3744] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[3744] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[3744] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[3744] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[3744] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[3744] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[3744] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[3744] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 000701F8 .text C:\Users\KSIĘGOWA\Desktop\VIRUS\KSIĘGOWA\etpdhth9.exe[6120] ntdll.dll!LdrLoadDll 77CA9378 5 Bytes JMP 001501F8 .text C:\Users\KSIĘGOWA\Desktop\VIRUS\KSIĘGOWA\etpdhth9.exe[6120] ntdll.dll!LdrUnloadDll 77CBB680 5 Bytes JMP 001503FC .text C:\Users\KSIĘGOWA\Desktop\VIRUS\KSIĘGOWA\etpdhth9.exe[6120] kernel32.dll!GetBinaryTypeW + 70 77632247 1 Byte [62] .text C:\Users\KSIĘGOWA\Desktop\VIRUS\KSIĘGOWA\etpdhth9.exe[6120] ADVAPI32.dll!CreateServiceW 77819EB4 5 Bytes JMP 002C03FC .text C:\Users\KSIĘGOWA\Desktop\VIRUS\KSIĘGOWA\etpdhth9.exe[6120] ADVAPI32.dll!DeleteService 7781A07E 5 Bytes JMP 002C0600 .text C:\Users\KSIĘGOWA\Desktop\VIRUS\KSIĘGOWA\etpdhth9.exe[6120] ADVAPI32.dll!SetServiceObjectSecurity 77856CD9 5 Bytes JMP 002C1014 .text C:\Users\KSIĘGOWA\Desktop\VIRUS\KSIĘGOWA\etpdhth9.exe[6120] ADVAPI32.dll!ChangeServiceConfigA 77856DD9 5 Bytes JMP 002C0804 .text C:\Users\KSIĘGOWA\Desktop\VIRUS\KSIĘGOWA\etpdhth9.exe[6120] ADVAPI32.dll!ChangeServiceConfigW 77856F81 5 Bytes JMP 002C0A08 .text C:\Users\KSIĘGOWA\Desktop\VIRUS\KSIĘGOWA\etpdhth9.exe[6120] ADVAPI32.dll!ChangeServiceConfig2A 77857099 5 Bytes JMP 002C0C0C .text C:\Users\KSIĘGOWA\Desktop\VIRUS\KSIĘGOWA\etpdhth9.exe[6120] ADVAPI32.dll!ChangeServiceConfig2W 778571E1 5 Bytes JMP 002C0E10 .text C:\Users\KSIĘGOWA\Desktop\VIRUS\KSIĘGOWA\etpdhth9.exe[6120] ADVAPI32.dll!CreateServiceA 778572A1 5 Bytes JMP 002C01F8 .text C:\Users\KSIĘGOWA\Desktop\VIRUS\KSIĘGOWA\etpdhth9.exe[6120] USER32.dll!SetWindowsHookExA 77156322 5 Bytes JMP 002D0600 .text C:\Users\KSIĘGOWA\Desktop\VIRUS\KSIĘGOWA\etpdhth9.exe[6120] USER32.dll!SetWindowsHookExW 771587AD 5 Bytes JMP 002D0804 .text C:\Users\KSIĘGOWA\Desktop\VIRUS\KSIĘGOWA\etpdhth9.exe[6120] USER32.dll!UnhookWindowsHookEx 771598DB 5 Bytes JMP 002D0A08 .text C:\Users\KSIĘGOWA\Desktop\VIRUS\KSIĘGOWA\etpdhth9.exe[6120] USER32.dll!SetWinEventHook 77159F3A 5 Bytes JMP 002D01F8 .text C:\Users\KSIĘGOWA\Desktop\VIRUS\KSIĘGOWA\etpdhth9.exe[6120] USER32.dll!UnhookWinEvent 7715C06F 5 Bytes JMP 002D03FC ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\system32\services.exe[652] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 000B0002 IAT C:\Windows\system32\services.exe[652] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 000B0000 IAT C:\Windows\Explorer.EXE[2948] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [6B67F3FB] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis) AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 snapman.sys (Acronis Snapshot API/Acronis) AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 snapman.sys (Acronis Snapshot API/Acronis) AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 snapman.sys (Acronis Snapshot API/Acronis) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) ---- Files - GMER 1.0.15 ---- File C:\Users\KSIĘGOWA\Music\BearShare\Felicjan Andrzejczak, Małgorzata Bendarz, Monika Brodka, Krzysztof Cugowski, Piotr i Wojtek Cugowscy, Ewelina Flinta, Artur Gadowski, Patrycja Gola, Anna Maria Jopek, Halina Jawar, Kayah, Paweł Kukiz, Grzegorz Markowski, Maryla Rodowicz, Irene Santor, Grz\Polskie Przeboje 0 bytes File C:\Users\KSIĘGOWA\Music\BearShare\Felicjan Andrzejczak, Małgorzata Bendarz, Monika Brodka, Krzysztof Cugowski, Piotr i Wojtek Cugowscy, Ewelina Flinta, Artur Gadowski, Patrycja Gola, Anna Maria Jopek, Halina Jawar, Kayah, Paweł Kukiz, Grzegorz Markowski, Maryla Rodowicz, Irene Santor, Grz\Polskie Przeboje\01 Pokonamy fale.wma 5083132 bytes File C:\Users\KSIĘGOWA\Music\BearShare\Felicjan Andrzejczak,Małgorzata Bendarz,Monika Brodka,Krzysztof Cugowski,Piotr i Wojtek Cugowscy,Ewelina Flinta,Artur Gadowski,Patrycja Gola,Anna Maria Jopek,Halina Jawar,Kayah,Paweł Kukiz,Grzegorz Markowski,Maryla Rodowicz,Irene Santor,Grzegorz Skawiński\Unknown Album 0 bytes File C:\Users\KSIĘGOWA\Music\BearShare\Felicjan Andrzejczak,Małgorzata Bendarz,Monika Brodka,Krzysztof Cugowski,Piotr i Wojtek Cugowscy,Ewelina Flinta,Artur Gadowski,Patrycja Gola,Anna Maria Jopek,Halina Jawar,Kayah,Paweł Kukiz,Grzegorz Markowski,Maryla Rodowicz,Irene Santor,Grzegorz Skawiński\Unknown Album\01 Pokonamy fale.wma 5083132 bytes File C:\## aswSnx private storage 0 bytes File C:\## aswSnx private storage\r112 0 bytes File C:\## aswSnx private storage\snx_rhive 262144 bytes File C:\## aswSnx private storage\snx_rhive.LOG1 13312 bytes File C:\## aswSnx private storage\snx_rhive.LOG2 0 bytes File C:\## aswSnx private storage\snx_rhive{8bec4fb8-5c78-11e1-9ac7-000000000004}.TM.blf 65536 bytes File C:\## aswSnx private storage\snx_rhive{8bec4fb8-5c78-11e1-9ac7-000000000004}.TMContainer00000000000000000001.regtrans-ms 524288 bytes File C:\## aswSnx private storage\snx_rhive{8bec4fb8-5c78-11e1-9ac7-000000000004}.TMContainer00000000000000000002.regtrans-ms 524288 bytes File C:\## aswSnx private storage\webStorage 0 bytes File C:\## aswSnx private storage\webStorage\attrib 0 bytes File C:\## aswSnx private storage\webStorage\image 0 bytes File C:\## aswSnx private storage\webStorage\snx_fs.dat 180 bytes ---- EOF - GMER 1.0.15 ----