GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-03-19 19:20:34 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS547564A9E384 rev.JEDOA60B 596,17GB Running: 6g1h9y6t.exe; Driver: C:\Users\Konrad\AppData\Local\Temp\uwloafob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\services.exe[756] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[336] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[548] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[584] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1660] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Windows\Explorer.EXE[1692] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1972] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2032] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1724] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1568] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Windows\system32\svchost.exe[2108] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Windows\system32\dmwu.exe[2188] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2672] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Umbrella\umbrella.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Umbrella\umbrella.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Umbrella\umbrella.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Umbrella\umbrella.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Umbrella\umbrella.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a91900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Umbrella\umbrella.exe[2860] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Umbrella\umbrella.exe[2860] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ab1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Umbrella\umbrella.exe[2860] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Umbrella\umbrella.exe[2860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075cb1465 2 bytes [CB, 75] .text C:\Program Files (x86)\Common Files\Umbrella\umbrella.exe[2860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075cb14bb 2 bytes [CB, 75] .text ... * 2 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3172] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3172] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3172] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3172] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a91900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3172] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3172] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ab1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3172] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Windows\system32\taskeng.exe[4156] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778b3ae0 5 bytes JMP 000000010037075c .text C:\Windows\system32\taskeng.exe[4156] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778b7a90 5 bytes JMP 00000001003703a4 .text C:\Windows\system32\taskeng.exe[4156] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778e1490 5 bytes JMP 0000000100370b14 .text C:\Windows\system32\taskeng.exe[4156] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778e14f0 5 bytes JMP 0000000100370ecc .text C:\Windows\system32\taskeng.exe[4156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778e15d0 5 bytes JMP 000000010037163c .text C:\Windows\system32\taskeng.exe[4156] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778e1810 5 bytes JMP 0000000100371284 .text C:\Windows\system32\taskeng.exe[4156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778e2840 5 bytes JMP 00000001003719f4 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4332] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4332] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4332] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4332] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4332] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a91900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4332] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4332] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ab1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4332] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778b3ae0 5 bytes JMP 000000010019075c .text C:\Windows\system32\SearchIndexer.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778b7a90 5 bytes JMP 00000001001903a4 .text C:\Windows\system32\SearchIndexer.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778e1490 5 bytes JMP 0000000100190b14 .text C:\Windows\system32\SearchIndexer.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778e14f0 5 bytes JMP 0000000100190ecc .text C:\Windows\system32\SearchIndexer.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778e15d0 5 bytes JMP 000000010019163c .text C:\Windows\system32\SearchIndexer.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778e1810 5 bytes JMP 0000000100191284 .text C:\Windows\system32\SearchIndexer.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778e2840 5 bytes JMP 00000001001919f4 .text C:\Windows\system32\SearchIndexer.exe[4508] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[4508] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1f6e00 5 bytes JMP 000007ff7e211dac .text C:\Windows\system32\SearchIndexer.exe[4508] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1f6f2c 5 bytes JMP 000007ff7e210ecc .text C:\Windows\system32\SearchIndexer.exe[4508] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1f7220 5 bytes JMP 000007ff7e211284 .text C:\Windows\system32\SearchIndexer.exe[4508] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1f739c 5 bytes JMP 000007ff7e21163c .text C:\Windows\system32\SearchIndexer.exe[4508] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1f7538 5 bytes JMP 000007ff7e2119f4 .text C:\Windows\system32\SearchIndexer.exe[4508] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1f75e8 5 bytes JMP 000007ff7e2103a4 .text C:\Windows\system32\SearchIndexer.exe[4508] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1f790c 5 bytes JMP 000007ff7e21075c .text C:\Windows\system32\SearchIndexer.exe[4508] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1f7ab4 5 bytes JMP 000007ff7e210b14 .text C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe[5576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778b3ae0 5 bytes JMP 000000010033075c .text C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe[5576] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778b7a90 5 bytes JMP 00000001003303a4 .text C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe[5576] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778e1490 5 bytes JMP 0000000100330b14 .text C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe[5576] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778e14f0 5 bytes JMP 0000000100330ecc .text C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe[5576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778e15d0 5 bytes JMP 000000010033163c .text C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe[5576] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778e1810 5 bytes JMP 0000000100331284 .text C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe[5576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778e2840 5 bytes JMP 00000001003319f4 .text C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe[5576] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1f6e00 5 bytes JMP 000007ff7e211dac .text C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe[5576] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1f6f2c 5 bytes JMP 000007ff7e210ecc .text C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe[5576] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1f7220 5 bytes JMP 000007ff7e211284 .text C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe[5576] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1f739c 5 bytes JMP 000007ff7e21163c .text C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe[5576] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1f7538 5 bytes JMP 000007ff7e2119f4 .text C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe[5576] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1f75e8 5 bytes JMP 000007ff7e2103a4 .text C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe[5576] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1f790c 5 bytes JMP 000007ff7e21075c .text C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe[5576] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1f7ab4 5 bytes JMP 000007ff7e210b14 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5744] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4548] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778b3ae0 5 bytes JMP 00000001002d075c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4548] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778b7a90 5 bytes JMP 00000001002d03a4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4548] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778e1490 5 bytes JMP 00000001002d0b14 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4548] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778e14f0 5 bytes JMP 00000001002d0ecc .