GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-11-11 16:50:00 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD1600JS-00MHB0 rev.02.01C03 149,05GB Running: gmer.exe; Driver: C:\Users\Igor\AppData\Local\Temp\ufddrpoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800033af000 45 bytes [00, 00, 16, 02, 4E, 74, 66, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800033af02f 29 bytes [00, 01, 00, 06, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[604] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[680] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Windows\system32\services.exe[724] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[936] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[960] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Windows\System32\svchost.exe[400] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[520] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[504] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1284] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1436] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1444] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Windows\Explorer.EXE[1680] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1728] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1792] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1888] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE[1408] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[648] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075621465 2 bytes [62, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756214bb 2 bytes [62, 75] .text ... * 2 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1932] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2024] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Windows\system32\rundll32.exe[1944] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2116] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2184] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ea3b10 5 bytes JMP 000000010032075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ea7ac0 5 bytes JMP 00000001003203a4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ed1430 5 bytes JMP 0000000100320b14 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ed1490 5 bytes JMP 0000000100320ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ed1570 5 bytes JMP 000000010032163c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ed17b0 5 bytes JMP 0000000100321284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ed27e0 5 bytes JMP 00000001003219f4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2796] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2796] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2796] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2796] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2796] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2796] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2796] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2796] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2796] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ea3b10 5 bytes JMP 000000010040075c .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ea7ac0 5 bytes JMP 00000001004003a4 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ed1430 5 bytes JMP 0000000100400b14 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ed1490 5 bytes JMP 0000000100400ecc .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ed1570 5 bytes JMP 000000010040163c .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ed17b0 5 bytes JMP 0000000100401284 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ed27e0 5 bytes JMP 00000001004019f4 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1072] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1072] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1072] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1072] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1072] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1072] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1072] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1072] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1072] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Windows\system32\conhost.exe[2908] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ea3b10 5 bytes JMP 000000010021075c .text C:\Windows\system32\conhost.exe[2908] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ea7ac0 5 bytes JMP 00000001002103a4 .text C:\Windows\system32\conhost.exe[2908] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ed1430 5 bytes JMP 0000000100210b14 .text C:\Windows\system32\conhost.exe[2908] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ed1490 5 bytes JMP 0000000100210ecc .text C:\Windows\system32\conhost.exe[2908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ed1570 5 bytes JMP 000000010021163c .text C:\Windows\system32\conhost.exe[2908] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ed17b0 5 bytes JMP 0000000100211284 .text C:\Windows\system32\conhost.exe[2908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ed27e0 5 bytes JMP 00000001002119f4 .text C:\Windows\system32\conhost.exe[2908] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Windows\system32\conhost.exe[2908] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Windows\system32\conhost.exe[2908] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Windows\system32\conhost.exe[2908] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Windows\system32\conhost.exe[2908] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Windows\system32\conhost.exe[2908] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Windows\system32\conhost.exe[2908] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Windows\system32\conhost.exe[2908] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Windows\system32\conhost.exe[2908] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ea3b10 5 bytes JMP 00000001004a075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ea7ac0 5 bytes JMP 00000001004a03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ed1430 5 bytes JMP 00000001004a0b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ed1490 5 bytes JMP 00000001004a0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ed1570 5 bytes JMP 00000001004a163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ed17b0 5 bytes JMP 00000001004a1284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ed27e0 5 bytes JMP 00000001004a19f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3096] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3096] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3096] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3096] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3096] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3096] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3096] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3096] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3096] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Program Files\BOINC\boincmgr.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ea3b10 5 bytes JMP 000000010039075c .text C:\Program Files\BOINC\boincmgr.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ea7ac0 5 bytes JMP 00000001003903a4 .text C:\Program Files\BOINC\boincmgr.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ed1430 5 bytes JMP 0000000100390b14 .text C:\Program Files\BOINC\boincmgr.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ed1490 5 bytes JMP 0000000100390ecc .text C:\Program Files\BOINC\boincmgr.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ed1570 5 bytes JMP 000000010039163c .text C:\Program Files\BOINC\boincmgr.