GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-12-17 23:58:54 Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST912082 rev.3.AL Running: 5u6cdqdn.exe; Driver: C:\Users\Ryszard\AppData\Local\Temp\kwriqfow.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8D8244BA] SSDT \??\C:\Users\Ryszard\AppData\Local\Temp\3C6DAA2A11.sys ZwAllocateVirtualMemory [0xACF5F544] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8D824ED6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8D82FFA8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8D82FFF4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8D830176] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8D82FF16] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8D1A2FA6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8D82FF5E] SSDT \??\C:\Users\Ryszard\AppData\Local\Temp\3C6DAA2A11.sys ZwCreateThread [0xACF61CD0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8D830130] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x8D82593E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8D824508] SSDT \??\C:\Users\Ryszard\AppData\Local\Temp\3C6DAA2A11.sys ZwFreeVirtualMemory [0xACF5F8C2] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! 
self protection module/AVAST Software) ZwLoadDriver [0x8D1A13EC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8D824556] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8D829534] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8D8263A6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8D82FFD2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8D830016] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8D83019A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8D82FF3C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8D8300BA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8D82FF86] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8D830154] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8D1A2E4A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8D826272] SSDT \??\C:\Users\Ryszard\AppData\Local\Temp\3C6DAA2A11.sys ZwQueueApcThread [0xACF61E62] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8D8245A4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8D8245F2] SSDT \??\C:\Users\Ryszard\AppData\Local\Temp\3C6DAA2A11.sys ZwSetContextThread [0xACF61F02] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! 
Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8D8241FA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8D8243AA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8D824350] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x8D825AF8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x8D825C54] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8D82441A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x8D1A2EFE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x8D825636] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0x8D1A141C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8D824640] SSDT \??\C:\Users\Ryszard\AppData\Local\Temp\3C6DAA2A11.sys ZwWriteVirtualMemory [0xACF5FA06] SSDT \??\C:\Users\Ryszard\AppData\Local\Temp\3C6DAA2A11.sys ZwCreateThreadEx [0xACF61E0C] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8D1BBE56] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! 
self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!KeSetTimerEx + 340 824C6964 4 Bytes [BA, 44, 82, 8D] .text ntkrnlpa.exe!KeSetTimerEx + 364 824C6988 4 Bytes [44, F5, F5, AC] {INC ESP; CMC ; CMC ; LODSB } .text ntkrnlpa.exe!KeSetTimerEx + 3C4 824C69E8 4 Bytes [D6, 4E, 82, 8D] .text ntkrnlpa.exe!KeSetTimerEx + 404 824C6A28 8 Bytes [A8, FF, 82, 8D, F4, FF, 82, ...] .text ntkrnlpa.exe!KeSetTimerEx + 410 824C6A34 4 Bytes [76, 01, 83, 8D] .text ... PAGE ntkrnlpa.exe!ObMakeTemporaryObject 825EDD5E 5 Bytes JMP 8D1B8CF6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 8262A666 4 Bytes CALL 8D826A8D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 82639FC9 4 Bytes CALL 8D826AA3 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ObInsertObject 82656872 5 Bytes JMP 8D1BA810 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 826A2776 7 Bytes JMP 8D1BBE5A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ? C:\Users\Ryszard\AppData\Local\Temp\3C6DAA2A11.sys Nie można odnaleźć określonego pliku. ! ? C:\Users\Ryszard\AppData\Local\Temp\3D963A32E8.sys Nie można odnaleźć określonego pliku. ! 
---- User code sections - GMER 1.0.15 ---- .text C:\Windows\system32\igfxsrvc.exe[312] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[540] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\csrss.exe[576] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\wininit.exe[632] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\csrss.exe[644] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text ... .text C:\Windows\system32\wbem\wmiprvse.exe[848] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000601F8 .text C:\Windows\system32\wbem\wmiprvse.exe[848] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000603FC .text C:\Windows\system32\wbem\wmiprvse.exe[848] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[848] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000703FC .text C:\Windows\system32\wbem\wmiprvse.exe[848] ADVAPI32.dll!DeleteService 76DE3BEE 3 Bytes JMP 00070600 .text C:\Windows\system32\wbem\wmiprvse.exe[848] ADVAPI32.dll!DeleteService + 4 76DE3BF2 1 Byte [89] .text C:\Windows\system32\wbem\wmiprvse.exe[848] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00071014 .text C:\Windows\system32\wbem\wmiprvse.exe[848] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00070804 .text C:\Windows\system32\wbem\wmiprvse.exe[848] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00070A08 .text C:\Windows\system32\wbem\wmiprvse.exe[848] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00070C0C .text C:\Windows\system32\wbem\wmiprvse.exe[848] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00070E10 .text C:\Windows\system32\wbem\wmiprvse.exe[848] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000701F8 .text C:\Windows\system32\wbem\wmiprvse.exe[848] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00080804 .text C:\Windows\system32\wbem\wmiprvse.exe[848] 
USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 000801F8 .text C:\Windows\system32\wbem\wmiprvse.exe[848] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 000803FC .text C:\Windows\system32\wbem\wmiprvse.exe[848] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00080600 .text C:\Windows\system32\wbem\wmiprvse.exe[848] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00080A08 .text C:\Users\Ryszard\Desktop\5u6cdqdn.exe[868] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 001601F8 .text C:\Users\Ryszard\Desktop\5u6cdqdn.exe[868] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 001603FC .text C:\Users\Ryszard\Desktop\5u6cdqdn.exe[868] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Users\Ryszard\Desktop\5u6cdqdn.exe[868] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 001703FC .text C:\Users\Ryszard\Desktop\5u6cdqdn.exe[868] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00170600 .text C:\Users\Ryszard\Desktop\5u6cdqdn.exe[868] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00171014 .text C:\Users\Ryszard\Desktop\5u6cdqdn.exe[868] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00170804 .text C:\Users\Ryszard\Desktop\5u6cdqdn.exe[868] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00170A08 .text C:\Users\Ryszard\Desktop\5u6cdqdn.exe[868] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00170C0C .text C:\Users\Ryszard\Desktop\5u6cdqdn.exe[868] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00170E10 .text C:\Users\Ryszard\Desktop\5u6cdqdn.exe[868] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 001701F8 .text C:\Users\Ryszard\Desktop\5u6cdqdn.exe[868] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00180804 .text C:\Users\Ryszard\Desktop\5u6cdqdn.exe[868] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 001801F8 .text C:\Users\Ryszard\Desktop\5u6cdqdn.exe[868] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 001803FC .text C:\Users\Ryszard\Desktop\5u6cdqdn.exe[868] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 
