GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-07-12 15:54:32 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298,09GB Running: bo56ge2f.exe; Driver: C:\Users\Pawel\AppData\Local\Temp\awddrkog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff80002fa3000 45 bytes [00, 00, 0C, 04, 4E, 44, 72, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff80002fa302f 16 bytes [00, 02, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[628] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\system32\services.exe[692] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[828] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[908] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[964] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[340] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[568] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[532] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1436] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\system32\WLANExt.exe[1528] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1696] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007580a30a 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1844] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1884] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1984] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007580a30a 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2008] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe[1124] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007580a30a 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1252] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 000000010021075c .text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001002103a4 .text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 0000000100210b14 .text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 0000000100210ecc .text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 000000010021163c .text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 0000000100211284 .text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001002119f4 .text C:\Windows\system32\svchost.exe[3016] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Windows\system32\taskhost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 000000010032075c .text C:\Windows\system32\taskhost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001003203a4 .text C:\Windows\system32\taskhost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 0000000100320b14 .text C:\Windows\system32\taskhost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 0000000100320ecc .text C:\Windows\system32\taskhost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 000000010032163c .text C:\Windows\system32\taskhost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 0000000100321284 .text C:\Windows\system32\taskhost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001003219f4 .text C:\Windows\system32\taskhost.exe[3000] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Windows\system32\taskhost.exe[3000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Windows\system32\taskhost.exe[3000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Windows\system32\taskhost.exe[3000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Windows\system32\taskhost.exe[3000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Windows\system32\taskhost.exe[3000] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Windows\system32\taskhost.exe[3000] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Windows\system32\taskhost.exe[3000] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Windows\system32\Dwm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 000000010017075c .text C:\Windows\system32\Dwm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001001703a4 .text C:\Windows\system32\Dwm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 0000000100170b14 .text C:\Windows\system32\Dwm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 0000000100170ecc .text C:\Windows\system32\Dwm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 000000010017163c .text C:\Windows\system32\Dwm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 0000000100171284 .text C:\Windows\system32\Dwm.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001001719f4 .text C:\Windows\system32\Dwm.exe[816] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[816] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Windows\system32\Dwm.exe[816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Windows\system32\Dwm.exe[816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Windows\system32\Dwm.exe[816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Windows\system32\Dwm.exe[816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Windows\system32\Dwm.exe[816] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Windows\system32\Dwm.exe[816] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Windows\system32\Dwm.exe[816] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Windows\Explorer.EXE[1492] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 000000010035075c .text C:\Windows\Explorer.EXE[1492] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001003503a4 .text C:\Windows\Explorer.EXE[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 0000000100350b14 .text C:\Windows\Explorer.EXE[1492] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 0000000100350ecc .text C:\Windows\Explorer.EXE[1492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 000000010035163c .text C:\Windows\Explorer.EXE[1492] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 0000000100351284 .text C:\Windows\Explorer.EXE[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001003519f4 .text C:\Windows\Explorer.EXE[1492] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\Explorer.EXE[1492] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Windows\Explorer.EXE[1492] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Windows\Explorer.EXE[1492] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Windows\Explorer.EXE[1492] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Windows\Explorer.EXE[1492] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Windows\Explorer.EXE[1492] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Windows\Explorer.EXE[1492] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Windows\Explorer.EXE[1492] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 000000010044075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001004403a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 0000000100440b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 0000000100440ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 000000010044163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 0000000100441284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001004419f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3120] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3120] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3120] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3120] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3120] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3120] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3120] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3120] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3120] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Program Files\Elantech\ETDCtrl.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 000000010039075c .text C:\Program Files\Elantech\ETDCtrl.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001003903a4 .text C:\Program Files\Elantech\ETDCtrl.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 0000000100390b14 .text C:\Program Files\Elantech\ETDCtrl.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 0000000100390ecc .text C:\Program Files\Elantech\ETDCtrl.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 000000010039163c .text C:\Program Files\Elantech\ETDCtrl.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 0000000100391284 .text C:\Program Files\Elantech\ETDCtrl.