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778e15d0 5 bytes JMP 00000001002d163c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4548] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778e1810 5 bytes JMP 00000001002d1284 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778e2840 5 bytes JMP 00000001002d19f4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4548] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4548] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1f6e00 5 bytes JMP 000007ff7e211dac .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1f6f2c 5 bytes JMP 000007ff7e210ecc .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1f7220 5 bytes JMP 000007ff7e211284 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1f739c 5 bytes JMP 000007ff7e21163c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1f7538 5 bytes JMP 000007ff7e2119f4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4548] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1f75e8 5 bytes JMP 000007ff7e2103a4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4548] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1f790c 5 bytes JMP 000007ff7e21075c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4548] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1f7ab4 5 bytes JMP 000007ff7e210b14 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077a8fa20 5 bytes JMP 0000000107d26390 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077a8fd78 5 bytes JMP 0000000107d26640 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a90048 5 bytes JMP 0000000107d253d0 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a91900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aac45a 5 bytes JMP 0000000107d25300 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ab1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\syswow64\KERNEL32.dll!CreateFileW 0000000076f83f3c 5 bytes JMP 0000000107d21290 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\syswow64\KERNEL32.dll!CreateFileA 0000000076f853ae 5 bytes JMP 0000000107d211c0 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\syswow64\KERNEL32.dll!MoveFileW 0000000076f99ad8 5 bytes JMP 0000000107d22570 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\syswow64\KERNEL32.dll!CopyFileA 0000000076fa58cd 5 bytes JMP 0000000107d21000 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\syswow64\KERNEL32.dll!CopyFileW 0000000076fa82f5 5 bytes JMP 0000000107d210a0 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\syswow64\KERNEL32.dll!MoveFileA 0000000076ffd929 5 bytes JMP 0000000107d22510 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007562ee09 5 bytes JMP 00000001003c01f8 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075633982 5 bytes JMP 00000001003c03fc .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075637603 5 bytes JMP 00000001003c0804 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007563835c 5 bytes JMP 00000001003c0600 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007564f52b 5 bytes JMP 00000001003c0a08 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000075c74889 5 bytes JMP 0000000107d21d10 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\syswow64\WS2_32.dll!send 0000000075c76f01 5 bytes JMP 0000000107d27250 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\syswow64\WININET.dll!HttpSendRequestW 0000000075ab632d 5 bytes JMP 0000000107d22160 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\syswow64\WININET.dll!InternetWriteFile 0000000075acf6c6 5 bytes JMP 0000000107d223a0 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[5180] C:\Windows\syswow64\WININET.dll!HttpSendRequestA 0000000075ae525a 5 bytes JMP 0000000107d220a0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778b3ae0 5 bytes JMP 000000010021075c .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778b7a90 5 bytes JMP 00000001002103a4 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778e1490 5 bytes JMP 0000000100210b14 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778e14f0 5 bytes JMP 0000000100210ecc .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778e15d0 5 bytes JMP 000000010021163c .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778e1810 5 bytes JMP 0000000100211284 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778e2840 5 bytes JMP 00000001002119f4 .text C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778b3ae0 5 bytes JMP 000000010037075c .text C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778b7a90 5 bytes JMP 00000001003703a4 .text C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778e1490 5 bytes JMP 0000000100370b14 .text C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778e14f0 5 bytes JMP 0000000100370ecc .text C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778e15d0 5 bytes JMP 000000010037163c .text C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778e1810 5 bytes JMP 0000000100371284 .text C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778e2840 5 bytes JMP 00000001003719f4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5440] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077a8fa20 5 bytes JMP 0000000100776390 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077a8fd78 5 bytes JMP 0000000100776640 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a90048 5 bytes JMP 00000001007753d0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a91900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aac45a 5 bytes JMP 0000000100775300 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ab1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\syswow64\KERNEL32.dll!CreateFileW 0000000076f83f3c 5 bytes JMP 0000000100771290 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\syswow64\KERNEL32.dll!CreateFileA 0000000076f853ae 5 bytes JMP 00000001007711c0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\syswow64\KERNEL32.dll!MoveFileW 0000000076f99ad8 5 bytes JMP 0000000100772570 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\syswow64\KERNEL32.dll!CopyFileA 0000000076fa58cd 5 bytes JMP 0000000100771000 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\syswow64\KERNEL32.dll!CopyFileW 0000000076fa82f5 5 bytes JMP 00000001007710a0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\syswow64\KERNEL32.dll!MoveFileA 0000000076ffd929 5 bytes JMP 0000000100772510 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007562ee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075633982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075637603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007563835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe[600] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007564f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778b3ae0 5 bytes JMP 000000010029075c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778b7a90 5 bytes JMP 00000001002903a4 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778e1490 5 bytes JMP 0000000100290b14 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778e14f0 5 bytes JMP 0000000100290ecc .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778e15d0 5 bytes JMP 000000010029163c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778e1810 5 bytes JMP 0000000100291284 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778e2840 5 bytes JMP 00000001002919f4 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077a8fa20 5 bytes JMP 00000001030b6390 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077a8fd78 5 bytes JMP 00000001030b6640 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a90048 5 bytes JMP 00000001030b53d0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a91900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aac45a 5 bytes JMP 00000001030b5300 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ab1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007562ee09 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075632da4 5 bytes JMP 000000016cb69ebc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075633982 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075637603 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007563835c 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 000000007564cbf3 5 bytes JMP 000000016ccb8f36 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007564cfca 5 bytes JMP 000000016cac1893 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007564f52b 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007566cb0c 5 bytes JMP 000000016ccb8ed1 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007566ce64 5 bytes JMP 000000016ccb8f9b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 000000007567fbd1 5 bytes JMP 000000016ccb8e58 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 000000007567fc9d 5 bytes JMP 000000016ccb8ddf .