GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-04-22 13:08:23 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545050B9A300 rev.PB4OC66G 465,76GB Running: ynioc2mv.exe; Driver: C:\Users\Barbara\AppData\Local\Temp\uglyypow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[568] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Windows\system32\services.exe[628] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[676] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[704] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[804] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text D:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe[860] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007674a30a 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[280] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[440] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1036] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007674a30a 1 byte [62] .text C:\Windows\system32\svchost.exe[1200] C:\Windows\system32\kernel32.dll!GetBinaryTypeW 
+ 189 0000000076b7eecd 1 byte [62] .text C:\Windows\system32\WLANExt.exe[1292] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1604] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1812] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007674a30a 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1832] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1884] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1968] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007674a30a 1 byte [62] .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1312] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f3faa0 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f3fb38 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f3fc90 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f40018 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f41900 5 bytes JMP 0000000100030e10 .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f5c45a 5 bytes JMP 00000001000301f8 
.text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f61217 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007674a30a 1 byte [62] .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000766f5181 5 bytes JMP 0000000100231014 .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000766f5254 5 bytes JMP 0000000100230804 .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000766f53d5 5 bytes JMP 0000000100230a08 .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000766f54c2 5 bytes JMP 0000000100230c0c .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000766f55e2 5 bytes JMP 0000000100230e10 .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000766f567c 5 bytes JMP 00000001002301f8 .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000766f589f 5 bytes JMP 00000001002303fc .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000766f5a22 5 bytes JMP 0000000100230600 .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee09 5 bytes JMP 00000001002401f8 .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000751d3982 5 bytes JMP 00000001002403fc .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7603 5 bytes JMP 0000000100240804 .text C:\Windows\SysWOW64\Rezip.exe[2312] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d835c 5 bytes JMP 0000000100240600 .text C:\Windows\SysWOW64\Rezip.exe[2312] 
C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000751ef52b 5 bytes JMP 0000000100240a08 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f3faa0 5 bytes JMP 0000000100030600 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f3fb38 5 bytes JMP 0000000100030804 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f3fc90 5 bytes JMP 0000000100030c0c .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f40018 5 bytes JMP 0000000100030a08 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f41900 5 bytes JMP 0000000100030e10 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f5c45a 5 bytes JMP 00000001000301f8 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f61217 5 bytes JMP 00000001000303fc .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007674a30a 1 byte [62] .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee09 5 bytes JMP 00000001002301f8 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000751d3982 5 bytes JMP 00000001002303fc .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7603 5 bytes JMP 0000000100230804 .text D:\Program Files (x86)\Spybot - Search & 
Destroy 2\SDFSSvc.exe[2356] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d835c 5 bytes JMP 0000000100230600 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000751ef52b 5 bytes JMP 0000000100230a08 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000766f5181 5 bytes JMP 0000000100241014 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000766f5254 5 bytes JMP 0000000100240804 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000766f53d5 5 bytes JMP 0000000100240a08 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000766f54c2 5 bytes JMP 0000000100240c0c .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000766f55e2 5 bytes JMP 0000000100240e10 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000766f567c 5 bytes JMP 00000001002401f8 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000766f589f 5 bytes JMP 00000001002403fc .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000766f5a22 5 bytes JMP 0000000100240600 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000074de1465 2 bytes [DE, 74] .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2356] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000074de14bb 2 bytes 
[DE, 74] .text ... * 2 .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 000000010026075c .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 00000001002603a4 .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 0000000100260b14 .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 0000000100260ecc .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 000000010026163c .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 0000000100261284 .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 00000001002619f4 .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 5 bytes JMP 000007ff7d1b19f4 .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text 
C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 00000001001e075c .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 00000001001e03a4 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 00000001001e0b14 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 00000001001e0ecc .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 00000001001e163c .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 00000001001e1284 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 00000001001e19f4 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 