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001003919f4 .text C:\Program Files\Elantech\ETDCtrl.exe[3196] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Program Files\Elantech\ETDCtrl.exe[3196] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Program Files\Elantech\ETDCtrl.exe[3196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Program Files\Elantech\ETDCtrl.exe[3196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Program Files\Elantech\ETDCtrl.exe[3196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Program Files\Elantech\ETDCtrl.exe[3196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Program Files\Elantech\ETDCtrl.exe[3196] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Program Files\Elantech\ETDCtrl.exe[3196] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Program Files\Elantech\ETDCtrl.exe[3196] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 000000010042075c .text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001004203a4 .text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 0000000100420b14 .text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 0000000100420ecc .text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 000000010042163c .text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 0000000100421284 .text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001004219f4 .text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Windows\System32\igfxtray.exe[3204] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Windows\System32\hkcmd.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 000000010036075c .text C:\Windows\System32\hkcmd.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001003603a4 .text C:\Windows\System32\hkcmd.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 0000000100360b14 .text C:\Windows\System32\hkcmd.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 0000000100360ecc .text C:\Windows\System32\hkcmd.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 000000010036163c .text C:\Windows\System32\hkcmd.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 0000000100361284 .text C:\Windows\System32\hkcmd.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001003619f4 .text C:\Windows\System32\hkcmd.exe[3216] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\System32\hkcmd.exe[3216] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Windows\System32\hkcmd.exe[3216] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Windows\System32\hkcmd.exe[3216] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Windows\System32\hkcmd.exe[3216] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Windows\System32\hkcmd.exe[3216] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Windows\System32\hkcmd.exe[3216] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Windows\System32\hkcmd.exe[3216] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Windows\System32\hkcmd.exe[3216] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Windows\System32\igfxpers.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 000000010050075c .text C:\Windows\System32\igfxpers.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001005003a4 .text C:\Windows\System32\igfxpers.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 0000000100500b14 .text C:\Windows\System32\igfxpers.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 0000000100500ecc .text C:\Windows\System32\igfxpers.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 000000010050163c .text C:\Windows\System32\igfxpers.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 0000000100501284 .text C:\Windows\System32\igfxpers.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001005019f4 .text C:\Windows\System32\igfxpers.exe[3224] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\System32\igfxpers.exe[3224] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Windows\System32\igfxpers.exe[3224] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Windows\System32\igfxpers.exe[3224] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Windows\System32\igfxpers.exe[3224] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Windows\System32\igfxpers.exe[3224] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Windows\System32\igfxpers.exe[3224] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Windows\System32\igfxpers.exe[3224] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Windows\System32\igfxpers.exe[3224] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 00000001001f075c .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001001f03a4 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 00000001001f0b14 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 00000001001f0ecc .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 00000001001f163c .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 00000001001f1284 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001001f19f4 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3448] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3448] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3448] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3448] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3448] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 000000010014075c .text C:\Program Files\Windows Sidebar\sidebar.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001001403a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 0000000100140b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 0000000100140ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 000000010014163c .text C:\Program Files\Windows Sidebar\sidebar.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 0000000100141284 .text C:\Program Files\Windows Sidebar\sidebar.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001001419f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3460] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[3460] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Program Files\Windows Sidebar\sidebar.exe[3460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[3460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[3460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Program Files\Windows Sidebar\sidebar.exe[3460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3460] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3460] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Program Files\Windows Sidebar\sidebar.exe[3460] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d3faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d3fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d3fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d40018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d41900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d5c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d61217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007580a30a 1 byte [62] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007612ee09 5 bytes JMP 00000001001401f8 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076133982 3 bytes JMP 00000001001403fc .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\syswow64\USER32.dll!UnhookWinEvent + 4 0000000076133986 1 byte [8A] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076137603 5 bytes JMP 0000000100140804 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007613835c 5 bytes JMP 0000000100140600 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007614f52b 5 bytes JMP 0000000100140a08 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a65181 5 bytes JMP 0000000100151014 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a65254 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a653d5 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a654c2 5 bytes JMP 0000000100150c0c .