GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-02-24 14:53:42 Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e SAMSUNG_HD501LJ rev.CR100-12 Running: gmer.exe; Driver: C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\pxtdqpow.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xABF8CFC4] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xAC019510] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xABFB06A9] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xABF8F456] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xABF8F4AE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xABF8F5C4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xABFB005D] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xABF8F3AC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xABF8F4FE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xABF8F400] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xABF8F572] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xABF8CFE8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xABFB0D6F] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! 
Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xABFB1025] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xABF8F848] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xABFB0BDA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xABFB0A45] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xAC0195C0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xABF8CDB2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xABF8D00C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xABF8F9BC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xABF8DAA4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xABF8F486] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xABF8F4D6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xABF8F5EE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xABFB03B9] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xABF8F3D8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xABF8F680] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xABF8F53E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! 
Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xABF8F42E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xABF8F764] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xABF8F59C] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xAC019658] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xABFB08C0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xABF8D96A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xABFB0712] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xAC0219E6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xABFAF6D0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xABF8D030] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xABF8D054] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xABF8CE0C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xABF8CF48] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xABFB0E76] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xABF8CF24] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xABF8CF6C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! 
Virtualization Driver/AVAST Software) ZwVdmControl [0xABF8D078] INT 0x62 ? 89D5CBF8 INT 0x73 ? 89D5CBF8 INT 0x73 ? 89D5CBF8 INT 0x73 ? 89BE6BF8 INT 0x73 ? 89D5CBF8 INT 0xB4 ? 89BE6BF8 Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAC02D7A2] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2C80 80503A54 4 Bytes [E8, CF, F8, AB] PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A4F7C 4 Bytes CALL ABF8E00F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BAF96 5 Bytes JMP AC02A69C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObInsertObject 805C18CC 5 Bytes JMP AC02C15C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CFA2A 7 Bytes JMP AC02D7A6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ? spdr.sys Nie można odnaleźć określonego pliku. ! .text USBPORT.SYS!DllUnload B90A162C 5 Bytes JMP 89BE61D8 .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB88D2000, 0x2A1A98, 0xE8000020] .text ay7w5yxu.SYS B8884386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...] .text ay7w5yxu.SYS B88843AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...] .text ay7w5yxu.SYS B88843C4 3 Bytes [00, 80, 02] .text ay7w5yxu.SYS B88843C9 1 Byte [30] .text ay7w5yxu.SYS B88843C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL} .text ... 
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 320C BF81E8D5 5 Bytes JMP ABF8FAD6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngPaint + 4EF BF8314C2 4 Bytes JMP ABF8FB9A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngUnmapFontFileFD + E062 BF84CC93 4 Bytes JMP ABF8FC0A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGetCurrentCodePage + 413A BF88D228 4 Bytes JMP ABF8FF76 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngStretchBltROP + 402E BF8B468F 4 Bytes JMP ABF8FDE6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngStretchBltROP + 40B9 BF8B471A 5 Bytes JMP ABF8FFBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngStretchBltROP + 9AB1 BF8BA112 4 Bytes JMP ABF8FABE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngAlphaBlend + 3E8 BF8C3205 5 Bytes JMP ABF8FCA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_vGetBounds + 503B BF8EDCD3 4 Bytes JMP ABF8FD14 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_vGetBounds + 52BB BF8EDF53 5 Bytes JMP ABF8FD4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_vGetBounds + 74EC BF8F0184 4 Bytes JMP ABF8F9F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 19C1 BF9126DA 5 Bytes JMP ABF8FB56 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! 
Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 2595 BF9132AE 4 Bytes JMP ABF8FC6E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 4EF4 BF915C0D 5 Bytes JMP ABF900D6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\svchost.exe[188] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\svchost.exe[188] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[188] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\svchost.exe[188] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\svchost.exe[188] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\svchost.exe[188] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\svchost.exe[188] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\svchost.exe[188] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\svchost.exe[188] USER32.dll!SetWinEventHook 
7E3817B7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\svchost.exe[188] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\logonui.exe[408] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000A01F8 .text C:\WINDOWS\system32\logonui.exe[408] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\logonui.exe[408] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000A03FC .text C:\WINDOWS\system32\logonui.exe[408] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\logonui.exe[408] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00311014 .text C:\WINDOWS\system32\logonui.exe[408] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\logonui.exe[408] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\logonui.exe[408] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00310C0C .text C:\WINDOWS\system32\logonui.exe[408] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00310E10 .text C:\WINDOWS\system32\logonui.exe[408] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\logonui.exe[408] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\logonui.exe[408] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\logonui.exe[408] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00320A08 .text C:\WINDOWS\system32\logonui.exe[408] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00320804 .text C:\WINDOWS\system32\logonui.exe[408] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00320600 .text C:\WINDOWS\system32\logonui.exe[408] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003201F8 .text C:\WINDOWS\system32\logonui.exe[408] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003203FC .text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[428] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 001501F8 .text C:\Program 
Files\LogMeIn Hamachi\hamachi-2.exe[428] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[428] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 001503FC .text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[428] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[428] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 003E1014 .text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[428] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 003E0804 .text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[428] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 003E0A08 .text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[428] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 003E0C0C .text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[428] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 003E0E10 .text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[428] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003E01F8 .text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[428] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003E03FC .text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[428] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 003E0600 .text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[428] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 003F0A08 .text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[428] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 003F0804 .text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[428] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 003F0600 .text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[428] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003F01F8 .text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[428] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003F03FC .text C:\WINDOWS\System32\smss.exe[568] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\Program 
Files\Java\jre6\bin\jqs.exe[596] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 001501F8 .text C:\Program Files\Java\jre6\bin\jqs.exe[596] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\Program Files\Java\jre6\bin\jqs.exe[596] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 001503FC .text C:\Program Files\Java\jre6\bin\jqs.exe[596] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\Java\jre6\bin\jqs.exe[596] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 003E1014 .text C:\Program Files\Java\jre6\bin\jqs.exe[596] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 003E0804 .text C:\Program Files\Java\jre6\bin\jqs.exe[596] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 003E0A08 .text C:\Program Files\Java\jre6\bin\jqs.exe[596] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 003E0C0C .text C:\Program Files\Java\jre6\bin\jqs.exe[596] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 003E0E10 .text C:\Program Files\Java\jre6\bin\jqs.exe[596] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003E01F8 .text C:\Program Files\Java\jre6\bin\jqs.exe[596] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003E03FC .text C:\Program Files\Java\jre6\bin\jqs.exe[596] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 003E0600 .text C:\Program Files\Java\jre6\bin\jqs.exe[596] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 003F0A08 .text C:\Program Files\Java\jre6\bin\jqs.exe[596] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 003F0804 .text C:\Program Files\Java\jre6\bin\jqs.exe[596] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 003F0600 .text C:\Program Files\Java\jre6\bin\jqs.exe[596] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003F01F8 .text C:\Program Files\Java\jre6\bin\jqs.exe[596] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003F03FC .text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[624] 