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007567fcd6 5 bytes JMP 000000016ccb8d7b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007567fcfa 5 bytes JMP 000000016ccb8d17 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\syswow64\WININET.dll!HttpSendRequestW 0000000075ab632d 5 bytes JMP 00000001030b2160 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\syswow64\WININET.dll!InternetWriteFile 0000000075acf6c6 5 bytes JMP 00000001030b23a0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\syswow64\WININET.dll!HttpSendRequestA 0000000075ae525a 5 bytes JMP 00000001030b20a0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 000000007183388e 5 bytes JMP 000000016ccb9000 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4464] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 00000000718d7922 5 bytes JMP 000000016ccb90a8 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1000] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077a8fa20 5 bytes JMP 0000000100096390 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a8faa0 5 bytes JMP 00000001000e0600 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a8fb38 5 bytes JMP 00000001000e0804 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a8fc90 5 bytes JMP 00000001000e0c0c .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077a8fd78 5 bytes JMP 0000000100096640 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a90018 5 bytes JMP 00000001000e0a08 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a90048 5 bytes JMP 00000001000953d0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a91900 5 bytes JMP 00000001000e0e10 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aac45a 5 bytes JMP 0000000100095300 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ab1217 5 bytes JMP 00000001000e03fc .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\syswow64\KERNEL32.dll!CreateFileW 0000000076f83f3c 5 bytes JMP 0000000100091290 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\syswow64\KERNEL32.dll!CreateFileA 0000000076f853ae 5 bytes JMP 00000001000911c0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\syswow64\KERNEL32.dll!MoveFileW 0000000076f99ad8 5 bytes JMP 0000000100092570 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\syswow64\KERNEL32.dll!CopyFileA 0000000076fa58cd 5 bytes JMP 0000000100091000 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\syswow64\KERNEL32.dll!CopyFileW 0000000076fa82f5 5 bytes JMP 00000001000910a0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\syswow64\KERNEL32.dll!MoveFileA 0000000076ffd929 5 bytes JMP 0000000100092510 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007562ee09 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075633982 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075637603 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007563835c 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[5024] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007564f52b 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077a8fa20 5 bytes JMP 00000001001e6390 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077a8fd78 5 bytes JMP 00000001001e6640 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077a90048 5 bytes JMP 00000001001e53d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a91900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2844] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aac45a 5 bytes JMP 00000001001e5300 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2844] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ab1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2844] C:\Windows\syswow64\KERNEL32.dll!CreateFileW 0000000076f83f3c 5 bytes JMP 00000001001e1290 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2844] C:\Windows\syswow64\KERNEL32.dll!CreateFileA 0000000076f853ae 5 bytes JMP 00000001001e11c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2844] C:\Windows\syswow64\KERNEL32.dll!MoveFileW 0000000076f99ad8 5 bytes JMP 00000001001e2570 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2844] C:\Windows\syswow64\KERNEL32.dll!CopyFileA 0000000076fa58cd 5 bytes JMP 00000001001e1000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2844] C:\Windows\syswow64\KERNEL32.dll!CopyFileW 0000000076fa82f5 5 bytes JMP 00000001001e10a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2844] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2844] C:\Windows\syswow64\KERNEL32.dll!MoveFileA 0000000076ffd929 5 bytes JMP 00000001001e2510 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6488] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778b3ae0 5 bytes JMP 00000001002b075c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6488] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778b7a90 5 bytes JMP 00000001002b03a4 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6488] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778e1490 5 bytes JMP 00000001002b0b14 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6488] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778e14f0 5 bytes JMP 00000001002b0ecc .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778e15d0 5 bytes JMP 00000001002b163c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6488] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778e1810 5 bytes JMP 00000001002b1284 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[6488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778e2840 5 bytes JMP 00000001002b19f4 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a91900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ab1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007562ee09 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075633982 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075637603 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007563835c 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007564f52b 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000759b5181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000759b5254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000759b53d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000759b54c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000759b55e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000759b567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000759b589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4572] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000759b5a22 5 bytes JMP 0000000100260600 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a8faa0 5 bytes JMP 0000000100030600 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a8fb38 5 bytes JMP 0000000100030804 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a8fc90 5 bytes JMP 0000000100030c0c .text c:\Program Files (x86)\Nero\Update\NASvc.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a90018 5 bytes JMP 0000000100030a08 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[6252] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a91900 5 bytes JMP 0000000100030e10 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[6252] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aac45a 5 bytes JMP 00000001000301f8 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[6252] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ab1217 5 bytes JMP 00000001000303fc .text c:\Program Files (x86)\Nero\Update\NASvc.exe[6252] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[7472] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778b3ae0 5 bytes JMP 00000001002a075c .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[7472] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778b7a90 5 bytes JMP 00000001002a03a4 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[7472] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778e1490 5 bytes JMP 00000001002a0b14 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[7472] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778e14f0 5 bytes JMP 00000001002a0ecc .