000007fefd197538 5 bytes JMP 000007ff7d1b19f4 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 5 bytes JMP 000007ff7d1b19f4 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Windows\system32\svchost.exe[2716] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text C:\Windows\System32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 00000001001a075c .text C:\Windows\System32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 00000001001a03a4 .text 
C:\Windows\System32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 00000001001a0b14 .text C:\Windows\System32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 00000001001a0ecc .text C:\Windows\System32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 00000001001a163c .text C:\Windows\System32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 00000001001a1284 .text C:\Windows\System32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 00000001001a19f4 .text C:\Windows\System32\svchost.exe[2752] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac .text C:\Windows\System32\svchost.exe[2752] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Windows\System32\svchost.exe[2752] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Windows\System32\svchost.exe[2752] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Windows\System32\svchost.exe[2752] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 5 bytes JMP 000007ff7d1b19f4 .text C:\Windows\System32\svchost.exe[2752] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text C:\Windows\System32\svchost.exe[2752] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Windows\System32\svchost.exe[2752] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text C:\Windows\System32\svchost.exe[2752] C:\Windows\system32\USER32.dll!UnhookWinEvent 0000000076c48550 5 bytes JMP 000000010047075c .text 
C:\Windows\System32\svchost.exe[2752] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 0000000076c4d440 5 bytes JMP 0000000100471284 .text C:\Windows\System32\svchost.exe[2752] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076c4f874 5 bytes JMP 0000000100470ecc .text C:\Windows\System32\svchost.exe[2752] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000076c54d4c 5 bytes JMP 00000001004703a4 .text C:\Windows\System32\svchost.exe[2752] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076c68c20 5 bytes JMP 0000000100470b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2788] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 000000010022075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2788] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 00000001002203a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2788] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 0000000100220b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2788] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 0000000100220ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 000000010022163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2788] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 0000000100221284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 00000001002219f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2788] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Program Files\Common 
Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2788] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2788] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2788] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2788] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2788] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 5 bytes JMP 000007ff7d1b19f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2788] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2788] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2788] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f3faa0 5 bytes JMP 0000000100030600 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f3fb38 5 bytes JMP 0000000100030804 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f3fc90 5 bytes JMP 0000000100030c0c .text D:\Program Files (x86)\Spybot - Search & Destroy 
2\SDUpdSvc.exe[2928] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f40018 5 bytes JMP 0000000100030a08 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f41900 5 bytes JMP 0000000100030e10 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f5c45a 5 bytes JMP 00000001000301f8 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f61217 5 bytes JMP 00000001000303fc .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007674a30a 1 byte [62] .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee09 5 bytes JMP 00000001002401f8 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000751d3982 5 bytes JMP 00000001002403fc .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7603 5 bytes JMP 0000000100240804 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d835c 5 bytes JMP 0000000100240600 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000751ef52b 5 bytes JMP 0000000100240a08 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000766f5181 5 bytes JMP 0000000100251014 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000766f5254 5 bytes JMP 0000000100250804 .text 
D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000766f53d5 5 bytes JMP 0000000100250a08 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000766f54c2 5 bytes JMP 0000000100250c0c .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000766f55e2 5 bytes JMP 0000000100250e10 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000766f567c 5 bytes JMP 00000001002501f8 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000766f589f 5 bytes JMP 00000001002503fc .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2928] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000766f5a22 5 bytes JMP 0000000100250600 .text C:\Windows\Explorer.EXE[2968] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 00000001002d075c .text C:\Windows\Explorer.EXE[2968] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 00000001002d03a4 .text C:\Windows\Explorer.EXE[2968] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 00000001002d0b14 .text C:\Windows\Explorer.EXE[2968] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 00000001002d0ecc .text C:\Windows\Explorer.EXE[2968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 00000001002d163c .text C:\Windows\Explorer.EXE[2968] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 00000001002d1284 .text C:\Windows\Explorer.EXE[2968] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 00000001002d19f4 .text C:\Windows\Explorer.EXE[2968] 