KERNEL32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[668] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000701F8 .text C:\WINDOWS\system32\winlogon.exe[668] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[668] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000703FC .text C:\WINDOWS\system32\winlogon.exe[668] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[668] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\winlogon.exe[668] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\winlogon.exe[668] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\winlogon.exe[668] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\winlogon.exe[668] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\winlogon.exe[668] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\winlogon.exe[668] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\winlogon.exe[668] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\winlogon.exe[668] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\winlogon.exe[668] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\winlogon.exe[668] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\winlogon.exe[668] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\winlogon.exe[668] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\services.exe[712] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\services.exe[712] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte 
[62] .text C:\WINDOWS\system32\services.exe[712] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\services.exe[712] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\services.exe[712] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\services.exe[712] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\services.exe[712] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\services.exe[712] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\services.exe[712] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\services.exe[712] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\lsass.exe[724] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\lsass.exe[724] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[724] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\lsass.exe[724] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[724] 
ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\lsass.exe[724] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\lsass.exe[724] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\lsass.exe[724] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\lsass.exe[724] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\lsass.exe[724] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\lsass.exe[724] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\svchost.exe[876] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\svchost.exe[876] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[876] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00300A08 .text 
C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\svchost.exe[876] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\svchost.exe[876] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\svchost.exe[876] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\svchost.exe[876] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\svchost.exe[876] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\svchost.exe[876] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\Ati2evxx.exe[884] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 001501F8 .text C:\WINDOWS\system32\Ati2evxx.exe[884] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[884] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 001503FC .text C:\WINDOWS\system32\Ati2evxx.exe[884] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[884] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 003E0A08 .text C:\WINDOWS\system32\Ati2evxx.exe[884] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 003E0804 .text C:\WINDOWS\system32\Ati2evxx.exe[884] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 003E0600 .text C:\WINDOWS\system32\Ati2evxx.exe[884] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003E01F8 .text C:\WINDOWS\system32\Ati2evxx.exe[884] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003E03FC .text C:\WINDOWS\system32\Ati2evxx.exe[884] 
ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 003F1014 .text C:\WINDOWS\system32\Ati2evxx.exe[884] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 003F0804 .text C:\WINDOWS\system32\Ati2evxx.exe[884] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 003F0A08 .text C:\WINDOWS\system32\Ati2evxx.exe[884] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 003F0C0C .text C:\WINDOWS\system32\Ati2evxx.exe[884] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 003F0E10 .text C:\WINDOWS\system32\Ati2evxx.exe[884] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003F01F8 .text C:\WINDOWS\system32\Ati2evxx.exe[884] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003F03FC .text C:\WINDOWS\system32\Ati2evxx.exe[884] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 003F0600 .text C:\WINDOWS\system32\svchost.exe[904] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\svchost.exe[904] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[904] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\svchost.exe[904] 
ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\svchost.exe[952] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\svchost.exe[952] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00310804 
.text C:\WINDOWS\system32\svchost.exe[952] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\svchost.exe[952] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\svchost.exe[952] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\Ati2evxx.exe[1040] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 001501F8 .text C:\WINDOWS\system32\Ati2evxx.exe[1040] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1040] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 001503FC .text C:\WINDOWS\system32\Ati2evxx.exe[1040] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1040] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 003E0A08 .text C:\WINDOWS\system32\Ati2evxx.exe[1040] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 003E0804 .text C:\WINDOWS\system32\Ati2evxx.exe[1040] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 003E0600 .text C:\WINDOWS\system32\Ati2evxx.exe[1040] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003E01F8 .text C:\WINDOWS\system32\Ati2evxx.exe[1040] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003E03FC .text C:\WINDOWS\system32\Ati2evxx.exe[1040] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 003F1014 .text C:\WINDOWS\system32\Ati2evxx.exe[1040] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 003F0804 .text C:\WINDOWS\system32\Ati2evxx.exe[1040] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 003F0A08 .text C:\WINDOWS\system32\Ati2evxx.exe[1040] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 003F0C0C .text C:\WINDOWS\system32\Ati2evxx.exe[1040] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 003F0E10 .text C:\WINDOWS\system32\Ati2evxx.exe[1040] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003F01F8 .text C:\WINDOWS\system32\Ati2evxx.exe[1040] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003F03FC .text 