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a655e2 5 bytes JMP 0000000100150e10 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a6567c 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a6589f 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a65a22 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077481465 2 bytes [48, 77] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774814bb 2 bytes [48, 77] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 0000000070b711a8 2 bytes [B7, 70] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 0000000070b713a8 2 bytes [B7, 70] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000070b71422 2 bytes [B7, 70] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3556] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000070b71498 2 bytes [B7, 70] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 000000010032075c .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001003203a4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 0000000100320b14 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 0000000100320ecc .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 000000010032163c .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 0000000100321284 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001003219f4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3684] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3684] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3684] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3684] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3684] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3684] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3684] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3684] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3684] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3780] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007580a30a 1 byte [62] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 00000001002a075c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001002a03a4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 00000001002a0b14 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 00000001002a0ecc .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 00000001002a163c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 00000001002a1284 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001002a19f4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3788] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3788] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3788] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3788] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3788] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3788] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3788] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3788] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3788] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 000000010026075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001002603a4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 0000000100260b14 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 0000000100260ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 000000010026163c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 0000000100261284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001002619f4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3816] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3816] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3816] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3816] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3816] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d3faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d3fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d3fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d40018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d41900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d5c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d61217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007580a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a65181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a65254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a653d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a654c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a655e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a6567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a6589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a65a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007612ee09 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076133982 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076137603 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007613835c 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3864] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007614f52b 5 bytes JMP 0000000100260a08 .text C:\Windows\system32\SearchIndexer.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 00000001001a075c .text C:\Windows\system32\SearchIndexer.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001001a03a4 .text C:\Windows\system32\SearchIndexer.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 00000001001a0b14 .text C:\Windows\system32\SearchIndexer.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 00000001001a0ecc .text C:\Windows\system32\SearchIndexer.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 00000001001a163c .text C:\Windows\system32\SearchIndexer.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 00000001001a1284 .text C:\Windows\system32\SearchIndexer.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001001a19f4 .text C:\Windows\system32\SearchIndexer.exe[4012] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[4012] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Windows\system32\SearchIndexer.exe[4012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Windows\system32\SearchIndexer.exe[4012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Windows\system32\SearchIndexer.exe[4012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Windows\system32\SearchIndexer.exe[4012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Windows\system32\SearchIndexer.exe[4012] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Windows\system32\SearchIndexer.exe[4012] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Windows\system32\SearchIndexer.exe[4012] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d3faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d3fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d3fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d40018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d41900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d5c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d61217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007580a30a 1 byte [62] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007612ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076133982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076137603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007613835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007614f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a65181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a65254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a653d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a654c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a655e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a6567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a6589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a65a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077481465 2 bytes [48, 77] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774814bb 2 bytes [48, 77] .text ... * 2 .text C:\Windows\system32\taskeng.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 000000010021075c .text C:\Windows\system32\taskeng.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001002103a4 .text C:\Windows\system32\taskeng.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 0000000100210b14 .text C:\Windows\system32\taskeng.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 0000000100210ecc .text C:\Windows\system32\taskeng.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 000000010021163c .text C:\Windows\system32\taskeng.