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[7472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778e15d0 5 bytes JMP 00000001002a163c .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[7472] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778e1810 5 bytes JMP 00000001002a1284 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[7472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778e2840 5 bytes JMP 00000001002a19f4 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[7472] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[7472] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1f6e00 5 bytes JMP 000007ff7e211dac .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[7472] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1f6f2c 5 bytes JMP 000007ff7e210ecc .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[7472] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1f7220 5 bytes JMP 000007ff7e211284 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[7472] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1f739c 5 bytes JMP 000007ff7e21163c .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[7472] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1f7538 5 bytes JMP 000007ff7e2119f4 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[7472] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1f75e8 5 bytes JMP 000007ff7e2103a4 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[7472] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1f790c 5 bytes JMP 000007ff7e21075c .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[7472] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1f7ab4 5 bytes JMP 000007ff7e210b14 .text C:\Windows\system32\taskeng.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778b3ae0 5 bytes JMP 000000010029075c .text C:\Windows\system32\taskeng.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778b7a90 5 bytes JMP 00000001002903a4 .text C:\Windows\system32\taskeng.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778e1490 5 bytes JMP 0000000100290b14 .text C:\Windows\system32\taskeng.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778e14f0 5 bytes JMP 0000000100290ecc .text C:\Windows\system32\taskeng.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778e15d0 5 bytes JMP 000000010029163c .text C:\Windows\system32\taskeng.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778e1810 5 bytes JMP 0000000100291284 .text C:\Windows\system32\taskeng.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778e2840 5 bytes JMP 00000001002919f4 .text C:\Windows\system32\taskeng.exe[6740] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Windows\system32\taskeng.exe[6740] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1f6e00 5 bytes JMP 000007ff7e211dac .text C:\Windows\system32\taskeng.exe[6740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1f6f2c 5 bytes JMP 000007ff7e210ecc .text C:\Windows\system32\taskeng.exe[6740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1f7220 5 bytes JMP 000007ff7e211284 .text C:\Windows\system32\taskeng.exe[6740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1f739c 5 bytes JMP 000007ff7e21163c .text C:\Windows\system32\taskeng.exe[6740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1f7538 5 bytes JMP 000007ff7e2119f4 .text C:\Windows\system32\taskeng.exe[6740] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1f75e8 5 bytes JMP 000007ff7e2103a4 .text C:\Windows\system32\taskeng.exe[6740] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1f790c 5 bytes JMP 000007ff7e21075c .text C:\Windows\system32\taskeng.exe[6740] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1f7ab4 5 bytes JMP 000007ff7e210b14 .text C:\Windows\System32\svchost.exe[10160] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778b3ae0 5 bytes JMP 000000010015075c .text C:\Windows\System32\svchost.exe[10160] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778b7a90 5 bytes JMP 00000001001503a4 .text C:\Windows\System32\svchost.exe[10160] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778e1490 5 bytes JMP 0000000100150b14 .text C:\Windows\System32\svchost.exe[10160] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778e14f0 5 bytes JMP 0000000100150ecc .text C:\Windows\System32\svchost.exe[10160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778e15d0 5 bytes JMP 000000010015163c .text C:\Windows\System32\svchost.exe[10160] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778e1810 5 bytes JMP 0000000100151284 .text C:\Windows\System32\svchost.exe[10160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778e2840 5 bytes JMP 00000001001519f4 .text C:\Windows\System32\svchost.exe[10160] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1f6e00 5 bytes JMP 000007ff7e211dac .text C:\Windows\System32\svchost.exe[10160] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1f6f2c 5 bytes JMP 000007ff7e210ecc .text C:\Windows\System32\svchost.exe[10160] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1f7220 5 bytes JMP 000007ff7e211284 .text C:\Windows\System32\svchost.exe[10160] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1f739c 5 bytes JMP 000007ff7e21163c .text C:\Windows\System32\svchost.exe[10160] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1f7538 5 bytes JMP 000007ff7e2119f4 .text C:\Windows\System32\svchost.exe[10160] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1f75e8 5 bytes JMP 000007ff7e2103a4 .text C:\Windows\System32\svchost.exe[10160] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1f790c 5 bytes JMP 000007ff7e21075c .text C:\Windows\System32\svchost.exe[10160] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1f7ab4 5 bytes JMP 000007ff7e210b14 .text C:\Windows\System32\svchost.exe[10160] C:\Windows\system32\USER32.dll!UnhookWinEvent 0000000077798550 5 bytes JMP 000000010020075c .text C:\Windows\System32\svchost.exe[10160] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 000000007779d440 5 bytes JMP 0000000100201284 .text C:\Windows\System32\svchost.exe[10160] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007779f874 5 bytes JMP 0000000100200ecc .text C:\Windows\System32\svchost.exe[10160] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000777a4d4c 5 bytes JMP 00000001002003a4 .text C:\Windows\System32\svchost.exe[10160] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000777b8c20 5 bytes JMP 0000000100200b14 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a91900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ab1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000759b5181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000759b5254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000759b53d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000759b54c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000759b55e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000759b567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000759b589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000759b5a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007562ee09 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075633982 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075637603 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007563835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007564f52b 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075cb1465 2 bytes [CB, 75] .text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[6964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075cb14bb 2 bytes [CB, 75] .text ... * 2 .text C:\Windows\system32\AUDIODG.EXE[4740] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a8faa0 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a8fb38 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a8fc90 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a90018 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a91900 5 bytes JMP 0000000100030e10 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aac45a 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ab1217 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007562ee09 5 bytes JMP 00000001001001f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075633982 5 bytes JMP 00000001001003fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075637603 5 bytes JMP 0000000100100804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007563835c 5 bytes JMP 0000000100100600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007564f52b 5 bytes JMP 