C:\WINDOWS\system32\Ati2evxx.exe[1040] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 003F0600 .text C:\WINDOWS\System32\svchost.exe[1056] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8 .text C:\WINDOWS\System32\svchost.exe[1056] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1056] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC .text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00301014 .text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00300804 .text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00300A08 .text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00300C0C .text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00300E10 .text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003001F8 .text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003003FC .text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00300600 .text C:\WINDOWS\System32\svchost.exe[1056] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00310A08 .text C:\WINDOWS\System32\svchost.exe[1056] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00310804 .text C:\WINDOWS\System32\svchost.exe[1056] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00310600 .text C:\WINDOWS\System32\svchost.exe[1056] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003101F8 .text C:\WINDOWS\System32\svchost.exe[1056] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\svchost.exe[1140] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\svchost.exe[1140] 
ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1140] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\svchost.exe[1140] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\svchost.exe[1140] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\svchost.exe[1140] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\svchost.exe[1140] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\svchost.exe[1140] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\wdfmgr.exe[1188] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000801F8 .text C:\WINDOWS\system32\wdfmgr.exe[1188] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\wdfmgr.exe[1188] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000803FC .text C:\WINDOWS\system32\wdfmgr.exe[1188] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] 
.text C:\WINDOWS\system32\wdfmgr.exe[1188] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00311014 .text C:\WINDOWS\system32\wdfmgr.exe[1188] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\wdfmgr.exe[1188] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\wdfmgr.exe[1188] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00310C0C .text C:\WINDOWS\system32\wdfmgr.exe[1188] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00310E10 .text C:\WINDOWS\system32\wdfmgr.exe[1188] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\wdfmgr.exe[1188] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\wdfmgr.exe[1188] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\wdfmgr.exe[1188] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00320A08 .text C:\WINDOWS\system32\wdfmgr.exe[1188] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00320804 .text C:\WINDOWS\system32\wdfmgr.exe[1188] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00320600 .text C:\WINDOWS\system32\wdfmgr.exe[1188] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003201F8 .text C:\WINDOWS\system32\wdfmgr.exe[1188] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003203FC .text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00300804 .text 
C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003103FC .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1372] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1372] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1372] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1428] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 001501F8 .text C:\WINDOWS\system32\Ati2evxx.exe[1428] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1428] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 001503FC .text C:\WINDOWS\system32\Ati2evxx.exe[1428] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1428] USER32.dll!UnhookWindowsHookEx 
7E36F21E 5 Bytes JMP 003E0A08 .text C:\WINDOWS\system32\Ati2evxx.exe[1428] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 003E0804 .text C:\WINDOWS\system32\Ati2evxx.exe[1428] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 003E0600 .text C:\WINDOWS\system32\Ati2evxx.exe[1428] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003E01F8 .text C:\WINDOWS\system32\Ati2evxx.exe[1428] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003E03FC .text C:\WINDOWS\system32\Ati2evxx.exe[1428] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 003F1014 .text C:\WINDOWS\system32\Ati2evxx.exe[1428] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 003F0804 .text C:\WINDOWS\system32\Ati2evxx.exe[1428] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 003F0A08 .text C:\WINDOWS\system32\Ati2evxx.exe[1428] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 003F0C0C .text C:\WINDOWS\system32\Ati2evxx.exe[1428] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 003F0E10 .text C:\WINDOWS\system32\Ati2evxx.exe[1428] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003F01F8 .text C:\WINDOWS\system32\Ati2evxx.exe[1428] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003F03FC .text C:\WINDOWS\system32\Ati2evxx.exe[1428] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 003F0600 .text C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\Rar$EX00.813\gmer.exe[1780] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 001501F8 .text C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\Rar$EX00.813\gmer.exe[1780] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\Rar$EX00.813\gmer.exe[1780] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 001503FC .text C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\Rar$EX00.813\gmer.exe[1780] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\Rar$EX00.813\gmer.exe[1780] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 009C1014 .text C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\Rar$EX00.813\gmer.exe[1780] 
ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 009C0804 .text C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\Rar$EX00.813\gmer.exe[1780] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 009C0A08 .text C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\Rar$EX00.813\gmer.exe[1780] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 009C0C0C .text C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\Rar$EX00.813\gmer.exe[1780] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 009C0E10 .text C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\Rar$EX00.813\gmer.exe[1780] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 009C01F8 .text C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\Rar$EX00.813\gmer.exe[1780] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 009C03FC .text C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\Rar$EX00.813\gmer.exe[1780] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 009C0600 .text C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\Rar$EX00.813\gmer.exe[1780] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 009D0A08 .text C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\Rar$EX00.813\gmer.exe[1780] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 009D0804 .text C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\Rar$EX00.813\gmer.exe[1780] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 009D0600 .text C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\Rar$EX00.813\gmer.exe[1780] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 009D01F8 .text C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\Rar$EX00.813\gmer.exe[1780] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 009D03FC .text C:\WINDOWS\system32\spoolsv.exe[2012] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\spoolsv.exe[2012] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[2012] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\spoolsv.exe[2012] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[2012] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00301014 .text 
C:\WINDOWS\system32\spoolsv.exe[2012] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\spoolsv.exe[2012] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\spoolsv.exe[2012] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\spoolsv.exe[2012] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\spoolsv.exe[2012] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\spoolsv.exe[2012] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\spoolsv.exe[2012] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\spoolsv.exe[2012] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\spoolsv.exe[2012] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\spoolsv.exe[2012] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\spoolsv.exe[2012] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\spoolsv.exe[2012] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003103FC .text C:\Program Files\WinRAR\WinRAR.exe[2184] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 001501F8 .text C:\Program Files\WinRAR\WinRAR.exe[2184] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\Program Files\WinRAR\WinRAR.exe[2184] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 001503FC .text C:\Program Files\WinRAR\WinRAR.exe[2184] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\WinRAR\WinRAR.exe[2184] ADVAPI32.DLL!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 003E1014 .text C:\Program Files\WinRAR\WinRAR.exe[2184] ADVAPI32.DLL!ChangeServiceConfigA 77E26D11 5 Bytes JMP 003E0804 .text C:\Program Files\WinRAR\WinRAR.exe[2184] ADVAPI32.DLL!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 003E0A08 .text 
C:\Program Files\WinRAR\WinRAR.exe[2184] ADVAPI32.DLL!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 003E0C0C .text C:\Program Files\WinRAR\WinRAR.exe[2184] ADVAPI32.DLL!ChangeServiceConfig2W 77E27031 5 Bytes JMP 003E0E10 .text C:\Program Files\WinRAR\WinRAR.exe[2184] ADVAPI32.DLL!CreateServiceA 77E270B9 5 Bytes JMP 003E01F8 .text C:\Program Files\WinRAR\WinRAR.exe[2184] ADVAPI32.DLL!CreateServiceW 77E27251 5 Bytes JMP 003E03FC .text C:\Program Files\WinRAR\WinRAR.exe[2184] ADVAPI32.DLL!DeleteService 77E27359 5 Bytes JMP 003E0600 .text C:\Program Files\WinRAR\WinRAR.exe[2184] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 003F0A08 .text C:\Program Files\WinRAR\WinRAR.exe[2184] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 003F0804 .text C:\Program Files\WinRAR\WinRAR.exe[2184] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 003F0600 .text C:\Program Files\WinRAR\WinRAR.exe[2184] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003F01F8 .text C:\Program Files\WinRAR\WinRAR.exe[2184] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003F03FC .text C:\WINDOWS\System32\alg.exe[2256] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8 .text C:\WINDOWS\System32\alg.exe[2256] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2256] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC .text C:\WINDOWS\System32\alg.exe[2256] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2256] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00300A08 .text C:\WINDOWS\System32\alg.exe[2256] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00300804 .text C:\WINDOWS\System32\alg.exe[2256] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00300600 .text C:\WINDOWS\System32\alg.exe[2256] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003001F8 .text C:\WINDOWS\System32\alg.exe[2256] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003003FC .text C:\WINDOWS\System32\alg.exe[2256] 
ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00311014 .text C:\WINDOWS\System32\alg.exe[2256] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00310804 .text C:\WINDOWS\System32\alg.exe[2256] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00310A08 .text C:\WINDOWS\System32\alg.exe[2256] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00310C0C .text C:\WINDOWS\System32\alg.exe[2256] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00310E10 .text C:\WINDOWS\System32\alg.exe[2256] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003101F8 .text C:\WINDOWS\System32\alg.exe[2256] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003103FC .text C:\WINDOWS\System32\alg.exe[2256] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00310600 .text C:\WINDOWS\Explorer.EXE[2924] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8 .text C:\WINDOWS\Explorer.EXE[2924] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[2924] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC .text C:\WINDOWS\Explorer.EXE[2924] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[2924] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00311014 .text C:\WINDOWS\Explorer.EXE[2924] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00310804 .text C:\WINDOWS\Explorer.EXE[2924] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00310A08 .text C:\WINDOWS\Explorer.EXE[2924] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00310C0C .text C:\WINDOWS\Explorer.EXE[2924] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00310E10 .text C:\WINDOWS\Explorer.EXE[2924] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003101F8 .text C:\WINDOWS\Explorer.EXE[2924] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003103FC .text C:\WINDOWS\Explorer.EXE[2924] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00310600 .text C:\WINDOWS\Explorer.EXE[2924] USER32.dll!UnhookWindowsHookEx 7E36F21E 