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 0000000100211284 .text C:\Windows\system32\taskeng.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001002119f4 .text C:\Windows\system32\taskeng.exe[2840] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Windows\system32\taskeng.exe[2840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Windows\system32\taskeng.exe[2840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Windows\system32\taskeng.exe[2840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Windows\system32\taskeng.exe[2840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Windows\system32\taskeng.exe[2840] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Windows\system32\taskeng.exe[2840] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Windows\system32\taskeng.exe[2840] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d3faa0 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d3fb38 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d3fc90 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d40018 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d41900 5 bytes JMP 0000000100030e10 .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d5c45a 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d61217 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007580a30a 1 byte [62] .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007612ee09 5 bytes JMP 00000001000a01f8 .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076133982 5 bytes JMP 00000001000a03fc .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076137603 5 bytes JMP 00000001000a0804 .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007613835c 5 bytes JMP 00000001000a0600 .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007614f52b 5 bytes JMP 00000001000a0a08 .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a65181 5 bytes JMP 00000001000b1014 .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a65254 5 bytes JMP 00000001000b0804 .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a653d5 5 bytes JMP 00000001000b0a08 .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a654c2 5 bytes JMP 00000001000b0c0c .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a655e2 5 bytes JMP 00000001000b0e10 .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a6567c 5 bytes JMP 00000001000b01f8 .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a6589f 5 bytes JMP 00000001000b03fc .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a65a22 5 bytes JMP 00000001000b0600 .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077481465 2 bytes [48, 77] .text C:\Windows\SysWOW64\RunDll32.exe[3168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774814bb 2 bytes [48, 77] .text ... * 2 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 000000010020075c .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001002003a4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 0000000100200b14 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 0000000100200ecc .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 000000010020163c .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 0000000100201284 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001002019f4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4120] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4120] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4120] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4120] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4120] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4120] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4120] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4120] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4120] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d3faa0 5 bytes JMP 0000000100030600 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d3fb38 5 bytes JMP 0000000100030804 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d3fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d40018 5 bytes JMP 0000000100030a08 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d41900 5 bytes JMP 0000000100030e10 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d5c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d61217 5 bytes JMP 00000001000303fc .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007580a30a 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007612ee09 5 bytes JMP 00000001002401f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076133982 5 bytes JMP 00000001002403fc .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076137603 5 bytes JMP 0000000100240804 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007613835c 5 bytes JMP 0000000100240600 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007614f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a65181 5 bytes JMP 0000000100251014 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a65254 5 bytes JMP 0000000100250804 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a653d5 5 bytes JMP 0000000100250a08 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a654c2 5 bytes JMP 0000000100250c0c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a655e2 5 bytes JMP 0000000100250e10 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a6567c 5 bytes JMP 00000001002501f8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a6589f 5 bytes JMP 00000001002503fc .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4448] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a65a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d3faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d3fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d3fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d40018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d41900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d5c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d61217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007580a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a65181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a65254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a653d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a654c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a655e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a6567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a6589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a65a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007612ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076133982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076137603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007613835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4944] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007614f52b 5 bytes JMP 0000000100250a08 .text C:\Windows\system32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 000000010042075c .text C:\Windows\system32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001004203a4 .text C:\Windows\system32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 0000000100420b14 .text C:\Windows\system32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 0000000100420ecc .text C:\Windows\system32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 000000010042163c .text C:\Windows\system32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 0000000100421284 .text C:\Windows\system32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001004219f4 .text