00180600 .text C:\Users\Ryszard\Desktop\5u6cdqdn.exe[868] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00180A08 .text C:\Windows\system32\taskeng.exe[876] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\svchost.exe[888] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\svchost.exe[964] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\System32\svchost.exe[1004] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\igfxext.exe[1064] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 001601F8 .text C:\Windows\system32\igfxext.exe[1064] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 001603FC .text C:\Windows\system32\igfxext.exe[1064] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\igfxext.exe[1064] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00170804 .text C:\Windows\system32\igfxext.exe[1064] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 001701F8 .text C:\Windows\system32\igfxext.exe[1064] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 001703FC .text C:\Windows\system32\igfxext.exe[1064] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00170600 .text C:\Windows\system32\igfxext.exe[1064] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00170A08 .text C:\Windows\system32\igfxext.exe[1064] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 001803FC .text C:\Windows\system32\igfxext.exe[1064] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00180600 .text C:\Windows\system32\igfxext.exe[1064] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00181014 .text C:\Windows\system32\igfxext.exe[1064] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00180804 .text C:\Windows\system32\igfxext.exe[1064] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00180A08 .text C:\Windows\system32\igfxext.exe[1064] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00180C0C .text C:\Windows\system32\igfxext.exe[1064] 
ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00180E10 .text C:\Windows\system32\igfxext.exe[1064] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 001801F8 .text C:\Windows\System32\svchost.exe[1096] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\System32\svchost.exe[1124] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\svchost.exe[1172] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\AUDIODG.EXE[1248] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\svchost.exe[1276] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text ... .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1444] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 001701F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1444] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 001703FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1444] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1444] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 001803FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1444] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00180600 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1444] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00181014 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1444] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00180804 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1444] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00180A08 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1444] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00180C0C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1444] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00180E10 .text C:\Program 
Files\Common Files\Java\Java Update\jusched.exe[1444] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 001801F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1444] USER32.dll!SetWindowsHookExW 768D7B69 3 Bytes JMP 00190804 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1444] USER32.dll!SetWindowsHookExW + 4 768D7B6D 1 Byte [89] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1444] USER32.dll!SetWinEventHook 768D915C 3 Bytes JMP 001901F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1444] USER32.dll!SetWinEventHook + 4 768D9160 1 Byte [89] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1444] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 001903FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1444] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00190600 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1444] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00190A08 .text C:\Windows\system32\svchost.exe[1532] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\svchost.exe[1600] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1724] kernel32.dll!SetUnhandledExceptionFilter 7672700D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1724] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\Dwm.exe[1792] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\Explorer.EXE[1828] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Program Files\Windows Defender\MSASCui.exe[1924] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\RtHDVCpl.exe[1940] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text ... 
.text C:\Windows\system32\wuauclt.exe[2028] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000B01F8 .text C:\Windows\system32\wuauclt.exe[2028] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000B03FC .text C:\Windows\system32\wuauclt.exe[2028] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\wuauclt.exe[2028] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 000C0804 .text C:\Windows\system32\wuauclt.exe[2028] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 000C01F8 .text C:\Windows\system32\wuauclt.exe[2028] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 000C03FC .text C:\Windows\system32\wuauclt.exe[2028] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 000C0600 .text C:\Windows\system32\wuauclt.exe[2028] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 000C0A08 .text C:\Windows\system32\wuauclt.exe[2028] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000D03FC .text C:\Windows\system32\wuauclt.exe[2028] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 000D0600 .text C:\Windows\system32\wuauclt.exe[2028] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 000D1014 .text C:\Windows\system32\wuauclt.exe[2028] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 000D0804 .text C:\Windows\system32\wuauclt.exe[2028] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 000D0A08 .text C:\Windows\system32\wuauclt.exe[2028] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 000D0C0C .text C:\Windows\system32\wuauclt.exe[2028] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 000D0E10 .text C:\Windows\system32\wuauclt.exe[2028] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000D01F8 .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2036] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\taskeng.exe[2076] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2124] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text 
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe[2144] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe[2196] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text ... .text C:\Program Files\Launch Manager\LManager.exe[2596] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 001601F8 .text C:\Program Files\Launch Manager\LManager.exe[2596] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 001603FC .text C:\Program Files\Launch Manager\LManager.exe[2596] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Program Files\Launch Manager\LManager.exe[2596] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00170804 .text C:\Program Files\Launch Manager\LManager.exe[2596] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 001701F8 .text C:\Program Files\Launch Manager\LManager.exe[2596] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 001703FC .text C:\Program Files\Launch Manager\LManager.exe[2596] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00170600 .text C:\Program Files\Launch Manager\LManager.exe[2596] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00170A08 .text C:\Program Files\Launch Manager\LManager.exe[2596] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 001903FC .text C:\Program Files\Launch Manager\LManager.exe[2596] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00190600 .text C:\Program Files\Launch Manager\LManager.exe[2596] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00191014 .text C:\Program Files\Launch Manager\LManager.exe[2596] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00190804 .text C:\Program Files\Launch Manager\LManager.exe[2596] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00190A08 .text C:\Program Files\Launch Manager\LManager.exe[2596] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00190C0C .text C:\Program Files\Launch Manager\LManager.exe[2596] ADVAPI32.dll!ChangeServiceConfig2W 