0000000100100a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000759b5181 5 bytes JMP 0000000100111014 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000759b5254 5 bytes JMP 0000000100110804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000759b53d5 5 bytes JMP 0000000100110a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000759b54c2 5 bytes JMP 0000000100110c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000759b55e2 5 bytes JMP 0000000100110e10 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000759b567c 5 bytes JMP 00000001001101f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000759b589f 5 bytes JMP 00000001001103fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000759b5a22 5 bytes JMP 0000000100110600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075cb1465 2 bytes [CB, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075cb14bb 2 bytes [CB, 75] .text ... * 2 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 000000005fc411a8 2 bytes [C4, 5F] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 000000005fc413a8 2 bytes [C4, 5F] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 000000005fc41422 2 bytes [C4, 5F] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 000000005fc41498 2 bytes [C4, 5F] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 195 0000000070431b41 2 bytes [43, 70] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 362 0000000070431be8 2 bytes [43, 70] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 418 0000000070431c20 2 bytes [43, 70] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 596 0000000070431cd2 2 bytes [43, 70] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9832] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 628 0000000070431cf2 2 bytes [43, 70] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077a8f991 8 bytes {MOV EDX, 0x903e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 15 0000000077a8f99b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 5 0000000077a8fa0d 8 bytes {MOV EDX, 0x901a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 15 0000000077a8fa17 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a8faa0 5 bytes JMP 00000001000c0600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 5 0000000077a8fb25 8 bytes {MOV EDX, 0x90168; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 15 0000000077a8fb2f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a8fb38 5 bytes JMP 00000001000c0804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077a8fbd5 8 bytes {MOV EDX, 0x90428; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 15 0000000077a8fbdf 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077a8fc05 8 bytes {MOV EDX, 0x90368; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 15 0000000077a8fc0f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077a8fc1d 8 bytes {MOV EDX, 0x90128; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 15 0000000077a8fc27 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077a8fc35 8 bytes {MOV EDX, 0x904e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 15 0000000077a8fc3f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077a8fc65 8 bytes {MOV EDX, 0x90528; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 15 0000000077a8fc6f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a8fc90 5 bytes JMP 00000001000c0c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077a8fce5 8 bytes {MOV EDX, 0x904a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 15 0000000077a8fcef 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077a8fcfd 8 bytes {MOV EDX, 0x90468; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 15 0000000077a8fd07 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077a8fd49 8 bytes {MOV EDX, 0x90068; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 15 0000000077a8fd53 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 5 0000000077a8fdad 8 bytes {MOV EDX, 0x902e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 15 0000000077a8fdb7 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077a8fe41 8 bytes {MOV EDX, 0x900a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 15 0000000077a8fe4b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 5 0000000077a8ff89 8 bytes {MOV EDX, 0x902a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 15 0000000077a8ff93 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a90018 5 bytes JMP 00000001000c0a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077a90099 8 bytes {MOV EDX, 0x90028; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 15 0000000077a900a3 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 5 0000000077a90781 8 bytes {MOV EDX, 0x90268; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 15 0000000077a9078b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 5 0000000077a90ffd 8 bytes {MOV EDX, 0x901e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 15 0000000077a91007 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant + 5 0000000077a9105d 8 bytes {MOV EDX, 0x90228; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant + 15 0000000077a91067 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077a910a5 8 bytes {MOV EDX, 0x903a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 15 0000000077a910af 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077a9111d 8 bytes {MOV EDX, 0x90328; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 15 0000000077a91127 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077a91321 8 bytes {MOV EDX, 0x900e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 15 0000000077a9132b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a91900 5 bytes JMP 00000001000c0e10 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aac45a 5 bytes JMP 00000001000c01f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ab1217 5 bytes JMP 00000001000c03fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 0000000076f8103d 5 bytes JMP 0000000100010030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000076f81072 5 bytes JMP 0000000100010070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\KERNELBASE.dll!CreateEventW 000000007553119f 5 bytes JMP 0000000100020030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\KERNELBASE.dll!OpenEventW 00000000755311cf 5 bytes JMP 0000000100020070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!GetDeviceCaps 0000000075bf4de0 5 bytes JMP 00000001000e03b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!SelectObject 0000000075bf4f70 5 bytes JMP 00000001000e05f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!SetBkMode 0000000075bf51a2 5 bytes JMP 00000001000e08f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!SetTextColor 0000000075bf522d 5 bytes JMP 00000001000e0a30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!DeleteObject 0000000075bf5689 5 bytes JMP 00000001000e01b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075bf58b3 5 bytes JMP 00000001000e0170 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!GetCurrentObject 0000000075bf6bad 5 bytes JMP 00000001000e0370 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!SaveDC 0000000075bf6e05 5 bytes JMP 00000001000e0570 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!RestoreDC 0000000075bf6ead 5 bytes JMP 00000001000e0530 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!SetStretchBltMode 0000000075bf7180 5 bytes JMP 00000001000e06b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!StretchDIBits 0000000075bf7435 5 bytes JMP 00000001000e0770 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075bf7bcc 5 bytes JMP 00000001000e00b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!IntersectClipRect 0000000075bf7dc4 5 bytes JMP 00000001000e03f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!GetTextAlign 0000000075bf7fd5 5 bytes JMP 00000001000e0d70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!GetTextMetricsW 0000000075bf82b2 5 bytes JMP 00000001000e0e30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!SetTextAlign 0000000075bf8401 5 bytes JMP 00000001000e09f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!ExtSelectClipRgn 0000000075bf879f 5 bytes JMP 00000001000e02f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!SelectClipRgn 0000000075bf8916 5 bytes JMP 00000001000e05b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!ExtTextOutW 0000000075bf8b7a 5 bytes JMP 00000001000e0970 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!MoveToEx 0000000075bf8ee6 5 bytes JMP 00000001000e0470 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!GetFontData 0000000075bf9875 5 bytes JMP 00000001000e0c70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!GetTextFaceW 