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ed17b0 5 bytes JMP 0000000100391284 .text C:\Program Files\BOINC\boincmgr.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ed27e0 5 bytes JMP 00000001003919f4 .text C:\Program Files\BOINC\boincmgr.exe[3412] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Program Files\BOINC\boincmgr.exe[3412] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Program Files\BOINC\boincmgr.exe[3412] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Program Files\BOINC\boincmgr.exe[3412] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Program Files\BOINC\boincmgr.exe[3412] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Program Files\BOINC\boincmgr.exe[3412] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Program Files\BOINC\boincmgr.exe[3412] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Program Files\BOINC\boincmgr.exe[3412] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Program Files\BOINC\boincmgr.exe[3412] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Program Files\BOINC\boinctray.exe[3440] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Program Files\BOINC\boinctray.exe[3440] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Program Files\BOINC\boinctray.exe[3440] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Program Files\BOINC\boinctray.exe[3440] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Program Files\BOINC\boinctray.exe[3440] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Program Files\BOINC\boinctray.exe[3440] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Program Files\BOINC\boinctray.exe[3440] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Program Files\BOINC\boinctray.exe[3440] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007707fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007707fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007707fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077080038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077081920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007709c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000770a1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000767cee09 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000767d3982 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000767d7603 3 bytes JMP 0000000100090804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW + 4 00000000767d7607 1 byte [89] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000767d835c 3 bytes JMP 0000000100090600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA + 4 00000000767d8360 1 byte [89] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000767ef52b 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3524] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007707fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007707fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007707fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077080038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077081920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007709c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000770a1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000767cee09 5 bytes JMP 00000001001e01f8 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000767d3982 5 bytes JMP 00000001001e03fc .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000767d7603 5 bytes JMP 00000001001e0804 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000767d835c 5 bytes JMP 00000001001e0600 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000767ef52b 5 bytes JMP 00000001001e0a08 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 0000000100271014 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 0000000100270804 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 0000000100270a08 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 0000000100270c0c .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 0000000100270e10 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001002701f8 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001002703fc .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[3656] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 0000000100270600 .text H:\Steam\Steam.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007707fac0 5 bytes JMP 0000000100030600 .text H:\Steam\Steam.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007707fb58 5 bytes JMP 0000000100030804 .text H:\Steam\Steam.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007707fcb0 5 bytes JMP 0000000100030c0c .text H:\Steam\Steam.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077080038 5 bytes JMP 0000000100030a08 .text H:\Steam\Steam.exe[3732] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077081920 5 bytes JMP 0000000100030e10 .text H:\Steam\Steam.exe[3732] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007709c4dd 5 bytes JMP 00000001000301f8 .text H:\Steam\Steam.exe[3732] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000770a1287 5 bytes JMP 00000001000303fc .text H:\Steam\Steam.exe[3732] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text H:\Steam\Steam.exe[3732] C:\Windows\syswow64\KERNELBASE.dll!HeapCreate 0000000074b3549c 5 bytes JMP 0000000100300800 .text C:\Program Files\BOINC\boinc.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ea3b10 5 bytes JMP 000000010042075c .text C:\Program Files\BOINC\boinc.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ea7ac0 5 bytes JMP 00000001004203a4 .text C:\Program Files\BOINC\boinc.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ed1430 5 bytes JMP 0000000100420b14 .text C:\Program Files\BOINC\boinc.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ed1490 5 bytes JMP 0000000100420ecc .text C:\Program Files\BOINC\boinc.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ed1570 5 bytes JMP 000000010042163c .text C:\Program Files\BOINC\boinc.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ed17b0 5 bytes JMP 0000000100421284 .text C:\Program Files\BOINC\boinc.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ed27e0 5 bytes JMP 00000001004219f4 .text C:\Program Files\BOINC\boinc.exe[3744] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Program Files\BOINC\boinc.exe[3744] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Program Files\BOINC\boinc.exe[3744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Program Files\BOINC\boinc.exe[3744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Program Files\BOINC\boinc.exe[3744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Program Files\BOINC\boinc.exe[3744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Program Files\BOINC\boinc.exe[3744] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Program Files\BOINC\boinc.exe[3744] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Program Files\BOINC\boinc.exe[3744] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ea3b10 5 bytes JMP 000000010029075c .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ea7ac0 5 bytes JMP 00000001002903a4 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ed1430 5 bytes JMP 0000000100290b14 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ed1490 5 bytes JMP 0000000100290ecc .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ed1570 5 bytes JMP 000000010029163c .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ed17b0 5 bytes JMP 0000000100291284 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ed27e0 5 bytes JMP 00000001002919f4 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007707fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007707fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007707fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077080038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077081920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007709c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000770a1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000767cee09 5 bytes JMP 00000001002901f8 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000767d3982 5 bytes JMP 00000001002903fc .