C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Windows\Explorer.EXE[2968] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac .text C:\Windows\Explorer.EXE[2968] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Windows\Explorer.EXE[2968] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Windows\Explorer.EXE[2968] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Windows\Explorer.EXE[2968] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 5 bytes JMP 000007ff7d1b19f4 .text C:\Windows\Explorer.EXE[2968] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text C:\Windows\Explorer.EXE[2968] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Windows\Explorer.EXE[2968] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3036] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3036] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 5 bytes JMP 000007ff7d1b19f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3036] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3036] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3036] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f3faa0 5 bytes JMP 0000000100030600 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f3fb38 5 bytes JMP 0000000100030804 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f3fc90 5 bytes JMP 0000000100030c0c .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f40018 5 bytes JMP 0000000100030a08 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f41900 5 bytes JMP 0000000100030e10 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f5c45a 5 bytes JMP 00000001000301f8 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f61217 5 bytes JMP 00000001000303fc .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007674a30a 1 byte [62] .text 
D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee09 5 bytes JMP 00000001000901f8 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000751d3982 5 bytes JMP 00000001000903fc .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7603 5 bytes JMP 0000000100090804 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d835c 5 bytes JMP 0000000100090600 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000751ef52b 5 bytes JMP 0000000100090a08 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000766f5181 5 bytes JMP 00000001000e1014 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000766f5254 5 bytes JMP 00000001000e0804 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000766f53d5 5 bytes JMP 00000001000e0a08 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000766f54c2 5 bytes JMP 00000001000e0c0c .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000766f55e2 5 bytes JMP 00000001000e0e10 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000766f567c 5 bytes JMP 00000001000e01f8 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] 
C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000766f589f 5 bytes JMP 00000001000e03fc .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2200] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000766f5a22 5 bytes JMP 00000001000e0600 .text C:\Windows\system32\taskeng.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 00000001003b075c .text C:\Windows\system32\taskeng.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 00000001003b03a4 .text C:\Windows\system32\taskeng.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 00000001003b0b14 .text C:\Windows\system32\taskeng.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 00000001003b0ecc .text C:\Windows\system32\taskeng.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 00000001003b163c .text C:\Windows\system32\taskeng.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 00000001003b1284 .text C:\Windows\system32\taskeng.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 00000001003b19f4 .text C:\Windows\system32\taskeng.exe[3276] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac .text C:\Windows\system32\taskeng.exe[3276] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Windows\system32\taskeng.exe[3276] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Windows\system32\taskeng.exe[3276] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Windows\system32\taskeng.exe[3276] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 5 bytes JMP 000007ff7d1b19f4 .text C:\Windows\system32\taskeng.exe[3276] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text C:\Windows\system32\taskeng.exe[3276] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Windows\system32\taskeng.exe[3276] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text C:\Windows\system32\svchost.exe[3288] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac .text C:\Windows\system32\svchost.exe[3288] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Windows\system32\svchost.exe[3288] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Windows\system32\svchost.exe[3288] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Windows\system32\svchost.exe[3288] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 5 bytes JMP 000007ff7d1b19f4 .text C:\Windows\system32\svchost.exe[3288] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text C:\Windows\system32\svchost.exe[3288] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Windows\system32\svchost.exe[3288] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text C:\Windows\system32\svchost.exe[3836] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac .text C:\Windows\system32\svchost.exe[3836] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Windows\system32\svchost.exe[3836] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Windows\system32\svchost.exe[3836] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Windows\system32\svchost.exe[3836] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 5 bytes JMP 000007ff7d1b19f4 .text C:\Windows\system32\svchost.exe[3836] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text C:\Windows\system32\svchost.exe[3836] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Windows\system32\svchost.exe[3836] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text C:\Program Files\Elantech\ETDCtrl.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 000000010038075c .text C:\Program Files\Elantech\ETDCtrl.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 00000001003803a4 .text C:\Program Files\Elantech\ETDCtrl.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 0000000100380b14 .text C:\Program Files\Elantech\ETDCtrl.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 0000000100380ecc .text C:\Program Files\Elantech\ETDCtrl.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 000000010038163c .text C:\Program Files\Elantech\ETDCtrl.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 0000000100381284 .text C:\Program Files\Elantech\ETDCtrl.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 00000001003819f4 .text C:\Program Files\Elantech\ETDCtrl.exe[3924] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Program Files\Elantech\ETDCtrl.exe[3924] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac .text C:\Program 