0000000075bf9936 5 bytes JMP 00000001000e0d30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!Rectangle 0000000075bfa53a 5 bytes JMP 00000001000e09b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!GetClipBox 0000000075bfaf9f 5 bytes JMP 00000001000e0330 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!LineTo 0000000075bfb9e5 5 bytes JMP 00000001000e0430 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!SetICMMode 0000000075bfbd55 5 bytes JMP 00000001000e0db0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!CreateICW 0000000075bfc040 5 bytes JMP 00000001000e0130 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!GetTextExtentPoint32W 0000000075bfc107 5 bytes JMP 00000001000e0670 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!SetWorldTransform 0000000075bfc269 5 bytes JMP 00000001000e06f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!GetTextMetricsA 0000000075bfd1f1 5 bytes JMP 00000001000e0df0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!GetTextExtentPoint32A 0000000075bfd349 5 bytes JMP 00000001000e0630 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!ExtTextOutA 0000000075bfdce4 5 bytes JMP 00000001000e0930 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075bfe743 5 bytes JMP 00000001000e00f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!ExtEscape 0000000075c003b7 5 bytes JMP 00000001000e02b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!Escape 0000000075c01bda 5 bytes JMP 00000001000e0270 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!GetTextFaceA 0000000075c01e89 5 bytes JMP 00000001000e0cf0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!SetPolyFillMode 0000000075c04843 5 bytes JMP 00000001000e0b30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!SetMiterLimit 0000000075c05690 5 bytes JMP 00000001000e0b70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!EndPage 0000000075c06bde 5 bytes JMP 00000001000e0230 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!ResetDCW 0000000075c0e2db 5 bytes JMP 00000001000e0ab0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!GetGlyphOutlineW 0000000075c1940d 5 bytes JMP 00000001000e0cb0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!CreateScalableFontResourceW 0000000075c1c621 5 bytes JMP 00000001000e0bb0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!AddFontResourceW 0000000075c1d2b2 5 bytes JMP 00000001000e0bf0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!RemoveFontResourceW 0000000075c1d919 5 bytes JMP 00000001000e0c30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!AbortDoc 0000000075c23adc 5 bytes JMP 00000001000e0030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!EndDoc 0000000075c23f29 5 bytes JMP 00000001000e01f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!StartPage 0000000075c2401a 5 bytes JMP 00000001000e0730 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!StartDocW 0000000075c24c51 5 bytes JMP 00000001000e07f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!BeginPath 0000000075c253fd 5 bytes JMP 00000001000e0830 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!SelectClipPath 0000000075c25454 5 bytes JMP 00000001000e0af0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!CloseFigure 0000000075c254af 5 bytes JMP 00000001000e0070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!EndPath 0000000075c25506 5 bytes JMP 00000001000e0a70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!StrokePath 0000000075c2573f 5 bytes JMP 00000001000e07b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!FillPath 0000000075c257d2 5 bytes JMP 00000001000e0870 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!PolylineTo 0000000075c25c44 5 bytes JMP 00000001000e04f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!PolyBezierTo 0000000075c25cd5 5 bytes JMP 00000001000e04b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\GDI32.dll!PolyDraw 0000000075c25d87 5 bytes JMP 00000001000e08b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!MapWindowPoints 0000000075628c40 5 bytes JMP 00000001002a0570 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000075629ebd 5 bytes JMP 00000001002a02b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007562ee09 5 bytes JMP 00000001002b01f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatA 0000000075630afa 5 bytes JMP 00000001002a02f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!GetClientRect 0000000075630c62 7 bytes JMP 00000001002a05b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!GetParent 0000000075630f68 7 bytes JMP 00000001002a06f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!IsWindowVisible 000000007563112d 7 bytes JMP 00000001002a06b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756312a5 5 bytes JMP 00000001002a05f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!ScreenToClient 000000007563227d 7 bytes JMP 00000001002a0670 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!MonitorFromWindow 0000000075633150 7 bytes JMP 00000001002a0630 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075633982 5 bytes JMP 00000001002b03fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!SetCursor 00000000756341f6 5 bytes JMP 00000001002a0530 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!GetClipboardFormatNameA 00000000756368ef 5 bytes JMP 00000001002a0270 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075637603 5 bytes JMP 00000001002b0804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!GetClipboardFormatNameW 00000000756377fa 5 bytes JMP 00000001002a0230 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!GetTopWindow 0000000075637887 7 bytes JMP 00000001002a0730 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007563835c 5 bytes JMP 00000001002b0600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!IsClipboardFormatAvailable 0000000075638676 5 bytes JMP 00000001002a00f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!GetClipboardSequenceNumber 0000000075638696 5 bytes JMP 00000001002a0330 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!CloseClipboard 0000000075638e8d 5 bytes JMP 00000001002a00b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!OpenClipboard 0000000075638ecb 5 bytes JMP 00000001002a0070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!ChangeClipboardChain 000000007563c17b 5 bytes JMP 00000001002a0430 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!EnumClipboardFormats 000000007563c449 5 bytes JMP 00000001002a01b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!GetOpenClipboardWindow 000000007563c468 5 bytes JMP 00000001002a03f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!CountClipboardFormats 000000007563c486 5 bytes JMP 00000001002a01f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007563c4b6 5 bytes JMP 00000001002a04b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!ActivateKeyboardLayout 000000007563d6c0 5 bytes JMP 00000001002a04f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!GetClipboardOwner 000000007563e360 5 bytes JMP 00000001002a0370 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007564f52b 5 bytes JMP 00000001002b0a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!SetClipboardData 0000000075668e57 5 bytes JMP 00000001002a0170 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!SetCursorPos 0000000075669cfd 5 bytes JMP 00000001002a0770 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075669f1d 5 bytes JMP 00000001002a0030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!EmptyClipboard 0000000075687cb9 5 bytes JMP 00000001002a0130 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!GetClipboardViewer 0000000075688111 5 bytes JMP 00000001002a0470 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\USER32.dll!GetPriorityClipboardFormat 000000007568832f 5 bytes JMP 00000001002a03b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000759b5181 5 bytes JMP 00000001002c1014 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000759b5254 5 bytes JMP 00000001002c0804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000759b53d5 5 bytes JMP 00000001002c0a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000759b54c2 5 bytes JMP 00000001002c0c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000759b55e2 5 bytes JMP 00000001002c0e10 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000759b567c 5 bytes JMP 00000001002c01f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000759b589f 5 bytes JMP 00000001002c03fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000759b5a22 5 bytes JMP 00000001002c0600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\SspiCli.dll!FreeContextBuffer 0000000075169606 5 bytes JMP 