76E26BB1 5 Bytes JMP 00190E10 .text C:\Program Files\Launch Manager\LManager.exe[2596] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 001901F8 .text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2616] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Users\Ryszard\AppData\Local\Temp\RtkBtMnt.exe[2672] kernel32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3016] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000501F8 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3016] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000503FC .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3016] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3016] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000603FC .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3016] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00060600 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3016] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00061014 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3016] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00060804 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3016] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00060A08 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3016] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00060C0C .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3016] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00060E10 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3016] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000601F8 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3016] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 
00070804 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3016] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 000701F8 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3016] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 000703FC .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3016] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00070600 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3016] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00070A08 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3192] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000A01F8 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3192] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000A03FC .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3192] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3192] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000B03FC .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3192] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 000B0600 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3192] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 000B1014 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3192] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 000B0804 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3192] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 000B0A08 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3192] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 000B0C0C .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3192] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 000B0E10 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3192] ADVAPI32.dll!CreateServiceA 
76E26C71 5 Bytes JMP 000B01F8 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3192] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 000D0804 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3192] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 000D01F8 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3192] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 000D03FC .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3192] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 000D0600 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3192] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 000D0A08 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3216] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000E01F8 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3216] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000E03FC .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3216] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3216] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000F03FC .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3216] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 000F0600 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3216] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 000F1014 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3216] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 000F0804 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3216] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 000F0A08 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3216] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 000F0C0C .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3216] 
ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 000F0E10 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3216] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000F01F8 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3216] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00100804 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3216] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 001001F8 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3216] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 001003FC .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3216] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00100600 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3216] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00100A08 .text C:\Windows\system32\svchost.exe[3240] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[3240] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[3240] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\svchost.exe[3240] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[3240] ADVAPI32.dll!DeleteService 76DE3BEE 3 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[3240] ADVAPI32.dll!DeleteService + 4 76DE3BF2 1 Byte [89] .text C:\Windows\system32\svchost.exe[3240] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[3240] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[3240] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[3240] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[3240] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00070E10 .text 
C:\Windows\system32\svchost.exe[3240] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[3240] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 000D0804 .text C:\Windows\system32\svchost.exe[3240] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 000D01F8 .text C:\Windows\system32\svchost.exe[3240] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 000D03FC .text C:\Windows\system32\svchost.exe[3240] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 000D0600 .text C:\Windows\system32\svchost.exe[3240] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 000D0A08 .text C:\Windows\system32\wbem\unsecapp.exe[3256] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 001601F8 .text C:\Windows\system32\wbem\unsecapp.exe[3256] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 001603FC .text C:\Windows\system32\wbem\unsecapp.exe[3256] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\wbem\unsecapp.exe[3256] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 001703FC .text C:\Windows\system32\wbem\unsecapp.exe[3256] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00170600 .text C:\Windows\system32\wbem\unsecapp.exe[3256] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00171014 .text C:\Windows\system32\wbem\unsecapp.exe[3256] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00170804 .text C:\Windows\system32\wbem\unsecapp.exe[3256] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00170A08 .text C:\Windows\system32\wbem\unsecapp.exe[3256] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00170C0C .text C:\Windows\system32\wbem\unsecapp.exe[3256] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00170E10 .text C:\Windows\system32\wbem\unsecapp.exe[3256] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 001701F8 .text C:\Windows\system32\wbem\unsecapp.exe[3256] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00180804 .text C:\Windows\system32\wbem\unsecapp.exe[3256] 
USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 001801F8 .text C:\Windows\system32\wbem\unsecapp.exe[3256] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 001803FC .text C:\Windows\system32\wbem\unsecapp.exe[3256] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00180600 .text C:\Windows\system32\wbem\unsecapp.exe[3256] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00180A08 .text C:\Windows\System32\svchost.exe[3372] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000601F8 .text C:\Windows\System32\svchost.exe[3372] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000603FC .text C:\Windows\System32\svchost.exe[3372] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\System32\svchost.exe[3372] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000703FC .text C:\Windows\System32\svchost.exe[3372] ADVAPI32.dll!DeleteService 76DE3BEE 3 Bytes JMP 00070600 .text C:\Windows\System32\svchost.exe[3372] ADVAPI32.dll!DeleteService + 4 76DE3BF2 1 Byte [89] .text C:\Windows\System32\svchost.exe[3372] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00071014 .text C:\Windows\System32\svchost.exe[3372] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00070804 .text C:\Windows\System32\svchost.exe[3372] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00070A08 .text C:\Windows\System32\svchost.exe[3372] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00070C0C .text C:\Windows\System32\svchost.exe[3372] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00070E10 .text C:\Windows\System32\svchost.exe[3372] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000701F8 .text C:\Windows\system32\SearchIndexer.exe[3400] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000601F8 .text C:\Windows\system32\SearchIndexer.exe[3400] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000603FC .text C:\Windows\system32\SearchIndexer.exe[3400] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[3400] 
ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000703FC .text C:\Windows\system32\SearchIndexer.exe[3400] ADVAPI32.dll!DeleteService 76DE3BEE 3 Bytes JMP 00070600 .text C:\Windows\system32\SearchIndexer.exe[3400] ADVAPI32.dll!DeleteService + 4 76DE3BF2 1 Byte [89] .text C:\Windows\system32\SearchIndexer.exe[3400] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00071014 .text C:\Windows\system32\SearchIndexer.exe[3400] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00070804 .text C:\Windows\system32\SearchIndexer.exe[3400] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00070A08 .text C:\Windows\system32\SearchIndexer.exe[3400] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00070C0C .text C:\Windows\system32\SearchIndexer.exe[3400] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00070E10 .text C:\Windows\system32\SearchIndexer.exe[3400] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000701F8 .text C:\Windows\system32\SearchIndexer.exe[3400] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00080804 .text C:\Windows\system32\SearchIndexer.exe[3400] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 000801F8 .text C:\Windows\system32\SearchIndexer.exe[3400] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 000803FC .text C:\Windows\system32\SearchIndexer.exe[3400] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00080600 .text C:\Windows\system32\SearchIndexer.exe[3400] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00080A08 .text C:\Windows\system32\DRIVERS\xaudio.exe[3456] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 001501F8 .text C:\Windows\system32\DRIVERS\xaudio.exe[3456] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 001503FC .text C:\Windows\system32\DRIVERS\xaudio.exe[3456] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\DRIVERS\xaudio.exe[3456] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 001603FC .text C:\Windows\system32\DRIVERS\xaudio.exe[3456] ADVAPI32.dll!DeleteService 76DE3BEE 
5 Bytes JMP 00160600 .text C:\Windows\system32\DRIVERS\xaudio.exe[3456] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00161014 .text C:\Windows\system32\DRIVERS\xaudio.exe[3456] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00160804 .text C:\Windows\system32\DRIVERS\xaudio.exe[3456] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00160A08 .text C:\Windows\system32\DRIVERS\xaudio.exe[3456] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00160C0C .text C:\Windows\system32\DRIVERS\xaudio.exe[3456] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00160E10 .text C:\Windows\system32\DRIVERS\xaudio.exe[3456] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 001601F8 .text C:\Windows\system32\DRIVERS\xaudio.exe[3456] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00170804 .text C:\Windows\system32\DRIVERS\xaudio.exe[3456] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 001701F8 .text C:\Windows\system32\DRIVERS\xaudio.exe[3456] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 001703FC .text C:\Windows\system32\DRIVERS\xaudio.exe[3456] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00170600 .text C:\Windows\system32\DRIVERS\xaudio.exe[3456] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00170A08 .text C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe[3468] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000501F8 .text C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe[3468] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000503FC .text C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe[3468] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe[3468] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000603FC .text C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe[3468] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00060600 .text C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe[3468] 
ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00061014 .text C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe[3468] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00060804 .text C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe[3468] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00060A08 .text C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe[3468] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00060C0C .text C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe[3468] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00060E10 .text C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe[3468] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000601F8 .text C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe[3468] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00070804 .text C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe[3468] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 000701F8 .text C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe[3468] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 000703FC .text C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe[3468] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00070600 .text C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe[3468] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00070A08 .text C:\Windows\system32\wbem\wmiprvse.exe[3788] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000601F8 .text C:\Windows\system32\wbem\wmiprvse.exe[3788] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000603FC .text C:\Windows\system32\wbem\wmiprvse.exe[3788] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3788] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000703FC .text C:\Windows\system32\wbem\wmiprvse.exe[3788] ADVAPI32.dll!DeleteService 76DE3BEE 3 Bytes JMP 00070600 .text C:\Windows\system32\wbem\wmiprvse.exe[3788] 
ADVAPI32.dll!DeleteService + 4 76DE3BF2 1 Byte [89] .text C:\Windows\system32\wbem\wmiprvse.exe[3788] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00071014 .text C:\Windows\system32\wbem\wmiprvse.exe[3788] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00070804 .text C:\Windows\system32\wbem\wmiprvse.exe[3788] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00070A08 .text C:\Windows\system32\wbem\wmiprvse.exe[3788] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00070C0C .text C:\Windows\system32\wbem\wmiprvse.exe[3788] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00070E10 .text C:\Windows\system32\wbem\wmiprvse.exe[3788] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000701F8 .text C:\Windows\system32\wbem\wmiprvse.exe[3788] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00080804 .text C:\Windows\system32\wbem\wmiprvse.exe[3788] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 000801F8 .text C:\Windows\system32\wbem\wmiprvse.exe[3788] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 000803FC .text C:\Windows\system32\wbem\wmiprvse.exe[3788] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00080600 .text C:\Windows\system32\wbem\wmiprvse.exe[3788] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00080A08 .text C:\Windows\system32\igfxsrvc.exe[3800] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 001601F8 .text C:\Windows\system32\igfxsrvc.exe[3800] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 001603FC .text C:\Windows\system32\igfxsrvc.exe[3800] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\igfxsrvc.exe[3800] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00170804 .text C:\Windows\system32\igfxsrvc.exe[3800] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 001701F8 .text C:\Windows\system32\igfxsrvc.exe[3800] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 001703FC .text C:\Windows\system32\igfxsrvc.exe[3800] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00170600 .text 