Files\Elantech\ETDCtrl.exe[3924] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Program Files\Elantech\ETDCtrl.exe[3924] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Program Files\Elantech\ETDCtrl.exe[3924] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Program Files\Elantech\ETDCtrl.exe[3924] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 5 bytes JMP 000007ff7d1b19f4 .text C:\Program Files\Elantech\ETDCtrl.exe[3924] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text C:\Program Files\Elantech\ETDCtrl.exe[3924] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Program Files\Elantech\ETDCtrl.exe[3924] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 000000010040075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 00000001004003a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 0000000100400b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 0000000100400ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 000000010040163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 0000000100401284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4016] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 00000001004019f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4016] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4016] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 5 bytes JMP 000007ff7d1b19f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4016] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4016] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4016] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 00000001003e075c .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 00000001003e03a4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 00000001003e0b14 .text C:\Program 
Files\WIDCOMM\Bluetooth Software\BTTray.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 00000001003e0ecc .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 00000001003e163c .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 00000001003e1284 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 00000001003e19f4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2284] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2284] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2284] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2284] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2284] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2284] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 5 bytes JMP 000007ff7d1b19f4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2284] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2284] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Program Files\WIDCOMM\Bluetooth 
Software\BTTray.exe[2284] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text C:\Windows\system32\SearchIndexer.exe[224] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 00000001002d075c .text C:\Windows\system32\SearchIndexer.exe[224] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 00000001002d03a4 .text C:\Windows\system32\SearchIndexer.exe[224] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 00000001002d0b14 .text C:\Windows\system32\SearchIndexer.exe[224] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 00000001002d0ecc .text C:\Windows\system32\SearchIndexer.exe[224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 00000001002d163c .text C:\Windows\system32\SearchIndexer.exe[224] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 00000001002d1284 .text C:\Windows\system32\SearchIndexer.exe[224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 00000001002d19f4 .text C:\Windows\system32\SearchIndexer.exe[224] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[224] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac .text C:\Windows\system32\SearchIndexer.exe[224] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Windows\system32\SearchIndexer.exe[224] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Windows\system32\SearchIndexer.exe[224] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Windows\system32\SearchIndexer.exe[224] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 5 bytes JMP 000007ff7d1b19f4 
.text C:\Windows\system32\SearchIndexer.exe[224] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text C:\Windows\system32\SearchIndexer.exe[224] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Windows\system32\SearchIndexer.exe[224] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text D:\Program Files\AVAST Software\Avast\AvastUI.exe[3952] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007674a30a 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3256] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f3faa0 5 bytes JMP 0000000100030600 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f3fb38 5 bytes JMP 0000000100030804 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f3fc90 5 bytes JMP 0000000100030c0c .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f40018 5 bytes JMP 0000000100030a08 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f41900 5 bytes JMP 0000000100030e10 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f5c45a 5 bytes JMP 00000001000301f8 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f61217 5 bytes JMP 00000001000303fc .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] 
C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007674a30a 1 byte [62] .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee09 5 bytes JMP 00000001002401f8 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000751d3982 5 bytes JMP 00000001002403fc .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7603 5 bytes JMP 0000000100240804 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d835c 5 bytes JMP 0000000100240600 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000751ef52b 5 bytes JMP 0000000100240a08 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000766f5181 5 bytes JMP 0000000100251014 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000766f5254 5 bytes JMP 0000000100250804 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000766f53d5 5 bytes JMP 0000000100250a08 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000766f54c2 5 bytes JMP 0000000100250c0c .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000766f55e2 5 bytes JMP 0000000100250e10 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000766f567c 5 bytes JMP 00000001002501f8 .text D:\Program Files (x86)\Spybot 