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000767d7603 5 bytes JMP 0000000100290804 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000767d835c 5 bytes JMP 0000000100290600 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[3788] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000767ef52b 5 bytes JMP 0000000100290a08 .text C:\Program Files\Windows Sidebar\sidebar.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ea3b10 5 bytes JMP 000000010020075c .text C:\Program Files\Windows Sidebar\sidebar.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ea7ac0 5 bytes JMP 00000001002003a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ed1430 5 bytes JMP 0000000100200b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ed1490 5 bytes JMP 0000000100200ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ed1570 5 bytes JMP 000000010020163c .text C:\Program Files\Windows Sidebar\sidebar.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ed17b0 5 bytes JMP 0000000100201284 .text C:\Program Files\Windows Sidebar\sidebar.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ed27e0 5 bytes JMP 00000001002019f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3800] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[3800] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Program Files\Windows Sidebar\sidebar.exe[3800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[3800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[3800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Program Files\Windows Sidebar\sidebar.exe[3800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3800] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3800] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Program Files\Windows Sidebar\sidebar.exe[3800] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007707fac0 5 bytes JMP 0000000100030600 .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007707fb58 5 bytes JMP 0000000100030804 .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007707fcb0 5 bytes JMP 0000000100030c0c .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077080038 5 bytes JMP 0000000100030a08 .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077081920 5 bytes JMP 0000000100030e10 .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007709c4dd 5 bytes JMP 00000001000301f8 .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000770a1287 5 bytes JMP 00000001000303fc .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 0000000100331014 .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 0000000100330804 .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 0000000100330a08 .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 0000000100330c0c .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 0000000100330e10 .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001003301f8 .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001003303fc .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 0000000100330600 .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075621465 2 bytes [62, 75] .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756214bb 2 bytes [62, 75] .text ... * 2 .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000767cee09 5 bytes JMP 00000001003401f8 .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000767d3982 5 bytes JMP 00000001003403fc .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000767d7603 5 bytes JMP 0000000100340804 .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000767d835c 5 bytes JMP 0000000100340600 .text C:\Users\Igor\AppData\Roaming\Paradox Interactive\Paradox Interactive.exe[3900] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000767ef52b 5 bytes JMP 0000000100340a08 .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007707fac0 5 bytes JMP 0000000100030600 .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007707fb58 5 bytes JMP 0000000100030804 .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007707fcb0 5 bytes JMP 0000000100030c0c .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077080038 5 bytes JMP 0000000100030a08 .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077081920 5 bytes JMP 0000000100030e10 .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007709c4dd 5 bytes JMP 00000001000301f8 .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000770a1287 5 bytes JMP 00000001000303fc .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000767cee09 5 bytes JMP 00000001001001f8 .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000767d3982 5 bytes JMP 00000001001003fc .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000767d7603 5 bytes JMP 0000000100100804 .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000767d835c 5 bytes JMP 0000000100100600 .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000767ef52b 5 bytes JMP 0000000100100a08 .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 0000000100111014 .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 0000000100110804 .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 0000000100110a08 .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 0000000100110c0c .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 0000000100110e10 .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001001101f8 .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001001103fc .text C:\Users\Igor\AppData\Local\GG\Application\gghub.exe[4016] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 0000000100110600 .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007707fac0 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007707fb58 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007707fcb0 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077080038 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077081920 5 bytes JMP 0000000100030e10 .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007709c4dd 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000770a1287 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000767cee09 5 bytes JMP 00000001000a01f8 .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000767d3982 5 bytes JMP 00000001000a03fc .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000767d7603 5 bytes JMP 00000001000a0804 .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000767d835c 5 bytes JMP 00000001000a0600 .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000767ef52b 5 bytes JMP 00000001000a0a08 .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 0000000100161014 .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 0000000100160804 .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 0000000100160a08 .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 0000000100160c0c .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 0000000100160e10 .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001001601f8 .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001001603fc .text C:\Windows\SysWOW64\rundll32.exe[4028] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 0000000100160600 .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007707fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007707fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007707fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077080038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077081920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007709c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000770a1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 0000000100091014 .