C:\Windows\system32\igfxsrvc.exe[3800] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00170A08 .text C:\Windows\system32\igfxsrvc.exe[3800] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 001803FC .text C:\Windows\system32\igfxsrvc.exe[3800] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00180600 .text C:\Windows\system32\igfxsrvc.exe[3800] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00181014 .text C:\Windows\system32\igfxsrvc.exe[3800] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00180804 .text C:\Windows\system32\igfxsrvc.exe[3800] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00180A08 .text C:\Windows\system32\igfxsrvc.exe[3800] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00180C0C .text C:\Windows\system32\igfxsrvc.exe[3800] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00180E10 .text C:\Windows\system32\igfxsrvc.exe[3800] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 001801F8 .text C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe[3872] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 001501F8 .text C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe[3872] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 001503FC .text C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe[3872] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe[3872] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 001603FC .text C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe[3872] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00160600 .text C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe[3872] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00161014 .text C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe[3872] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00160804 .text C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe[3872] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes 
JMP 00160A08 .text C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe[3872] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00160C0C .text C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe[3872] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00160E10 .text C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe[3872] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 001601F8 .text C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe[3872] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00170804 .text C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe[3872] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 001701F8 .text C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe[3872] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 001703FC .text C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe[3872] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00170600 .text C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe[3872] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00170A08 .text C:\Acer\Empowering Technology\ePower\ePowerSvc.exe[4076] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 001601F8 .text C:\Acer\Empowering Technology\ePower\ePowerSvc.exe[4076] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 001603FC .text C:\Acer\Empowering Technology\ePower\ePowerSvc.exe[4076] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Acer\Empowering Technology\ePower\ePowerSvc.exe[4076] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 001703FC .text C:\Acer\Empowering Technology\ePower\ePowerSvc.exe[4076] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00170600 .text C:\Acer\Empowering Technology\ePower\ePowerSvc.exe[4076] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00171014 .text C:\Acer\Empowering Technology\ePower\ePowerSvc.exe[4076] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00170804 .text C:\Acer\Empowering Technology\ePower\ePowerSvc.exe[4076] 
ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00170A08 .text C:\Acer\Empowering Technology\ePower\ePowerSvc.exe[4076] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00170C0C .text C:\Acer\Empowering Technology\ePower\ePowerSvc.exe[4076] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00170E10 .text C:\Acer\Empowering Technology\ePower\ePowerSvc.exe[4076] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 001701F8 .text C:\Acer\Empowering Technology\ePower\ePowerSvc.exe[4076] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00180804 .text C:\Acer\Empowering Technology\ePower\ePowerSvc.exe[4076] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 001801F8 .text C:\Acer\Empowering Technology\ePower\ePowerSvc.exe[4076] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 001803FC .text C:\Acer\Empowering Technology\ePower\ePowerSvc.exe[4076] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00180600 .text C:\Acer\Empowering Technology\ePower\ePowerSvc.exe[4076] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00180A08 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[4812] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000601F8 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[4812] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000603FC .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[4812] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[4812] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 000B0804 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[4812] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 000B01F8 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[4812] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 000B03FC .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[4812] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 000B0600 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[4812] USER32.dll!UnhookWindowsHookEx 
769008BE 5 Bytes JMP 000B0A08 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[4812] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000C03FC .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[4812] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 000C0600 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[4812] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 000C1014 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[4812] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 000C0804 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[4812] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 000C0A08 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[4812] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 000C0C0C .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[4812] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 000C0E10 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[4812] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000C01F8 .text C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE[4844] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 001701F8 .text C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE[4844] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 001703FC .text C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE[4844] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE[4844] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00180804 .text C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE[4844] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 001801F8 .text C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE[4844] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 001803FC .text C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE[4844] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00180600 .text C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE[4844] USER32.dll!UnhookWindowsHookEx 769008BE 5 
Bytes JMP 00180A08 .text C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE[4844] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 001903FC .text C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE[4844] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00190600 .text C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE[4844] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00191014 .text C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE[4844] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00190804 .text C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE[4844] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00190A08 .text C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE[4844] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00190C0C .text C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE[4844] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00190E10 .text C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE[4844] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 001901F8 .text C:\Windows\system32\conime.exe[4916] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000501F8 .text C:\Windows\system32\conime.exe[4916] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000503FC .text C:\Windows\system32\conime.exe[4916] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\conime.exe[4916] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000603FC .text C:\Windows\system32\conime.exe[4916] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00060600 .text C:\Windows\system32\conime.exe[4916] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00061014 .text C:\Windows\system32\conime.exe[4916] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00060804 .text C:\Windows\system32\conime.exe[4916] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00060A08 .text C:\Windows\system32\conime.exe[4916] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00060C0C .text C:\Windows\system32\conime.exe[4916] 
ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00060E10 .text C:\Windows\system32\conime.exe[4916] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000601F8 .text C:\Windows\system32\conime.exe[4916] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00090804 .text C:\Windows\system32\conime.exe[4916] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 000901F8 .text C:\Windows\system32\conime.exe[4916] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 000903FC .text C:\Windows\system32\conime.exe[4916] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00090600 .text C:\Windows\system32\conime.exe[4916] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00090A08 .text C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE[5444] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 001701F8 .text C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE[5444] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 001703FC .text C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE[5444] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE[5444] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 002D03FC .text C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE[5444] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 002D0600 .text C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE[5444] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 002D1014 .text C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE[5444] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 002D0804 .text C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE[5444] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 002D0A08 .text C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE[5444] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 002D0C0C .text C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE[5444] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 002D0E10 .text C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE[5444] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 002D01F8 .text 
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE[5444] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 002E0804 .text C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE[5444] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 002E01F8 .text C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE[5444] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 002E03FC .text C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE[5444] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 002E0600 .text C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE[5444] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 002E0A08 .text C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE[5700] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 001701F8 .text C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE[5700] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 001703FC .text C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE[5700] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE[5700] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00180804 .text C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE[5700] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 001801F8 .text C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE[5700] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 001803FC .text C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE[5700] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00180600 .text C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE[5700] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00180A08 .text C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE[5700] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 001903FC .text C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE[5700] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00190600 .text C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE[5700] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00191014 .text C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE[5700] 
ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00190804 .text C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE[5700] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00190A08 .text C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE[5700] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00190C0C .text C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE[5700] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00190E10 .text C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE[5700] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 001901F8 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[6036] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 001701F8 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[6036] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 001703FC .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[6036] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[6036] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00180804 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[6036] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 001801F8 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[6036] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 001803FC .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[6036] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00180600 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[6036] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00180A08 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[6036] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 001903FC .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[6036] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00190600 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[6036] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00191014 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[6036] 
ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00190804 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[6036] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00190A08 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[6036] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00190C0C .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[6036] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00190E10 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[6036] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 001901F8 .text C:\Windows\system32\consent.exe[6052] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000601F8 .text C:\Windows\system32\consent.exe[6052] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000603FC .text C:\Windows\system32\consent.exe[6052] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\consent.exe[6052] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000703FC .text C:\Windows\system32\consent.exe[6052] ADVAPI32.dll!DeleteService 76DE3BEE 3 Bytes JMP 00070600 .text C:\Windows\system32\consent.exe[6052] ADVAPI32.dll!DeleteService + 4 76DE3BF2 1 Byte [89] .text C:\Windows\system32\consent.exe[6052] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00071014 .text C:\Windows\system32\consent.exe[6052] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00070804 .text C:\Windows\system32\consent.exe[6052] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00070A08 .text C:\Windows\system32\consent.exe[6052] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00070C0C .text C:\Windows\system32\consent.exe[6052] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00070E10 .text C:\Windows\system32\consent.exe[6052] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000701F8 .text C:\Windows\system32\consent.exe[6052] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00080804 .text C:\Windows\system32\consent.exe[6052] USER32.dll!SetWinEventHook 768D915C 