- Search & Destroy 2\SDTray.exe[4116] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000766f589f 5 bytes JMP 00000001002503fc .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000766f5a22 5 bytes JMP 0000000100250600 .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000074de1465 2 bytes [DE, 74] .text D:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4116] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000074de14bb 2 bytes [DE, 74] .text ... * 2 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 00000001001c075c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 00000001001c03a4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 00000001001c0b14 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 00000001001c0ecc .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 00000001001c163c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 00000001001c1284 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 00000001001c19f4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4272] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4272] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac .text 
C:\Program Files\Elantech\ETDCtrlHelper.exe[4272] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4272] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4272] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4272] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 5 bytes JMP 000007ff7d1b19f4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4272] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4272] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4272] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 00000001003a075c .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 00000001003a03a4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 00000001003a0b14 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 00000001003a0ecc .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 00000001003a163c .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4364] 
C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 00000001003a1284 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 00000001003a19f4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4364] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4364] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4364] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4364] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4364] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4364] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 5 bytes JMP 000007ff7d1b19f4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4364] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4364] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4364] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f3faa0 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\RunDll32.exe[4508] 
C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f3fb38 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f3fc90 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f40018 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f41900 5 bytes JMP 0000000100030e10 .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f5c45a 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f61217 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007674a30a 1 byte [62] .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee09 5 bytes JMP 00000001000e01f8 .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000751d3982 5 bytes JMP 00000001000e03fc .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7603 5 bytes JMP 00000001000e0804 .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d835c 5 bytes JMP 00000001000e0600 .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000751ef52b 5 bytes JMP 00000001000e0a08 .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000766f5181 5 bytes JMP 00000001000f1014 .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000766f5254 5 bytes JMP 00000001000f0804 .text C:\Windows\SysWOW64\RunDll32.exe[4508] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000766f53d5 5 bytes JMP 00000001000f0a08 .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000766f54c2 5 bytes JMP 00000001000f0c0c .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000766f55e2 5 bytes JMP 00000001000f0e10 .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000766f567c 5 bytes JMP 00000001000f01f8 .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000766f589f 5 bytes JMP 00000001000f03fc .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000766f5a22 5 bytes JMP 00000001000f0600 .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074de1465 2 bytes [DE, 74] .text C:\Windows\SysWOW64\RunDll32.exe[4508] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074de14bb 2 bytes [DE, 74] .text ... 
* 2 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f3faa0 5 bytes JMP 0000000100030600 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f3fb38 5 bytes JMP 0000000100030804 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f3fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f40018 5 bytes JMP 0000000100030a08 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f41900 5 bytes JMP 0000000100030e10 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f5c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f61217 5 bytes JMP 00000001000303fc .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007674a30a 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee09 5 bytes JMP 00000001001d01f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000751d3982 5 bytes JMP 00000001001d03fc .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7603 5 bytes JMP 00000001001d0804 .text C:\Program Files\WIDCOMM\Bluetooth 
Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d835c 5 bytes JMP 00000001001d0600 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000751ef52b 5 bytes JMP 00000001001d0a08 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000766f5181 5 bytes JMP 00000001001e1014 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000766f5254 5 bytes JMP 00000001001e0804 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000766f53d5 5 bytes JMP 00000001001e0a08 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000766f54c2 5 bytes JMP 00000001001e0c0c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000766f55e2 5 bytes JMP 00000001001e0e10 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000766f567c 5 bytes JMP 00000001001e01f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000766f589f 5 bytes JMP 00000001001e03fc .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4584] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000766f5a22 5 bytes JMP 00000001001e0600 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 000000010038075c .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 