5 Bytes JMP 00320A08 .text C:\WINDOWS\Explorer.EXE[2924] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00320804 .text C:\WINDOWS\Explorer.EXE[2924] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00320600 .text C:\WINDOWS\Explorer.EXE[2924] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003201F8 .text C:\WINDOWS\Explorer.EXE[2924] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003203FC .text C:\Program Files\AVAST Software\Avast\avastUI.exe[3132] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\avastUI.exe[3132] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\logon.scr[3240] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000801F8 .text C:\WINDOWS\system32\logon.scr[3240] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\logon.scr[3240] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000803FC .text C:\WINDOWS\system32\logon.scr[3240] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\logon.scr[3240] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\logon.scr[3240] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\logon.scr[3240] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\logon.scr[3240] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\logon.scr[3240] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\logon.scr[3240] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00321014 .text C:\WINDOWS\system32\logon.scr[3240] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00320804 .text C:\WINDOWS\system32\logon.scr[3240] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00320A08 .text C:\WINDOWS\system32\logon.scr[3240] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00320C0C .text C:\WINDOWS\system32\logon.scr[3240] 
ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00320E10 .text C:\WINDOWS\system32\logon.scr[3240] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003201F8 .text C:\WINDOWS\system32\logon.scr[3240] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003203FC .text C:\WINDOWS\system32\logon.scr[3240] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00320600 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3480] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3480] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3480] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3480] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3480] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3480] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3480] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3480] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3480] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3480] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3480] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3480] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3480] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3480] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3480] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 
00310600 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3480] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3480] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003103FC .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[3624] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 001501F8 .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[3624] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[3624] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 001503FC .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[3624] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[3624] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 003E0A08 .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[3624] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 003E0804 .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[3624] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 003E0600 .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[3624] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003E01F8 .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[3624] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003E03FC .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[3624] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 003F1014 .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[3624] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 003F0804 .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[3624] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 003F0A08 .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[3624] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 003F0C0C .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[3624] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 003F0E10 .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[3624] 
ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003F01F8 .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[3624] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003F03FC .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[3624] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 003F0600 .text C:\WINDOWS\system32\ctfmon.exe[3652] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000A01F8 .text C:\WINDOWS\system32\ctfmon.exe[3652] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[3652] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000A03FC .text C:\WINDOWS\system32\ctfmon.exe[3652] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[3652] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00381014 .text C:\WINDOWS\system32\ctfmon.exe[3652] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00380804 .text C:\WINDOWS\system32\ctfmon.exe[3652] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00380A08 .text C:\WINDOWS\system32\ctfmon.exe[3652] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00380C0C .text C:\WINDOWS\system32\ctfmon.exe[3652] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00380E10 .text C:\WINDOWS\system32\ctfmon.exe[3652] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003801F8 .text C:\WINDOWS\system32\ctfmon.exe[3652] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003803FC .text C:\WINDOWS\system32\ctfmon.exe[3652] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00380600 .text C:\WINDOWS\system32\ctfmon.exe[3652] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00390A08 .text C:\WINDOWS\system32\ctfmon.exe[3652] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00390804 .text C:\WINDOWS\system32\ctfmon.exe[3652] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00390600 .text C:\WINDOWS\system32\ctfmon.exe[3652] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003901F8 .text C:\WINDOWS\system32\ctfmon.exe[3652] 