5 Bytes JMP 000801F8 .text C:\Windows\system32\consent.exe[6052] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 000803FC .text C:\Windows\system32\consent.exe[6052] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00080600 .text C:\Windows\system32\consent.exe[6052] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00080A08 .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000601F8 .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000603FC .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00070804 .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 000701F8 .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 000703FC .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] USER32.dll!GetScrollPos 768DC090 5 Bytes JMP 071F66D0 C:\Acer\Empowering Technology\ScrollBarLib.dll .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] USER32.dll!GetScrollRange 768DC33B 5 Bytes JMP 071F6750 C:\Acer\Empowering Technology\ScrollBarLib.dll .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] USER32.dll!SetScrollRange 768DE173 5 Bytes JMP 071F6900 C:\Acer\Empowering Technology\ScrollBarLib.dll .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] USER32.dll!GetScrollInfo 768E0804 7 Bytes JMP 071F6650 C:\Acer\Empowering Technology\ScrollBarLib.dll .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] 
USER32.dll!ShowScrollBar 768E0E7C 5 Bytes JMP 071F69A0 C:\Acer\Empowering Technology\ScrollBarLib.dll .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] USER32.dll!SetScrollInfo 768E8663 7 Bytes JMP 071F67E0 C:\Acer\Empowering Technology\ScrollBarLib.dll .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] USER32.dll!EnableScrollBar 768FB11E 7 Bytes JMP 071F65D0 C:\Acer\Empowering Technology\ScrollBarLib.dll .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00070600 .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00070A08 .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] USER32.dll!SetScrollPos 76903A1E 5 Bytes JMP 071F6870 C:\Acer\Empowering Technology\ScrollBarLib.dll .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000803FC .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00080600 .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00081014 .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00080804 .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00080A08 .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00080C0C .text C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00080E10 .text C:\Acer\Empowering 
Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE[6056] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000801F8 .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 62E94470 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000603FC .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] KERNEL32.dll!HeapSetInformation + 26 76727008 7 Bytes JMP 62E9F972 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] KERNEL32.dll!LockResource + C 7674813B 7 Bytes JMP 630E0459 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] KERNEL32.dll!VirtualAllocEx + 54 7674BA7A 7 Bytes JMP 630E047C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00070804 .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 000701F8 .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 000703FC .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] USER32.dll!GetWindowInfo 768E0560 5 Bytes JMP 63002157 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00070600 .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00070A08 .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] GDI32.dll!StretchDIBits + 179 76B675BB 7 Bytes JMP 630E03DA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text 
C:\Program Files\Mozilla Firefox\firefox.exe[6176] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000803FC .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00080600 .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00081014 .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00080804 .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00080A08 .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00080C0C .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00080E10 .text C:\Program Files\Mozilla Firefox\firefox.exe[6176] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000801F8 .text C:\Users\Ryszard\Desktop\OTL.exe[6360] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 001601F8 .text C:\Users\Ryszard\Desktop\OTL.exe[6360] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 001603FC .text C:\Users\Ryszard\Desktop\OTL.exe[6360] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Users\Ryszard\Desktop\OTL.exe[6360] user32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00180804 .text C:\Users\Ryszard\Desktop\OTL.exe[6360] user32.dll!SetWinEventHook 768D915C 5 Bytes JMP 001801F8 .text C:\Users\Ryszard\Desktop\OTL.exe[6360] user32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 001803FC .text C:\Users\Ryszard\Desktop\OTL.exe[6360] user32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00180600 .text C:\Users\Ryszard\Desktop\OTL.exe[6360] user32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00180A08 .text C:\Users\Ryszard\Desktop\OTL.exe[6360] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 001903FC .text C:\Users\Ryszard\Desktop\OTL.exe[6360] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00190600 .text 
C:\Users\Ryszard\Desktop\OTL.exe[6360] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00191014 .text C:\Users\Ryszard\Desktop\OTL.exe[6360] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00190804 .text C:\Users\Ryszard\Desktop\OTL.exe[6360] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00190A08 .text C:\Users\Ryszard\Desktop\OTL.exe[6360] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00190C0C .text C:\Users\Ryszard\Desktop\OTL.exe[6360] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00190E10 .text C:\Users\Ryszard\Desktop\OTL.exe[6360] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 001901F8 .text C:\Windows\system32\LogonUI.exe[6536] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000601F8 .text C:\Windows\system32\LogonUI.exe[6536] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000603FC .text C:\Windows\system32\LogonUI.exe[6536] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\LogonUI.exe[6536] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00080804 .text C:\Windows\system32\LogonUI.exe[6536] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 000801F8 .text C:\Windows\system32\LogonUI.exe[6536] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 000803FC .text C:\Windows\system32\LogonUI.exe[6536] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00080600 .text C:\Windows\system32\LogonUI.exe[6536] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00080A08 .text C:\Windows\system32\LogonUI.exe[6536] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000903FC .text C:\Windows\system32\LogonUI.exe[6536] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00090600 .text C:\Windows\system32\LogonUI.exe[6536] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00091014 .text C:\Windows\system32\LogonUI.exe[6536] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00090804 .text C:\Windows\system32\LogonUI.exe[6536] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00090A08 .text 
C:\Windows\system32\LogonUI.exe[6536] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00090C0C .text C:\Windows\system32\LogonUI.exe[6536] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00090E10 .text C:\Windows\system32\LogonUI.exe[6536] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000901F8 .text C:\Windows\notepad.exe[6792] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000601F8 .text C:\Windows\notepad.exe[6792] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000603FC .text C:\Windows\notepad.exe[6792] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\notepad.exe[6792] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000703FC .text C:\Windows\notepad.exe[6792] ADVAPI32.dll!DeleteService 76DE3BEE 3 Bytes JMP 00070600 .text C:\Windows\notepad.exe[6792] ADVAPI32.dll!DeleteService + 4 76DE3BF2 1 Byte [89] .text C:\Windows\notepad.exe[6792] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00071014 .text C:\Windows\notepad.exe[6792] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00070804 .text C:\Windows\notepad.exe[6792] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00070A08 .text C:\Windows\notepad.exe[6792] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00070C0C .text C:\Windows\notepad.exe[6792] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00070E10 .text C:\Windows\notepad.exe[6792] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000701F8 .text C:\Windows\notepad.exe[6792] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00080804 .text C:\Windows\notepad.exe[6792] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 000801F8 .text C:\Windows\notepad.exe[6792] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 000803FC .text C:\Windows\notepad.exe[6792] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00080600 .text C:\Windows\notepad.exe[6792] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00080A08 .text C:\Windows\notepad.exe[6824] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000601F8 