00000001002d00f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\SspiCli.dll!FreeCredentialsHandle 0000000075170581 5 bytes JMP 00000001002d0130 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\SspiCli.dll!DeleteSecurityContext 0000000075170bb9 5 bytes JMP 00000001002d0270 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\SspiCli.dll!ApplyControlToken 0000000075170c2e 5 bytes JMP 00000001002d01b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\SspiCli.dll!QueryContextAttributesA 0000000075170f2e 5 bytes JMP 00000001002d0070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\SspiCli.dll!QueryCredentialsAttributesA 0000000075171096 5 bytes JMP 00000001002d00b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007517124e 5 bytes JMP 00000001002d01f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\SspiCli.dll!DecryptMessage 000000007517129d 5 bytes JMP 00000001002d0230 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\SspiCli.dll!AcquireCredentialsHandleA 0000000075171527 5 bytes JMP 00000001002d0030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\SspiCli.dll!InitializeSecurityContextA 0000000075171590 5 bytes JMP 00000001002d0170 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\ole32.dll!OleSetClipboard 0000000075d20045 5 bytes JMP 00000001002e0030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\ole32.dll!OleIsCurrentClipboard 0000000075d236b2 5 bytes JMP 00000001002e0070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\ole32.dll!OleGetClipboard 0000000075d4fdcd 5 bytes JMP 00000001002e00b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075cb1465 2 bytes [CB, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075cb14bb 2 bytes [CB, 75] .text ... * 2 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 000000005fc411a8 2 bytes [C4, 5F] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 000000005fc413a8 2 bytes [C4, 5F] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 000000005fc41422 2 bytes [C4, 5F] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[9708] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 000000005fc41498 2 bytes [C4, 5F] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a91900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ab1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007562ee09 5 bytes JMP 00000001001401f8 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075633982 5 bytes JMP 00000001001403fc .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075637603 5 bytes JMP 0000000100140804 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007563835c 5 bytes JMP 0000000100140600 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007564f52b 5 bytes JMP 0000000100140a08 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000759b5181 5 bytes JMP 0000000100151014 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000759b5254 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000759b53d5 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000759b54c2 5 bytes JMP 0000000100150c0c .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000759b55e2 5 bytes JMP 0000000100150e10 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000759b567c 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000759b589f 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000759b5a22 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075cb1465 2 bytes [CB, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075cb14bb 2 bytes [CB, 75] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 000000005fc411a8 2 bytes [C4, 5F] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 000000005fc413a8 2 bytes [C4, 5F] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 000000005fc41422 2 bytes [C4, 5F] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5408] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 000000005fc41498 2 bytes [C4, 5F] .text C:\Windows\system32\SearchProtocolHost.exe[8816] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Windows\system32\SearchProtocolHost.exe[8816] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1f6e00 5 bytes JMP 000007ff7e211dac .text C:\Windows\system32\SearchProtocolHost.exe[8816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1f6f2c 5 bytes JMP 000007ff7e210ecc .text C:\Windows\system32\SearchProtocolHost.exe[8816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1f7220 5 bytes JMP 000007ff7e211284 .text C:\Windows\system32\SearchProtocolHost.exe[8816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1f739c 5 bytes JMP 000007ff7e21163c .text C:\Windows\system32\SearchProtocolHost.exe[8816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1f7538 5 bytes JMP 000007ff7e2119f4 .text C:\Windows\system32\SearchProtocolHost.exe[8816] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1f75e8 5 bytes JMP 000007ff7e2103a4 .text C:\Windows\system32\SearchProtocolHost.exe[8816] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1f790c 5 bytes JMP 000007ff7e21075c .text C:\Windows\system32\SearchProtocolHost.exe[8816] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1f7ab4 5 bytes JMP 000007ff7e210b14 .text C:\Windows\system32\taskhost.exe[10888] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778b3ae0 5 bytes JMP 000000010026075c .text C:\Windows\system32\taskhost.exe[10888] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778b7a90 5 bytes JMP 00000001002603a4 .text C:\Windows\system32\taskhost.exe[10888] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778e1490 5 bytes JMP 0000000100260b14 .text C:\Windows\system32\taskhost.exe[10888] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778e14f0 5 bytes JMP 0000000100260ecc .text C:\Windows\system32\taskhost.exe[10888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778e15d0 5 bytes JMP 000000010026163c .text C:\Windows\system32\taskhost.exe[10888] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778e1810 5 bytes JMP 0000000100261284 .text C:\Windows\system32\taskhost.exe[10888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778e2840 5 bytes JMP 00000001002619f4 .text C:\Windows\system32\taskhost.exe[10888] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007720eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[10888] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1f6e00 5 bytes JMP 000007ff7e211dac .text C:\Windows\system32\taskhost.exe[10888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1f6f2c 5 bytes JMP 000007ff7e210ecc .text C:\Windows\system32\taskhost.exe[10888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1f7220 5 bytes JMP 000007ff7e211284 .text C:\Windows\system32\taskhost.exe[10888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1f739c 5 bytes JMP 000007ff7e21163c .text C:\Windows\system32\taskhost.exe[10888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1f7538 5 bytes JMP 000007ff7e2119f4 .text C:\Windows\system32\taskhost.exe[10888] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1f75e8 5 bytes JMP 000007ff7e2103a4 .text C:\Windows\system32\taskhost.exe[10888] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1f790c 5 bytes JMP 000007ff7e21075c .text C:\Windows\system32\taskhost.exe[10888] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1f7ab4 5 bytes JMP 000007ff7e210b14 .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a8faa0 5 bytes JMP 0000000100030600 .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a8fb38 5 bytes JMP 0000000100030804 .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a8fc90 5 bytes JMP 0000000100030c0c .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a90018 5 bytes JMP 0000000100030a08 .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a91900 5 bytes JMP 0000000100030e10 .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aac45a 5 bytes JMP 00000001000301f8 .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ab1217 5 bytes JMP 00000001000303fc .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076faa30a 1 byte [62] .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000759b5181 5 bytes JMP 0000000100241014 .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000759b5254 5 bytes JMP 0000000100240804 .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000759b53d5 5 bytes JMP 0000000100240a08 .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000759b54c2 5 bytes JMP 0000000100240c0c .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000759b55e2 5 bytes JMP 0000000100240e10 .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000759b567c 5 bytes JMP 00000001002401f8 .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000759b589f 5 bytes JMP 00000001002403fc .