GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-24 16:56:57
Windows 5.1.2600 Dodatek Service Pack 3
Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BB-00HEA0 rev.13.03G13
Running: mymoogi8.exe; Driver: C:\DOCUME~1\Krys\USTAWI~1\Temp\pfliypoc.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xB64E59CA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xB653AA68]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xB6505AF5]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xB64E7EAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xB64E7F04]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xB64E801A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xB65054A9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xB64E7E02]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwCreatePagingFile [0xF74E7B00]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xB64E7F54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xB64E7E56]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xB64E7FC8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xB64E59EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xB65061BB]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xB6506471]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xB64E829E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xB6506026]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xB6505E91]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xB653AB18]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xB64E57B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xB64E5A12]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xB64E8412]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xB64E64AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xB64E7EDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xB64E7F2C]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwOpenFile [0xF74E7B40]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xB64E8044]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xB6505805]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xB64E7E2E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xB64E80D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xB64E7F94]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xB64E7E84]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xB64E81BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xB64E7FF2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xB653ABB0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xB6505D0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xB64E6370]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xB6505B5E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xB6542E26]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xB6504B1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xB64E5A36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xB64E5A5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xB64E5812]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xB64E594E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xB65062C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xB64E592A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xB64E5972]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xB64E5A7E]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB654F8DE]
Code \??\C:\DOCUME~1\Krys\USTAWI~1\Temp\catchme.sys pIofCallDriver
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 214 804E2870 16 Bytes [DC, 7E, 4E, B6, 2C, 7F, 4E, ...]
PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP B654CD38 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056B712 2 Bytes CALL B64E6E25 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CF 8056B715 1 Byte [35]
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC60 7 Bytes JMP B654F8E2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059F84D 5 Bytes JMP B654B29E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS Nie można odnaleźć określonego pliku. !
? C:\DOCUME~1\Krys\USTAWI~1\Temp\catchme.sys Nie można odnaleźć określonego pliku. !

---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\svchost.exe[304] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030 .text C:\WINDOWS\system32\svchost.exe[304] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C .text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030 .text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C .text C:\WINDOWS\system32\svchost.exe[304] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8 .text C:\WINDOWS\system32\svchost.exe[304] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4 .text C:\WINDOWS\system32\svchost.exe[304] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120 .text C:\WINDOWS\system32\svchost.exe[304] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8 .text C:\WINDOWS\system32\svchost.exe[304] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030 .text C:\WINDOWS\system32\svchost.exe[304] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[444] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\WINDOWS\system32\spoolsv.exe[680] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030 .text C:\WINDOWS\system32\spoolsv.exe[680] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C .text C:\WINDOWS\system32\spoolsv.exe[680] 
ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text C:\WINDOWS\system32\spoolsv.exe[680] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\system32\spoolsv.exe[680] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text C:\WINDOWS\system32\spoolsv.exe[680] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\system32\spoolsv.exe[680] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text C:\WINDOWS\system32\spoolsv.exe[680] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030 .text C:\WINDOWS\system32\spoolsv.exe[680] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C .text C:\WINDOWS\system32\spoolsv.exe[680] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8 .text C:\WINDOWS\system32\spoolsv.exe[680] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4 .text C:\WINDOWS\system32\spoolsv.exe[680] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120 .text C:\WINDOWS\system32\spoolsv.exe[680] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8 .text C:\WINDOWS\system32\spoolsv.exe[680] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030 .text C:\WINDOWS\system32\spoolsv.exe[680] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1172] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00150030 .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1172] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0015006C .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1172] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003F01D4 .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1172] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003F00E4 .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1172] 
ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 003F0120 .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1172] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 003F015C .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1172] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 003F0198 .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1172] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003F0030 .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1172] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003F006C .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1172] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003F00A8 .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1172] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 004300E4 .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1172] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00430120 .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1172] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 004300A8 .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1172] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00430030 .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1172] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0043006C .text C:\Program Files\cFosSpeed\spd.exe[1228] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00150030 .text C:\Program Files\cFosSpeed\spd.exe[1228] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0015006C .text C:\Program Files\cFosSpeed\spd.exe[1228] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003E01D4 .text C:\Program Files\cFosSpeed\spd.exe[1228] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003E00E4 .text C:\Program 
Files\cFosSpeed\spd.exe[1228] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 003E0120 .text C:\Program Files\cFosSpeed\spd.exe[1228] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 003E015C .text C:\Program Files\cFosSpeed\spd.exe[1228] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 003E0198 .text C:\Program Files\cFosSpeed\spd.exe[1228] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003E0030 .text C:\Program Files\cFosSpeed\spd.exe[1228] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003E006C .text C:\Program Files\cFosSpeed\spd.exe[1228] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003E00A8 .text C:\Program Files\cFosSpeed\spd.exe[1228] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003F00E4 .text C:\Program Files\cFosSpeed\spd.exe[1228] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003F0120 .text C:\Program Files\cFosSpeed\spd.exe[1228] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003F00A8 .text C:\Program Files\cFosSpeed\spd.exe[1228] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003F0030 .text C:\Program Files\cFosSpeed\spd.exe[1228] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003F006C .text C:\Program Files\Java\jre6\bin\jqs.exe[1284] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00150030 .text C:\Program Files\Java\jre6\bin\jqs.exe[1284] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0015006C .text C:\Program Files\Java\jre6\bin\jqs.exe[1284] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003E01D4 .text C:\Program Files\Java\jre6\bin\jqs.exe[1284] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003E00E4 .text C:\Program Files\Java\jre6\bin\jqs.exe[1284] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 003E0120 .text C:\Program Files\Java\jre6\bin\jqs.exe[1284] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 003E015C .text C:\Program Files\Java\jre6\bin\jqs.exe[1284] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 003E0198 .text C:\Program Files\Java\jre6\bin\jqs.exe[1284] 
ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003E0030 .text C:\Program Files\Java\jre6\bin\jqs.exe[1284] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003E006C .text C:\Program Files\Java\jre6\bin\jqs.exe[1284] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003E00A8 .text C:\Program Files\Java\jre6\bin\jqs.exe[1284] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003F00E4 .text C:\Program Files\Java\jre6\bin\jqs.exe[1284] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003F0120 .text C:\Program Files\Java\jre6\bin\jqs.exe[1284] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003F00A8 .text C:\Program Files\Java\jre6\bin\jqs.exe[1284] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003F0030 .text C:\Program Files\Java\jre6\bin\jqs.exe[1284] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003F006C .text C:\WINDOWS\system32\winlogon.exe[1336] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00070030 .text C:\WINDOWS\system32\winlogon.exe[1336] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0007006C .text C:\WINDOWS\system32\winlogon.exe[1336] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text C:\WINDOWS\system32\winlogon.exe[1336] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\system32\winlogon.exe[1336] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text C:\WINDOWS\system32\winlogon.exe[1336] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\system32\winlogon.exe[1336] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text C:\WINDOWS\system32\winlogon.exe[1336] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030 .text C:\WINDOWS\system32\winlogon.exe[1336] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C .text C:\WINDOWS\system32\winlogon.exe[1336] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8 .text C:\WINDOWS\system32\winlogon.exe[1336] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4 .text 