.text C:\Windows\notepad.exe[6824] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000603FC .text C:\Windows\notepad.exe[6824] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\notepad.exe[6824] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000703FC .text C:\Windows\notepad.exe[6824] ADVAPI32.dll!DeleteService 76DE3BEE 3 Bytes JMP 00070600 .text C:\Windows\notepad.exe[6824] ADVAPI32.dll!DeleteService + 4 76DE3BF2 1 Byte [89] .text C:\Windows\notepad.exe[6824] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00071014 .text C:\Windows\notepad.exe[6824] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00070804 .text C:\Windows\notepad.exe[6824] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00070A08 .text C:\Windows\notepad.exe[6824] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00070C0C .text C:\Windows\notepad.exe[6824] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00070E10 .text C:\Windows\notepad.exe[6824] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000701F8 .text C:\Windows\notepad.exe[6824] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00080804 .text C:\Windows\notepad.exe[6824] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 000801F8 .text C:\Windows\notepad.exe[6824] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 000803FC .text C:\Windows\notepad.exe[6824] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00080600 .text C:\Windows\notepad.exe[6824] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00080A08 .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[7660] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 001601F8 .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[7660] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 001603FC .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[7660] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[7660] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00170804 .text 
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[7660] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 001701F8 .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[7660] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 001703FC .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[7660] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00170600 .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[7660] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00170A08 .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[7660] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 001803FC .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[7660] ADVAPI32.dll!DeleteService 76DE3BEE 5 Bytes JMP 00180600 .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[7660] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00181014 .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[7660] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00180804 .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[7660] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00180A08 .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[7660] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00180C0C .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[7660] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00180E10 .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[7660] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 001801F8 .text C:\Windows\system32\Taskmgr.exe[7980] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000601F8 .text C:\Windows\system32\Taskmgr.exe[7980] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000603FC .text C:\Windows\system32\Taskmgr.exe[7980] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\Taskmgr.exe[7980] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000703FC .text C:\Windows\system32\Taskmgr.exe[7980] ADVAPI32.dll!DeleteService 76DE3BEE 3 Bytes JMP 00070600 
.text C:\Windows\system32\Taskmgr.exe[7980] ADVAPI32.dll!DeleteService + 4 76DE3BF2 1 Byte [89] .text C:\Windows\system32\Taskmgr.exe[7980] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00071014 .text C:\Windows\system32\Taskmgr.exe[7980] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00070804 .text C:\Windows\system32\Taskmgr.exe[7980] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00070A08 .text C:\Windows\system32\Taskmgr.exe[7980] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00070C0C .text C:\Windows\system32\Taskmgr.exe[7980] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00070E10 .text C:\Windows\system32\Taskmgr.exe[7980] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000701F8 .text C:\Windows\system32\Taskmgr.exe[7980] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00080804 .text C:\Windows\system32\Taskmgr.exe[7980] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 000801F8 .text C:\Windows\system32\Taskmgr.exe[7980] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 000803FC .text C:\Windows\system32\Taskmgr.exe[7980] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00080600 .text C:\Windows\system32\Taskmgr.exe[7980] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00080A08 .text C:\Windows\system32\taskeng.exe[8148] ntdll.dll!LdrLoadDll 77A779B3 5 Bytes JMP 000601F8 .text C:\Windows\system32\taskeng.exe[8148] ntdll.dll!LdrUnloadDll 77A8E5AC 5 Bytes JMP 000603FC .text C:\Windows\system32\taskeng.exe[8148] KERNEL32.dll!GetBinaryTypeW + 70 76751CE8 1 Byte [62] .text C:\Windows\system32\taskeng.exe[8148] ADVAPI32.dll!CreateServiceW 76DE38FF 5 Bytes JMP 000703FC .text C:\Windows\system32\taskeng.exe[8148] ADVAPI32.dll!DeleteService 76DE3BEE 3 Bytes JMP 00070600 .text C:\Windows\system32\taskeng.exe[8148] ADVAPI32.dll!DeleteService + 4 76DE3BF2 1 Byte [89] .text C:\Windows\system32\taskeng.exe[8148] ADVAPI32.dll!SetServiceObjectSecurity 76E266A9 5 Bytes JMP 00071014 .text 
C:\Windows\system32\taskeng.exe[8148] ADVAPI32.dll!ChangeServiceConfigA 76E267A9 5 Bytes JMP 00070804 .text C:\Windows\system32\taskeng.exe[8148] ADVAPI32.dll!ChangeServiceConfigW 76E26951 5 Bytes JMP 00070A08 .text C:\Windows\system32\taskeng.exe[8148] ADVAPI32.dll!ChangeServiceConfig2A 76E26A69 5 Bytes JMP 00070C0C .text C:\Windows\system32\taskeng.exe[8148] ADVAPI32.dll!ChangeServiceConfig2W 76E26BB1 5 Bytes JMP 00070E10 .text C:\Windows\system32\taskeng.exe[8148] ADVAPI32.dll!CreateServiceA 76E26C71 5 Bytes JMP 000701F8 .text C:\Windows\system32\taskeng.exe[8148] USER32.dll!SetWindowsHookExW 768D7B69 5 Bytes JMP 00080804 .text C:\Windows\system32\taskeng.exe[8148] USER32.dll!SetWinEventHook 768D915C 5 Bytes JMP 000801F8 .text C:\Windows\system32\taskeng.exe[8148] USER32.dll!UnhookWinEvent 768DB702 5 Bytes JMP 000803FC .text C:\Windows\system32\taskeng.exe[8148] USER32.dll!SetWindowsHookExA 768FBB0E 5 Bytes JMP 00080600 .text C:\Windows\system32\taskeng.exe[8148] USER32.dll!UnhookWindowsHookEx 769008BE 5 Bytes JMP 00080A08 ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[648] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [733CF6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Windows\system32\services.exe[676] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00140002 IAT C:\Windows\system32\services.exe[676] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00140000 IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1724] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [733CF6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs AE68B740 Device \FileSystem\Ntfs \Ntfs 84DF2F58 Device \FileSystem\Ntfs \Ntfs 84F4B178 Device \FileSystem\Ntfs \Ntfs 874EF7E0 Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! 
self protection module/AVAST Software) Device \FileSystem\Ntfs \Ntfs 8512B2E0 Device \FileSystem\Ntfs \Ntfs 872B6F88 Device \FileSystem\Ntfs \Ntfs 87700710 AttachedDevice \FileSystem\Ntfs \Ntfs 3C6DAA2A11.sys Device \FileSystem\fastfat \FatCdrom 87A2E2C0 Device \FileSystem\fastfat \FatCdrom 87440CF0 Device \FileSystem\fastfat \FatCdrom 84B26060 Device \FileSystem\fastfat \FatCdrom 84ECE1B0 Device \FileSystem\fastfat \FatCdrom aswSP.SYS (avast! self protection module/AVAST Software) Device \FileSystem\fastfat \FatCdrom 8634E380 Device \FileSystem\fastfat \FatCdrom 878B2850 AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \FileSystem\519F9319C70C26EC \Device\519F9319C70C26EC 3C6DAA2A11.sys Device \FileSystem\fastfat \Fat 87A2E2C0 Device \FileSystem\fastfat \Fat 87440CF0 Device \FileSystem\fastfat \Fat 84B26060 Device \FileSystem\fastfat \Fat 84ECE1B0 Device \FileSystem\fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software) Device \FileSystem\fastfat \Fat 8634E380 Device \FileSystem\fastfat \Fat 878B2850 AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) AttachedDevice \FileSystem\fastfat \Fat 3C6DAA2A11.sys ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations
---- EOF - GMER 1.0.15 ----