00000001003803a4 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 0000000100380b14 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 0000000100380ecc .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 000000010038163c .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 0000000100381284 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 00000001003819f4 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 5 bytes JMP 000007ff7d1b19f4 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text C:\Windows\system32\DllHost.exe[4460] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac 
.text C:\Windows\system32\DllHost.exe[4460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Windows\system32\DllHost.exe[4460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Windows\system32\DllHost.exe[4460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Windows\system32\DllHost.exe[4460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 5 bytes JMP 000007ff7d1b19f4 .text C:\Windows\system32\DllHost.exe[4460] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text C:\Windows\system32\DllHost.exe[4460] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Windows\system32\DllHost.exe[4460] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text C:\Program Files\Internet Explorer\iexplore.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 6 bytes {NOP ; JMP 0xffffffff8947cc7c} .text C:\Program Files\Internet Explorer\iexplore.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 6 bytes {NOP ; JMP 0xffffffff89478914} .text C:\Program Files\Internet Explorer\iexplore.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 6 bytes {NOP ; JMP 0xffffffff8944f684} .text C:\Program Files\Internet Explorer\iexplore.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 6 bytes {NOP ; JMP 0xffffffff8944f9dc} .text C:\Program Files\Internet Explorer\iexplore.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 6 bytes {NOP ; JMP 0xffffffff8945006c} .text C:\Program Files\Internet Explorer\iexplore.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 6 bytes {NOP ; JMP 0xffffffff8944fa74} .text C:\Program 
Files\Internet Explorer\iexplore.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 6 bytes {NOP ; JMP 0xffffffff8944f1b4} .text C:\Program Files\Internet Explorer\iexplore.exe[2556] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b7eecd 1 byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[2556] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 6 bytes {NOP ; JMP 0xffffffff8001afac} .text C:\Program Files\Internet Explorer\iexplore.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 6 bytes {NOP ; JMP 0xffffffff80019fa0} .text C:\Program Files\Internet Explorer\iexplore.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 6 bytes {NOP ; JMP 0xffffffff8001a064} .text C:\Program Files\Internet Explorer\iexplore.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 6 bytes {NOP ; JMP 0xffffffff8001a2a0} .text C:\Program Files\Internet Explorer\iexplore.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 6 bytes {NOP ; JMP 0xffffffff8001a4bc} .text C:\Program Files\Internet Explorer\iexplore.exe[2556] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 6 bytes {NOP ; JMP 0xffffffff80018dbc} .text C:\Program Files\Internet Explorer\iexplore.exe[2556] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 6 bytes {NOP ; JMP 0xffffffff80018e50} .text C:\Program Files\Internet Explorer\iexplore.exe[2556] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 6 bytes {NOP ; JMP 0xffffffff80019060} .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f3faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f3fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE[3516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f3fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f40018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f41900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f5c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f61217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007674a30a 1 byte [62] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000766f5181 5 bytes JMP 0000000100091014 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000766f5254 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000766f53d5 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000766f54c2 5 bytes JMP 0000000100090c0c .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000766f55e2 5 bytes JMP 0000000100090e10 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000766f567c 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] 
C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000766f589f 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000766f5a22 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\user32.DLL!SetWinEventHook 00000000751cee09 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\user32.DLL!UnhookWinEvent 00000000751d3982 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 00000000751d7603 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 00000000751d835c 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx 00000000751ef52b 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\WININET.dll!InternetCloseHandle 0000000074e085f2 5 bytes JMP 000000016e1a4710 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\WININET.dll!HttpSendRequestW 0000000074e0c016 5 bytes JMP 000000016e1a4770 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\WININET.dll!InternetReadFile 0000000074e1bc6f 5 bytes JMP 000000016e1a46c0 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\WININET.dll!HttpSendRequestA 0000000074ed6412 5 bytes JMP 000000016e1a4730 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\urlmon.dll!IsAsyncMoniker + 143 000000007657a7dc 8 bytes [00, 1B, AF, 6E, C0, 1D, AF, ...] 
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\urlmon.dll!IsAsyncMoniker + 183 000000007657a804 4 bytes [C0, 1B, AF, 6E] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\WS2_32.dll!closesocket 00000000752b3918 5 bytes JMP 000000016e1a46a0 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\WS2_32.dll!WSASend 00000000752b4406 5 bytes JMP 000000016e1a43c0 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\WS2_32.dll!recv 00000000752b6b0e 5 bytes JMP 000000016e1a44e0 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\WS2_32.dll!send 00000000752b6f01 5 bytes JMP 000000016e1a4320 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\WS2_32.dll!WSARecv 00000000752b7089 5 bytes JMP 000000016e1a4580 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\WS2_32.dll!WSAGetOverlappedResult 00000000752b7489 5 bytes JMP 000000016e1a5740 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074de1465 2 bytes [DE, 74] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074de14bb 2 bytes [DE, 74] .text ... 