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000759b5a22 5 bytes JMP 0000000100240600 .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007562ee09 5 bytes JMP 00000001002501f8 .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075633982 5 bytes JMP 00000001002503fc .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075637603 5 bytes JMP 0000000100250804 .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007563835c 5 bytes JMP 0000000100250600 .text C:\Users\Konrad\Downloads\6g1h9y6t.exe[5900] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007564f52b 5 bytes JMP 0000000100250a08 ---- Threads - GMER 2.1 ---- Thread C:\Program Files (x86)\Internet Explorer\iexplore.exe [4464:4896] 00000000030bddb0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@ImagePath \??\C:\Windows\system32\drivers\aswFW.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@DisplayName avast! TDI Firewall Driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Description avast! TDI Firewall Driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Tag 12 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Description avast! keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Tag 7 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Manages and implements avast! antivirus services for this computer. This includes the resident protection, the virus chest and the scheduler. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ImagePath "C:\Program Files\AVAST Software\Avast\afwServ.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@DisplayName avast! Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Description Implements main functionality for avast! Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{DE4F2353-C0D7-474F-8C6A-80ABC7ED3D6D}@LeaseObtainedTime 1363716272 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{DE4F2353-C0D7-474F-8C6A-80ABC7ED3D6D}@T1 1363718072 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{DE4F2353-C0D7-474F-8C6A-80ABC7ED3D6D}@T2 1363719422 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{DE4F2353-C0D7-474F-8C6A-80ABC7ED3D6D}@LeaseTerminatesTime 1363719872 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@ImagePath \??\C:\Windows\system32\drivers\aswFW.sys Reg HKLM\SYSTEM\ControlSet002\services\aswFW@DisplayName avast! TDI Firewall Driver Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswFW@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Description avast! TDI Firewall Driver Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Tag 12 Reg HKLM\SYSTEM\ControlSet002\services\aswFW\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFW\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswFW\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Description avast! keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Tag 7 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 3 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Manages and implements avast! antivirus services for this computer. This includes the resident protection, the virus chest and the scheduler. Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ImagePath "C:\Program Files\AVAST Software\Avast\afwServ.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@DisplayName avast! Firewall Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Description Implements main functionality for avast! Firewall ---- Files - GMER 2.1 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\catchme.3XE_{9b9a5111-90b3-11e2-bd7b-e89a8f8fadec} 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ComboFix.exe_{7160791e-90af-11e2-bd7b-e89a8f8fadec} 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ComboFix.exe_{7160791e-90af-11e2-bd7b-e89a8f8fadec}\C 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ComboFix.exe_{7160791e-90af-11e2-bd7b-e89a8f8fadec}\C\Users 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ComboFix.exe_{7160791e-90af-11e2-bd7b-e89a8f8fadec}\C\Users\Konrad 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ComboFix.exe_{7160791e-90af-11e2-bd7b-e89a8f8fadec}\C\Users\Konrad\AppData 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ComboFix.exe_{7160791e-90af-11e2-bd7b-e89a8f8fadec}\C\Users\Konrad\AppData\Local 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ComboFix.exe_{7160791e-90af-11e2-bd7b-e89a8f8fadec}\C\Users\Konrad\AppData\Local\Temp 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ComboFix.exe_{7160791e-90af-11e2-bd7b-e89a8f8fadec}\C\Users\Konrad\AppData\Local\Temp\nsp6A13.tmp 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ComboFix.exe_{7160791e-90af-11e2-bd7b-e89a8f8fadec}\C\Users\Konrad\AppData\Local\Temp\nsp6A13.tmp\System.dll 11264 bytes executable File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ERUNT.3XET.3XE_{9b9a59de-90b3-11e2-bd7b-e89a8f8fadec} 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ERUNT.3XET.3XE_{9b9a59de-90b3-11e2-bd7b-e89a8f8fadec}\C 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ERUNT.3XET.3XE_{9b9a59de-90b3-11e2-bd7b-e89a8f8fadec}\C\ComboFix 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ERUNT.3XE_{71607930-90af-11e2-bd7b-e89a8f8fadec} 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ERUNT.3XE_{71607930-90af-11e2-bd7b-e89a8f8fadec}\C 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ERUNT.3XE_{71607930-90af-11e2-bd7b-e89a8f8fadec}\C\Windows 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ERUNT.3XE_{71607930-90af-11e2-bd7b-e89a8f8fadec}\C\Windows\erdnt 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ERUNT.3XE_{71607930-90af-11e2-bd7b-e89a8f8fadec}\C\Windows\erdnt\Hiv-backup 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ERUNT.3XE_{71607930-90af-11e2-bd7b-e89a8f8fadec}\C\Windows\erdnt\Hiv-backup\ERDNT.CON 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\ERUNT.3XE_{71607930-90af-11e2-bd7b-e89a8f8fadec}\C\Windows\erdnt\Hiv-backup\ERDNT.INF 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\mtee.3XE_{9b9a3a0b-90b3-11e2-bd7b-e89a8f8fadec} 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\NirCmd.3XEd.3X_{71607e97-90af-11e2-bd7b-e89a8f8fadec} 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\rmbr.3XE_{71607b1f-90af-11e2-bd7b-e89a8f8fadec} 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\sed.3XE_{71607ad0-90af-11e2-bd7b-e89a8f8fadec} 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\swreg.3XE_{71607985-90af-11e2-bd7b-e89a8f8fadec} 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\r197\swxcacls.3XE_{7160796e-90af-11e2-bd7b-e89a8f8fadec} 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\webStorage 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\webStorage\C 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\webStorage\C\Users 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\webStorage\C\Users\Konrad 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\webStorage\C\Users\Konrad\AppData 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\webStorage\C\Users\Konrad\AppData\Local 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\webStorage\C\Users\Konrad\AppData\Local\Microsoft 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\webStorage\C\Users\Konrad\AppData\Local\Microsoft\Windows 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\webStorage\C\Users\Konrad\AppData\Local\Microsoft\Windows\Explorer 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\webStorage\C\Users\Konrad\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl 16384 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\webStorage\C\Windows 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\webStorage\C\Windows\INF 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\webStorage\C\Windows\INF\setupapi.app.log 107235 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\webStorage\C\Windows\Prefetch 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\webStorage\C\Windows\Prefetch\RUNONCE.EXE-0E293DD6.pf 39802 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\webStorage\C\Windows\System32 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\webStorage\C\Windows\System32\DriverStore 0 bytes File C:\avast! sandbox\S-1-5-21-192333895-627899723-595940092-1001\webStorage\snx_fs.dat 1872 bytes File C:\avast! sandbox\snx_rhive 262144 bytes File C:\avast! sandbox\snx_rhive.LOG1 29696 bytes File C:\avast! sandbox\snx_rhive.LOG2 0 bytes File C:\avast! sandbox\snx_rhive{ddb291ad-9068-11e2-bd7b-e89a8f8fadec}.TM.blf 65536 bytes File C:\avast! sandbox\snx_rhive{ddb291ad-9068-11e2-bd7b-e89a8f8fadec}.TMContainer00000000000000000001.regtrans-ms 524288 bytes File C:\avast! sandbox\snx_rhive{ddb291ad-9068-11e2-bd7b-e89a8f8fadec}.TMContainer00000000000000000002.regtrans-ms 524288 bytes ---- EOF - GMER 2.1 ----