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 0000000100090c0c .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 0000000100090e10 .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000767cee09 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000767d3982 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000767d7603 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000767d835c 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\eMule\emule.exe[4060] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000767ef52b 5 bytes JMP 00000001000a0a08 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ea3b10 5 bytes JMP 000000010013075c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ea7ac0 5 bytes JMP 00000001001303a4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ed1430 5 bytes JMP 0000000100130b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ed1490 5 bytes JMP 0000000100130ecc .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ed1570 5 bytes JMP 000000010013163c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ed17b0 5 bytes JMP 0000000100131284 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ed27e0 5 bytes JMP 00000001001319f4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1816] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007707fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007707fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007707fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077080038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077081920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007709c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000770a1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000767cee09 5 bytes JMP 00000001002301f8 .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000767d3982 5 bytes JMP 00000001002303fc .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000767d7603 5 bytes JMP 0000000100230804 .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000767d835c 5 bytes JMP 0000000100230600 .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000767ef52b 5 bytes JMP 0000000100230a08 .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 00000001002c1014 .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 00000001002c0804 .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 00000001002c0a08 .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 00000001002c0c0c .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 00000001002c0e10 .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001002c01f8 .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001002c03fc .text C:\Program Files (x86)\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe[3884] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 00000001002c0600 .text C:\Windows\System32\svchost.exe[4156] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ea3b10 5 bytes JMP 000000010015075c .text C:\Windows\System32\svchost.exe[4156] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ea7ac0 5 bytes JMP 00000001001503a4 .text C:\Windows\System32\svchost.exe[4156] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ed1430 5 bytes JMP 0000000100150b14 .text C:\Windows\System32\svchost.exe[4156] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ed1490 5 bytes JMP 0000000100150ecc .text C:\Windows\System32\svchost.exe[4156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ed1570 5 bytes JMP 000000010015163c .text C:\Windows\System32\svchost.exe[4156] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ed17b0 5 bytes JMP 0000000100151284 .text C:\Windows\System32\svchost.exe[4156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ed27e0 5 bytes JMP 00000001001519f4 .text C:\Windows\System32\svchost.exe[4156] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Windows\System32\svchost.exe[4156] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Windows\System32\svchost.exe[4156] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Windows\System32\svchost.exe[4156] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Windows\System32\svchost.exe[4156] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Windows\System32\svchost.exe[4156] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Windows\System32\svchost.exe[4156] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Windows\System32\svchost.exe[4156] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007707fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007707fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007707fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077080038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077081920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007709c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000770a1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000767cee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000767d3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000767d7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000767d835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000767ef52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4184] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 0000000100250600 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4236] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Windows\System32\svchost.exe[4568] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cbeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[4568] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Windows\System32\svchost.exe[4568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Windows\System32\svchost.exe[4568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Windows\System32\svchost.exe[4568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Windows\System32\svchost.exe[4568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Windows\System32\svchost.exe[4568] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Windows\System32\svchost.exe[4568] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Windows\System32\svchost.exe[4568] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Windows\System32\svchost.exe[4568] C:\Windows\system32\USER32.dll!UnhookWinEvent 0000000076d88550 5 bytes JMP 000000010027075c .text C:\Windows\System32\svchost.exe[4568] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 0000000076d8d440 5 bytes JMP 0000000100271284 .text C:\Windows\System32\svchost.exe[4568] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076d8f874 5 bytes JMP 0000000100270ecc .text C:\Windows\System32\svchost.exe[4568] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000076d94d4c 5 bytes JMP 00000001002703a4 .text C:\Windows\System32\svchost.exe[4568] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076da8c20 5 bytes JMP 0000000100270b14 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007707fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007707fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007707fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077080038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077081920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007709c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000770a1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000767cee09 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000767d3982 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000767d7603 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000767d835c 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4628] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000767ef52b 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007707fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007707fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007707fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077080038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077081920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007709c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000770a1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\syswow64\KERNELBASE.dll!HeapCreate 0000000074b3549c 5 bytes JMP 0000000100310800 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000767cee09 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000767d3982 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000767d7603 3 bytes JMP 0000000100090804 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW + 4 00000000767d7607 1 byte [89] .