C:\Windows\system32\svchost.exe[2576] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2576] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Windows\system32\svchost.exe[2576] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Windows\system32\svchost.exe[2576] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Windows\system32\svchost.exe[2576] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Windows\system32\svchost.exe[2576] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Windows\system32\svchost.exe[2576] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Windows\system32\svchost.exe[2576] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Windows\system32\svchost.exe[2576] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d3faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d3fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d3fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d40018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d41900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d5c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d61217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007580a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a65181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a65254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a653d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a654c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a655e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a6567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a6589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a65a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007612ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076133982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076137603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007613835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007614f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077481465 2 bytes [48, 77] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774814bb 2 bytes [48, 77] .text ... * 2 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b63ae0 5 bytes JMP 000000010033075c .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b67a90 5 bytes JMP 00000001003303a4 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b91490 5 bytes JMP 0000000100330b14 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b914f0 5 bytes JMP 0000000100330ecc .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b915d0 5 bytes JMP 000000010033163c .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b91810 5 bytes JMP 0000000100331284 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b92840 5 bytes JMP 00000001003319f4 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff796e00 5 bytes JMP 000007ff7f7b1dac .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff796f2c 5 bytes JMP 000007ff7f7b0ecc .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff797220 5 bytes JMP 000007ff7f7b1284 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff79739c 5 bytes JMP 000007ff7f7b163c .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff797538 5 bytes JMP 000007ff7f7b19f4 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7975e8 5 bytes JMP 000007ff7f7b03a4 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff79790c 5 bytes JMP 000007ff7f7b075c .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff797ab4 5 bytes JMP 000007ff7f7b0b14 .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d3faa0 5 bytes JMP 0000000100090600 .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d3fb38 5 bytes JMP 0000000100090804 .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d3fc90 5 bytes JMP 0000000100090c0c .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d40018 5 bytes JMP 0000000100090a08 .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d41900 5 bytes JMP 0000000100090e10 .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d5c45a 5 bytes JMP 00000001000901f8 .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d61217 5 bytes JMP 00000001000903fc .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007580a30a 1 byte [62] .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007612ee09 5 bytes JMP 00000001000a01f8 .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076133982 5 bytes JMP 00000001000a03fc .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076137603 5 bytes JMP 00000001000a0804 .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007613835c 5 bytes JMP 00000001000a0600 .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007614f52b 5 bytes JMP 00000001000a0a08 .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075a65181 5 bytes JMP 00000001000b1014 .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075a65254 5 bytes JMP 00000001000b0804 .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075a653d5 5 bytes JMP 00000001000b0a08 .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075a654c2 5 bytes JMP 00000001000b0c0c .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075a655e2 5 bytes JMP 00000001000b0e10 .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075a6567c 5 bytes JMP 00000001000b01f8 .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075a6589f 5 bytes JMP 00000001000b03fc .text C:\Windows\SysWOW64\ctfmon.exe[348] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075a65a22 5 bytes JMP 00000001000b0600 .text C:\Windows\notepad.exe[2264] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a7eecd 1 byte [62] .text C:\Users\Pawel\Desktop\bo56ge2f.exe[5044] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007580a30a 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [2436:2484] 000007fef9962f9c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [916:5040] 000007fefefe0168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [916:4348] 000007fefbad2a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [916:2524] 000007feee46d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [916:4428] 000007fef8665124 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@DisplayName avast! TDI Firewall driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Description avast! TDI Firewall driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Tag 12 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Description avast! keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Tag 7 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 30 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 3836255 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ImagePath "C:\Program Files\AVAST Software\Avast\afwServ.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@DisplayName avast! Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Description Implements main functionality for avast! Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b4749f6a0c40 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@DisplayName avast! TDI Firewall driver Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswFW@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Description avast! TDI Firewall driver Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Tag 12 Reg HKLM\SYSTEM\ControlSet002\services\aswFW\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFW\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswFW\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Description avast! keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Tag 7 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 30 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 3836255 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ImagePath "C:\Program Files\AVAST Software\Avast\afwServ.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@DisplayName avast! Firewall Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Description Implements main functionality for avast! Firewall Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b4749f6a0c40 (not active ControlSet) ---- Files - GMER 2.1 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-520696477-2400181392-3353879476-1000 0 bytes File C:\avast! sandbox\S-1-5-21-520696477-2400181392-3353879476-1000\r80 0 bytes File C:\avast! sandbox\S-1-5-21-520696477-2400181392-3353879476-1000\r80\OTL.exe_{a15d4468-eae6-11e2-ae8f-b4749f6a0c40} 0 bytes File C:\avast! sandbox\snx_rhive 262144 bytes File C:\avast! sandbox\snx_rhive.LOG1 5120 bytes File C:\avast! sandbox\snx_rhive.LOG2 0 bytes File C:\avast! sandbox\snx_rhive{a15d446a-eae6-11e2-ae8f-b4749f6a0c40}.TM.blf 65536 bytes File C:\avast! sandbox\snx_rhive{a15d446a-eae6-11e2-ae8f-b4749f6a0c40}.TMContainer00000000000000000001.regtrans-ms 524288 bytes File C:\avast! sandbox\snx_rhive{a15d446a-eae6-11e2-ae8f-b4749f6a0c40}.TMContainer00000000000000000002.regtrans-ms 524288 bytes ---- EOF - GMER 2.1 ----