C:\WINDOWS\system32\winlogon.exe[1336] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120 .text C:\WINDOWS\system32\winlogon.exe[1336] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8 .text C:\WINDOWS\system32\winlogon.exe[1336] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030 .text C:\WINDOWS\system32\winlogon.exe[1336] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C .text C:\WINDOWS\system32\services.exe[1380] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030 .text C:\WINDOWS\system32\services.exe[1380] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C .text C:\WINDOWS\system32\services.exe[1380] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text C:\WINDOWS\system32\services.exe[1380] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\system32\services.exe[1380] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text C:\WINDOWS\system32\services.exe[1380] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\system32\services.exe[1380] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text C:\WINDOWS\system32\services.exe[1380] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030 .text C:\WINDOWS\system32\services.exe[1380] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C .text C:\WINDOWS\system32\services.exe[1380] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8 .text C:\WINDOWS\system32\services.exe[1380] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4 .text C:\WINDOWS\system32\services.exe[1380] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120 .text C:\WINDOWS\system32\services.exe[1380] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8 .text C:\WINDOWS\system32\services.exe[1380] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030 .text C:\WINDOWS\system32\services.exe[1380] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C .text 
C:\WINDOWS\system32\lsass.exe[1392] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030 .text C:\WINDOWS\system32\lsass.exe[1392] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C .text C:\WINDOWS\system32\lsass.exe[1392] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text C:\WINDOWS\system32\lsass.exe[1392] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\system32\lsass.exe[1392] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text C:\WINDOWS\system32\lsass.exe[1392] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\system32\lsass.exe[1392] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text C:\WINDOWS\system32\lsass.exe[1392] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030 .text C:\WINDOWS\system32\lsass.exe[1392] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C .text C:\WINDOWS\system32\lsass.exe[1392] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8 .text C:\WINDOWS\system32\lsass.exe[1392] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4 .text C:\WINDOWS\system32\lsass.exe[1392] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120 .text C:\WINDOWS\system32\lsass.exe[1392] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8 .text C:\WINDOWS\system32\lsass.exe[1392] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030 .text C:\WINDOWS\system32\lsass.exe[1392] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C .text C:\WINDOWS\system32\svchost.exe[1564] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030 .text C:\WINDOWS\system32\svchost.exe[1564] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C .text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\system32\svchost.exe[1564] 
ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030 .text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C .text C:\WINDOWS\system32\svchost.exe[1564] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8 .text C:\WINDOWS\system32\svchost.exe[1564] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4 .text C:\WINDOWS\system32\svchost.exe[1564] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120 .text C:\WINDOWS\system32\svchost.exe[1564] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8 .text C:\WINDOWS\system32\svchost.exe[1564] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030 .text C:\WINDOWS\system32\svchost.exe[1564] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[1604] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00150030 .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[1604] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0015006C .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[1604] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003E01D4 .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[1604] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003E00E4 .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[1604] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 003E0120 .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[1604] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 003E015C .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[1604] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 003E0198 .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[1604] ADVAPI32.dll!CreateServiceA 
77E271E9 5 Bytes JMP 003E0030 .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[1604] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003E006C .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[1604] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003E00A8 .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[1604] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003F00E4 .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[1604] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003F0120 .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[1604] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003F00A8 .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[1604] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003F0030 .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[1604] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003F006C .text C:\WINDOWS\system32\svchost.exe[1648] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030 .text C:\WINDOWS\system32\svchost.exe[1648] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C .text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030 .text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C .text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8 .text C:\WINDOWS\system32\svchost.exe[1648] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4 .text 