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000767d835c 3 bytes JMP 0000000100090600 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA + 4 00000000767d8360 1 byte [89] .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000767ef52b 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 0000000100121014 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 0000000100120804 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 0000000100120a08 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 0000000100120c0c .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 0000000100120e10 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001001201f8 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001001203fc .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 0000000100120600 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075621465 2 bytes [62, 75] .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5072] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000756214bb 2 bytes [62, 75] .text ... * 2 .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007707fac0 5 bytes JMP 0000000100030600 .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007707fb58 5 bytes JMP 0000000100030804 .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007707fcb0 5 bytes JMP 0000000100030c0c .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077080038 5 bytes JMP 0000000100030a08 .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077081920 5 bytes JMP 0000000100030e10 .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007709c4dd 5 bytes JMP 00000001000301f8 .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000770a1287 5 bytes JMP 00000001000303fc .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 00000001001d1014 .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 00000001001d0804 .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 00000001001d0a08 .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 00000001001d0c0c .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 00000001001d0e10 .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001001d01f8 .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001001d03fc .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 00000001001d0600 .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000767cee09 5 bytes JMP 00000001001e01f8 .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000767d3982 5 bytes JMP 00000001001e03fc .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000767d7603 5 bytes JMP 00000001001e0804 .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000767d835c 5 bytes JMP 00000001001e0600 .text C:\Users\Igor\AppData\Local\GG\Application\ggdrive\ggdrive.exe[4100] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000767ef52b 5 bytes JMP 00000001001e0a08 .text C:\Users\Igor\Desktop\Gmer\gmer.exe[5048] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076b8a2ba 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1816:4508] 000007fefe5c0168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1816:4524] 000007fefb102a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1816:4560] 000007feed3cd618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1816:4704] 000007fef80f5124 Thread C:\Windows\System32\svchost.exe [4568:5896] 000007fefacd9688 ---- Services - GMER 2.1 ---- Service C:\Windows\system32\drivers\aswFsBlk.sys (*** hidden *** ) [AUTO] aswFsBlk <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswMonFlt.sys (*** hidden *** ) [AUTO] aswMonFlt <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswRdr2.sys (*** hidden *** ) [SYSTEM] aswRdr <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswRvrt.sys (*** hidden *** ) [BOOT] aswRvrt <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswSnx.sys (*** hidden *** ) [SYSTEM] aswSnx <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswSP.sys (*** hidden *** ) [SYSTEM] aswSP <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswTdi.sys (*** hidden *** ) [SYSTEM] aswTdi <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswVmm.sys (*** hidden *** ) [BOOT] aswVmm <-- ROOTKIT !!! ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ????25??????????????? z??6???S??????Le??\BaseNamedObjects\WDI_{b0c246bd-925d-403d-93b1-9585e63957f7}?D??? ???????8?????6???????0????????????????????? ???????6???????????4?0??????????tm???????????6?????????????6??????????????????????? ???????8?????6???????0????????????????????? ???????6???????????6?0???????????????????????6????????????????Ef???????6???k??a ????????{0.0.0.00000000}.{1498993d-6e09-43af-a635-63d76d5f2247}/00010000???????6?664???????6???8?????????????s?(??????????????????????????????\??\C:\Windows\system32\drivers\aswRdr2.sys??(???6?6?6???????6?????????r????USERNAME?????????????????????s??oem17.inf?????@??6??????????????????????%systemroot%\system32\scext.dll???????"??6?????????????????? NOEXECUTE=OPTIN?CUTE=OPTIN DEBUG DEBUGPORT=COM1 BAUDRATE=115200??????????????8????????H??6??????????????multi(0)disk(0)rdisk(0)partition(1)???????H??6??????????????????multi(0)disk(0)rdisk(0)partition(1)??????,?,?6?6?6?6?6?6??????????????????????????????????????????????????????????????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description Avast! Mini-filter Driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ImagePath \??\C:\Windows\system32\drivers\aswFsBlk.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \??\C:\Windows\system32\drivers\aswRdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@DisableAutostart 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ImagePath \??\C:\Windows\system32\drivers\aswSnx.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ImagePath \??\C:\Windows\system32\drivers\aswSP.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \??\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \??\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ImagePath \??\C:\Windows\system32\drivers\aswTdi.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi\Parameters@DisableAutostart 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi\Parameters@ProviderStart 3 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 288 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje os?ony dzia?aj?ce w czasie rzeczywistym, kwarantann? oraz harmonogram zada?. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus\Parameters@InstallEmailScanner aswRunDll.exe "C:\Program Files\AVAST Software\Avast\ashMaiSv.dll,Install" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@DisableAutostart 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 35 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 876132 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswTdi\Parameters@DisableAutostart 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi\Parameters@ProviderStart 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Igor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberGhost VPN\CyberGhost VPN odinstalowaÄ\x2021.lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CyberGhost VPN\CyberGhost VPN odinstalowaÄ\x2021.lnk 1 ---- EOF - GMER 2.1 ----