USER32.dll!UnhookWinEvent 7E38186C 3 Bytes JMP 003903FC .text C:\WINDOWS\system32\ctfmon.exe[3652] USER32.dll!UnhookWinEvent + 4 7E381870 1 Byte [82] .text C:\WINDOWS\system32\csrss.exe[3768] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[3768] KERNEL32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[3848] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000701F8 .text C:\WINDOWS\system32\winlogon.exe[3848] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[3848] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000703FC .text C:\WINDOWS\system32\winlogon.exe[3848] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[3848] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\winlogon.exe[3848] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\winlogon.exe[3848] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\winlogon.exe[3848] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\winlogon.exe[3848] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\winlogon.exe[3848] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\winlogon.exe[3848] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\winlogon.exe[3848] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\winlogon.exe[3848] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\winlogon.exe[3848] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\winlogon.exe[3848] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\winlogon.exe[3848] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes 
JMP 003101F8 .text C:\WINDOWS\system32\winlogon.exe[3848] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\rdpclip.exe[3996] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\rdpclip.exe[3996] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\rdpclip.exe[3996] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\rdpclip.exe[3996] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\rdpclip.exe[3996] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\rdpclip.exe[3996] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\rdpclip.exe[3996] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\rdpclip.exe[3996] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\rdpclip.exe[3996] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\rdpclip.exe[3996] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\rdpclip.exe[3996] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\rdpclip.exe[3996] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\rdpclip.exe[3996] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\rdpclip.exe[3996] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\rdpclip.exe[3996] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\rdpclip.exe[3996] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\rdpclip.exe[3996] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 003103FC

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6042] spdr.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EB613E] spdr.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EB60C0] spdr.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EB6800] spdr.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EB66D6] spdr.sys
IAT \SystemRoot\System32\Drivers\ay7w5yxu.SYS[HAL.dll!KfAcquireSpinLock] 0C8D1C46
IAT \SystemRoot\System32\Drivers\ay7w5yxu.SYS[HAL.dll!READ_PORT_UCHAR] B48B8932
IAT \SystemRoot\System32\Drivers\ay7w5yxu.SYS[HAL.dll!KeGetCurrentIrql] 89000001
IAT \SystemRoot\System32\Drivers\ay7w5yxu.SYS[HAL.dll!KfRaiseIrql] 0001C083
IAT \SystemRoot\System32\Drivers\ay7w5yxu.SYS[HAL.dll!KfLowerIrql] 24468B00
IAT \SystemRoot\System32\Drivers\ay7w5yxu.SYS[HAL.dll!HalGetInterruptVector] 89820C8D
IAT \SystemRoot\System32\Drivers\ay7w5yxu.SYS[HAL.dll!HalTranslateBusAddress] D18BF84D
IAT \SystemRoot\System32\Drivers\ay7w5yxu.SYS[HAL.dll!KeStallExecutionProcessor] 860F1639
IAT \SystemRoot\System32\Drivers\ay7w5yxu.SYS[HAL.dll!KfReleaseSpinLock] 000000BD
IAT \SystemRoot\System32\Drivers\ay7w5yxu.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 020CB389
IAT \SystemRoot\System32\Drivers\ay7w5yxu.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\ay7w5yxu.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 7400067E
IAT \SystemRoot\System32\Drivers\ay7w5yxu.SYS[HAL.dll!WRITE_PORT_UCHAR] 89D60320
IAT \SystemRoot\System32\Drivers\ay7w5yxu.SYS[WMILIB.SYS!WmiSystemControl] 8D168B00
IAT \SystemRoot\System32\Drivers\ay7w5yxu.SYS[WMILIB.SYS!WmiCompleteRequest] F0003284

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[712] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00630002
IAT C:\WINDOWS\system32\services.exe[712] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00630000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\Ntfs \Ntfs 89D5B1F8
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device \Driver\usbohci \Device\USBPDO-0 89BCF1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89DCE1F8
Device \Driver\dmio \Device\DmControl\DmConfig 89DCE1F8
Device \Driver\dmio \Device\DmControl\DmPnP 89DCE1F8
Device \Driver\dmio \Device\DmControl\DmInfo 89DCE1F8
Device \Driver\usbehci \Device\USBPDO-1 89BCE1F8
Device \Driver\PCI_PNP8112 \Device\00000048 spdr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device \Driver\NetBT \Device\NetBT_Tcpip_{D14D2A9C-CEA2-4127-A2A1-50F5A495E383} 8883A1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89D5D1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89D5D1F8
Device \Driver\Cdrom \Device\CdRom0 89BED1F8
Device \Driver\atapi \Device\Ide\IdePort0 89D5C1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89D5C1F8
Device \Driver\atapi \Device\Ide\IdePort1 89D5C1F8
Device \Driver\atapi \Device\Ide\IdePort2 89D5C1F8
Device \Driver\atapi \Device\Ide\IdePort3 89D5C1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e 89D5C1F8
Device \Driver\Cdrom \Device\CdRom1 89BED1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8883A1F8
Device \Driver\NetBT \Device\NetbiosSmb 8883A1F8
Device \Driver\sptd \Device\2781276862 spdr.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device \Driver\usbohci \Device\USBFDO-0 89BCF1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{5F2581C3-C2BA-4A3E-8DB5-36C870CCD683} 8883A1F8
Device \Driver\usbehci \Device\USBFDO-1 89BCE1F8
Device \Driver\Ftdisk \Device\FtControl 89D5D1F8
Device \Driver\ay7w5yxu \Device\Scsi\ay7w5yxu1 8994A500
Device \Driver\ay7w5yxu \Device\Scsi\ay7w5yxu1Port4Path0Target0Lun0 8994A500
Device \FileSystem\Cdfs \Cdfs 898B5500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF2 0xCA 0x07 0x50 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0B 0x17 0x99 0x34 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7C 0xB0 0x08 0xA2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xD1 0x3E 0x2F 0x6C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x92 0x2E 0xCC 0x72 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0x87 0x68 0x5F 0x8A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF2 0xCA 0x07 0x50 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0B 0x17 0x99 0x34 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7C 0xB0 0x08 0xA2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xD1 0x3E 0x2F 0x6C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x92 0x2E 0xCC 0x72 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0x87 0x68 0x5F 0x8A ...

---- Files - GMER 1.0.15 ----

File C:\## aswSnx private storage 0 bytes
File C:\## aswSnx private storage\r4 0 bytes
File C:\## aswSnx private storage\snx_rhive 262144 bytes
File C:\## aswSnx private storage\snx_rhive.LOG 1024 bytes

---- EOF - GMER 1.0.15 ----