C:\WINDOWS\system32\svchost.exe[1648] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120 .text C:\WINDOWS\system32\svchost.exe[1648] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8 .text C:\WINDOWS\system32\svchost.exe[1648] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030 .text C:\WINDOWS\system32\svchost.exe[1648] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1664] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00150030 .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1664] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0015006C .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1664] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003E01D4 .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1664] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003E00E4 .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1664] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 003E0120 .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1664] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 003E015C .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1664] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 003E0198 .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1664] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003E0030 .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1664] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003E006C .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1664] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003E00A8 .text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030 .text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C .text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text 
C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030 .text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C .text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8 .text C:\WINDOWS\system32\svchost.exe[1692] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4 .text C:\WINDOWS\system32\svchost.exe[1692] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120 .text C:\WINDOWS\system32\svchost.exe[1692] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8 .text C:\WINDOWS\system32\svchost.exe[1692] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030 .text C:\WINDOWS\system32\svchost.exe[1692] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C .text C:\WINDOWS\System32\svchost.exe[1852] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030 .text C:\WINDOWS\System32\svchost.exe[1852] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C .text C:\WINDOWS\System32\svchost.exe[1852] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text C:\WINDOWS\System32\svchost.exe[1852] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\System32\svchost.exe[1852] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text C:\WINDOWS\System32\svchost.exe[1852] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\System32\svchost.exe[1852] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text 
C:\WINDOWS\System32\svchost.exe[1852] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030
.text C:\WINDOWS\System32\svchost.exe[1852] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C
.text C:\WINDOWS\System32\svchost.exe[1852] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8
.text C:\WINDOWS\System32\svchost.exe[1852] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4
.text C:\WINDOWS\System32\svchost.exe[1852] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120
.text C:\WINDOWS\System32\svchost.exe[1852] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8
.text C:\WINDOWS\System32\svchost.exe[1852] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030
.text C:\WINDOWS\System32\svchost.exe[1852] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C
.text C:\WINDOWS\system32\svchost.exe[1956] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1956] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1956] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4
.text C:\WINDOWS\system32\svchost.exe[1956] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4
.text C:\WINDOWS\system32\svchost.exe[1956] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120
.text C:\WINDOWS\system32\svchost.exe[1956] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C
.text C:\WINDOWS\system32\svchost.exe[1956] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198
.text C:\WINDOWS\system32\svchost.exe[1956] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030
.text C:\WINDOWS\system32\svchost.exe[1956] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C
.text C:\WINDOWS\system32\svchost.exe[1956] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8
.text C:\WINDOWS\system32\svchost.exe[1956] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4
.text C:\WINDOWS\system32\svchost.exe[1956] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120
.text C:\WINDOWS\system32\svchost.exe[1956] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8
.text C:\WINDOWS\system32\svchost.exe[1956] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030
.text C:\WINDOWS\system32\svchost.exe[1956] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C
.text C:\Program Files\cFosSpeed\cfosspeed.exe[1980] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00150030
.text C:\Program Files\cFosSpeed\cfosspeed.exe[1980] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0015006C
.text C:\Program Files\cFosSpeed\cfosspeed.exe[1980] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003E01D4
.text C:\Program Files\cFosSpeed\cfosspeed.exe[1980] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003E00E4
.text C:\Program Files\cFosSpeed\cfosspeed.exe[1980] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 003E0120
.text C:\Program Files\cFosSpeed\cfosspeed.exe[1980] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 003E015C
.text C:\Program Files\cFosSpeed\cfosspeed.exe[1980] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 003E0198
.text C:\Program Files\cFosSpeed\cfosspeed.exe[1980] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003E0030
.text C:\Program Files\cFosSpeed\cfosspeed.exe[1980] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003E006C
.text C:\Program Files\cFosSpeed\cfosspeed.exe[1980] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003E00A8
.text C:\Program Files\cFosSpeed\cfosspeed.exe[1980] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003F00E4
.text C:\Program Files\cFosSpeed\cfosspeed.exe[1980] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003F0120
.text C:\Program Files\cFosSpeed\cfosspeed.exe[1980] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003F00A8
.text C:\Program Files\cFosSpeed\cfosspeed.exe[1980] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003F0030
.text C:\Program Files\cFosSpeed\cfosspeed.exe[1980] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003F006C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2084] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\WINDOWS\System32\alg.exe[2160] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030
.text C:\WINDOWS\System32\alg.exe[2160] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C