* 2 .text C:\Windows\system32\taskeng.exe[820] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 000000010013075c .text C:\Windows\system32\taskeng.exe[820] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 00000001001303a4 .text C:\Windows\system32\taskeng.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 0000000100130b14 .text C:\Windows\system32\taskeng.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 0000000100130ecc .text C:\Windows\system32\taskeng.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 000000010013163c .text C:\Windows\system32\taskeng.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 0000000100131284 .text C:\Windows\system32\taskeng.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 00000001001319f4 .text C:\Windows\system32\taskeng.exe[820] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd196e00 5 bytes JMP 000007ff7d1b1dac .text C:\Windows\system32\taskeng.exe[820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd196f2c 5 bytes JMP 000007ff7d1b0ecc .text C:\Windows\system32\taskeng.exe[820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd197220 5 bytes JMP 000007ff7d1b1284 .text C:\Windows\system32\taskeng.exe[820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd19739c 5 bytes JMP 000007ff7d1b163c .text C:\Windows\system32\taskeng.exe[820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd197538 5 bytes JMP 000007ff7d1b19f4 .text C:\Windows\system32\taskeng.exe[820] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1975e8 5 bytes JMP 000007ff7d1b03a4 .text C:\Windows\system32\taskeng.exe[820] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd19790c 5 bytes JMP 000007ff7d1b075c .text C:\Windows\system32\taskeng.exe[820] 
C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd197ab4 5 bytes JMP 000007ff7d1b0b14 .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f3faa0 5 bytes JMP 0000000100240600 .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f3fb38 5 bytes JMP 0000000100240804 .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f3fc90 5 bytes JMP 0000000100240c0c .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f40018 5 bytes JMP 0000000100240a08 .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f41900 5 bytes JMP 0000000100240e10 .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f5c45a 5 bytes JMP 00000001002401f8 .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f61217 5 bytes JMP 00000001002403fc .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007674a30a 1 byte [62] .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000766f5181 5 bytes JMP 0000000100251014 .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000766f5254 5 bytes JMP 0000000100250804 .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000766f53d5 5 bytes JMP 0000000100250a08 .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000766f54c2 5 bytes JMP 0000000100250c0c .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000766f55e2 5 bytes JMP 0000000100250e10 .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000766f567c 5 bytes 
JMP 00000001002501f8 .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000766f589f 5 bytes JMP 00000001002503fc .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000766f5a22 5 bytes JMP 0000000100250600 .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000751cee09 5 bytes JMP 00000001002601f8 .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000751d3982 5 bytes JMP 00000001002603fc .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000751d7603 5 bytes JMP 0000000100260804 .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000751d835c 5 bytes JMP 0000000100260600 .text E:\Download\GMER\ynioc2mv.exe[5684] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000751ef52b 5 bytes JMP 0000000100260a08 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [2752:5068] 000007fef31a9688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3256:5020] 000007fefe990168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3256:5040] 000007fefaf62a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3256:5048] 000007fef104d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3256:4656] 000007fef8b15124 Thread C:\Windows\SysWOW64\ntdll.dll [3960:3620] 00000000305dd5fc Thread C:\Windows\SysWOW64\ntdll.dll [3960:4260] 000000003042f19c Thread C:\Windows\SysWOW64\ntdll.dll [3960:4876] 00000000746427c1 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 115 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 1685310 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition3\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\D:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\D:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 11 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "D:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb114b280 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb115d388 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde81871e Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3676F624-6787-4CB2-97FB-7BAD6CF46C57}@LeaseObtainedTime 1366623687 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3676F624-6787-4CB2-97FB-7BAD6CF46C57}@T1 1366627287 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3676F624-6787-4CB2-97FB-7BAD6CF46C57}@T2 1366629987 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3676F624-6787-4CB2-97FB-7BAD6CF46C57}@LeaseTerminatesTime 1366630887 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 115 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 1685310 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition3\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\D:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\D:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 11 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "D:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb114b280 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb115d388 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4cedde81871e (not active ControlSet) Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Barbara\AppData\Local\Logitech\xae Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe 1 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----