.text C:\WINDOWS\System32\alg.exe[2160] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003000E4
.text C:\WINDOWS\System32\alg.exe[2160] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00300120
.text C:\WINDOWS\System32\alg.exe[2160] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003000A8
.text C:\WINDOWS\System32\alg.exe[2160] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00300030
.text C:\WINDOWS\System32\alg.exe[2160] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0030006C
.text C:\WINDOWS\System32\alg.exe[2160] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003101D4
.text C:\WINDOWS\System32\alg.exe[2160] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003100E4
.text C:\WINDOWS\System32\alg.exe[2160] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00310120
.text C:\WINDOWS\System32\alg.exe[2160] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0031015C
.text C:\WINDOWS\System32\alg.exe[2160] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00310198
.text C:\WINDOWS\System32\alg.exe[2160] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00310030
.text C:\WINDOWS\System32\alg.exe[2160] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0031006C
.text C:\WINDOWS\System32\alg.exe[2160] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003100A8
.text C:\WINDOWS\system32\wscntfy.exe[2276] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\wscntfy.exe[2276] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\wscntfy.exe[2276] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003200E4
.text C:\WINDOWS\system32\wscntfy.exe[2276] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00320120
.text C:\WINDOWS\system32\wscntfy.exe[2276] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003200A8
.text C:\WINDOWS\system32\wscntfy.exe[2276] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00320030
.text C:\WINDOWS\system32\wscntfy.exe[2276] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0032006C
.text C:\WINDOWS\system32\wscntfy.exe[2276] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003301D4
.text C:\WINDOWS\system32\wscntfy.exe[2276] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003300E4
.text C:\WINDOWS\system32\wscntfy.exe[2276] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00330120
.text C:\WINDOWS\system32\wscntfy.exe[2276] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 3 Bytes JMP 0033015C
.text C:\WINDOWS\system32\wscntfy.exe[2276] ADVAPI32.dll!ChangeServiceConfig2A + 4 77E270DD 1 Byte [88]
.text C:\WINDOWS\system32\wscntfy.exe[2276] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00330198
.text C:\WINDOWS\system32\wscntfy.exe[2276] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00330030
.text C:\WINDOWS\system32\wscntfy.exe[2276] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0033006C
.text C:\WINDOWS\system32\wscntfy.exe[2276] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003300A8
.text C:\WINDOWS\System32\svchost.exe[2872] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030
.text C:\WINDOWS\System32\svchost.exe[2872] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C
.text C:\WINDOWS\System32\svchost.exe[2872] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4
.text C:\WINDOWS\System32\svchost.exe[2872] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4
.text C:\WINDOWS\System32\svchost.exe[2872] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120
.text C:\WINDOWS\System32\svchost.exe[2872] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C
.text C:\WINDOWS\System32\svchost.exe[2872] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198
.text C:\WINDOWS\System32\svchost.exe[2872] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030
.text C:\WINDOWS\System32\svchost.exe[2872] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C
.text C:\WINDOWS\System32\svchost.exe[2872] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8
.text C:\WINDOWS\System32\svchost.exe[2872] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4
.text C:\WINDOWS\System32\svchost.exe[2872] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120
.text C:\WINDOWS\System32\svchost.exe[2872] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8
.text C:\WINDOWS\System32\svchost.exe[2872] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030
.text C:\WINDOWS\System32\svchost.exe[2872] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4060] USER32.dll!TrackPopupMenu 7E3B531E 5 Bytes JMP 10402024 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[1380] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00630002
IAT C:\WINDOWS\system32\services.exe[1380] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00630000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\Ntfs \Ntfs 82F7B960
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device \Driver\USB_RNDIS \Device\{A1BFB55A-AB4B-4D89-A693-C04BB9F342B6} RNDISMP.SYS (Remote NDIS Miniport/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device \Driver\Cdrom \Device\CdRom0 82DEDF00
Device \FileSystem\Rdbss \Device\FsWrap 82D845F0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 82D78828
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 82D78828
Device \Driver\atapi \Device\Ide\IdePort0 82D78828
Device \Driver\atapi \Device\Ide\IdePort1 82D78828
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 82D78828
Device \Driver\Cdrom \Device\CdRom1 82DEDF00
Device \Driver\Cdrom \Device\CdRom2 82DEDF00
Device \FileSystem\Srv \Device\LanmanServer 82807788
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82DAB590
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82DAB590
Device \FileSystem\Npfs \Device\NamedPipe 82DC0DA8
Device \FileSystem\Msfs \Device\Mailslot 82DC0280
Device \Driver\a347scsi \Device\Scsi\a347scsi1 82D98CF8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 82D98CF8
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 82DD16E8
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 82DD16E8
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 82DD16E8
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 82DD16E8
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 82DD16E8
Device \FileSystem\Cdfs \Cdfs 82E3FF88

---- Modules - GMER 1.0.15 ----

Module _________ F7449000-F7461000 (98304 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ujdew 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ljej40 0x2B 0xA0 0x0E 0xAE ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}@DisplayName Alcohol 120%
Reg HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6@ProductName Alcohol 120%

---- EOF - GMER 1.0.15 ----