GMER 1.0.15.15570 - http://www.gmer.net Rootkit scan 2011-03-24 18:41:34 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_2F040J0 rev.VAM51JJ0 Running: gmer.exe; Driver: C:\DOCUME~1\Dom\USTAWI~1\Temp\awacifow.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xEF5409CA] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xEF595A68] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xEF560AF5] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xEF542EAC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xEF542F04] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xEF54301A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xEF5604A9] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xEF542E02] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xEF542F54] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xEF542E56] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xEF542FC8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xEF5409EE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xEF5611BB] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! 
Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xEF561471] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xEF54329E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xEF561026] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xEF560E91] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xEF595B18] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xEF5407B8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xEF540A12] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xEF543412] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xEF5414AA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xEF542EDC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xEF542F2C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xEF543044] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xEF560805] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xEF542E2E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xEF5430D6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xEF542F94] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! 
Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xEF542E84] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xEF5431BA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xEF542FF2] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xEF595BB0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xEF560D0C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xEF541370] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xEF560B5E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xEF59DE26] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xEF55FB1C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xEF540A36] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xEF540A5A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xEF540812] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xEF54094E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xEF5612C2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xEF54092A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xEF540972] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! 
Virtualization Driver/AVAST Software) ZwVdmControl [0xEF540A7E] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xEF5AA8DE] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!_abnormal_termination + B0 804E270C 2 Bytes [F5, 0A] .text ntoskrnl.exe!_abnormal_termination + B3 804E270F 1 Byte [EF] .text ntoskrnl.exe!_abnormal_termination + 228 804E2884 2 Bytes [05, 08] .text ntoskrnl.exe!_abnormal_termination + 22B 804E2887 5 Bytes [EF, 2E, 2E, 54, EF] .text ntoskrnl.exe!_abnormal_termination + 310 804E296C 2 Bytes [5E, 0B] .text ... PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP EF5A7D38 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056B712 4 Bytes CALL EF541E25 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC6C 7 Bytes JMP EF5AA8E2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059F85D 5 Bytes JMP EF5A629E \SystemRoot\System32\Drivers\aswSP.SYS (avast! 
self protection module/AVAST Software) .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF7DDE000, 0x1B601E, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Java\jre6\bin\jqs.exe[132] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00150030 .text C:\Program Files\Java\jre6\bin\jqs.exe[132] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0015006C .text C:\Program Files\Java\jre6\bin\jqs.exe[132] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003E01D4 .text C:\Program Files\Java\jre6\bin\jqs.exe[132] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003E00E4 .text C:\Program Files\Java\jre6\bin\jqs.exe[132] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 003E0120 .text C:\Program Files\Java\jre6\bin\jqs.exe[132] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 003E015C .text C:\Program Files\Java\jre6\bin\jqs.exe[132] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 003E0198 .text C:\Program Files\Java\jre6\bin\jqs.exe[132] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003E0030 .text C:\Program Files\Java\jre6\bin\jqs.exe[132] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003E006C .text C:\Program Files\Java\jre6\bin\jqs.exe[132] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003E00A8 .text C:\Program Files\Java\jre6\bin\jqs.exe[132] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003F00E4 .text C:\Program Files\Java\jre6\bin\jqs.exe[132] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003F0120 .text C:\Program Files\Java\jre6\bin\jqs.exe[132] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003F00A8 .text C:\Program Files\Java\jre6\bin\jqs.exe[132] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003F0030 .text C:\Program Files\Java\jre6\bin\jqs.exe[132] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003F006C .text C:\WINDOWS\system32\svchost.exe[240] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030 .text C:\WINDOWS\system32\svchost.exe[240] ntdll.dll!LdrUnloadDll 7C91736B 
5 Bytes JMP 0009006C .text C:\WINDOWS\system32\svchost.exe[240] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text C:\WINDOWS\system32\svchost.exe[240] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\system32\svchost.exe[240] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text C:\WINDOWS\system32\svchost.exe[240] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\system32\svchost.exe[240] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text C:\WINDOWS\system32\svchost.exe[240] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030 .text C:\WINDOWS\system32\svchost.exe[240] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C .text C:\WINDOWS\system32\svchost.exe[240] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8 .text C:\WINDOWS\system32\svchost.exe[240] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4 .text C:\WINDOWS\system32\svchost.exe[240] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120 .text C:\WINDOWS\system32\svchost.exe[240] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8 .text C:\WINDOWS\system32\svchost.exe[240] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030 .text C:\WINDOWS\system32\svchost.exe[240] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C .text C:\PROGRA~1\Bandoo\Bandoo.exe[472] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00150030 .text C:\PROGRA~1\Bandoo\Bandoo.exe[472] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0015006C .text C:\PROGRA~1\Bandoo\Bandoo.exe[472] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003F01D4 .text C:\PROGRA~1\Bandoo\Bandoo.exe[472] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003F00E4 .text C:\PROGRA~1\Bandoo\Bandoo.exe[472] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 003F0120 .text C:\PROGRA~1\Bandoo\Bandoo.exe[472] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 003F015C .text 
C:\PROGRA~1\Bandoo\Bandoo.exe[472] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 003F0198 .text C:\PROGRA~1\Bandoo\Bandoo.exe[472] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003F0030 .text C:\PROGRA~1\Bandoo\Bandoo.exe[472] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003F006C .text C:\PROGRA~1\Bandoo\Bandoo.exe[472] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003F00A8 .text C:\PROGRA~1\Bandoo\Bandoo.exe[472] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 005F00E4 .text C:\PROGRA~1\Bandoo\Bandoo.exe[472] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 005F0120 .text C:\PROGRA~1\Bandoo\Bandoo.exe[472] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 005F00A8 .text C:\PROGRA~1\Bandoo\Bandoo.exe[472] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 005F0030 .text C:\PROGRA~1\Bandoo\Bandoo.exe[472] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 005F006C .text C:\WINDOWS\system32\winlogon.exe[512] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00070030 .text C:\WINDOWS\system32\winlogon.exe[512] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0007006C .text C:\WINDOWS\system32\winlogon.exe[512] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text C:\WINDOWS\system32\winlogon.exe[512] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\system32\winlogon.exe[512] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text C:\WINDOWS\system32\winlogon.exe[512] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\system32\winlogon.exe[512] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text C:\WINDOWS\system32\winlogon.exe[512] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030 .text C:\WINDOWS\system32\winlogon.exe[512] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C .text C:\WINDOWS\system32\winlogon.exe[512] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8 .text C:\WINDOWS\system32\winlogon.exe[512] 
USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4 .text C:\WINDOWS\system32\winlogon.exe[512] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120 .text C:\WINDOWS\system32\winlogon.exe[512] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8 .text C:\WINDOWS\system32\winlogon.exe[512] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030 .text C:\WINDOWS\system32\winlogon.exe[512] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C .text C:\WINDOWS\system32\services.exe[560] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030 .text C:\WINDOWS\system32\services.exe[560] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C .text C:\WINDOWS\system32\services.exe[560] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text C:\WINDOWS\system32\services.exe[560] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\system32\services.exe[560] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text C:\WINDOWS\system32\services.exe[560] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\system32\services.exe[560] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text C:\WINDOWS\system32\services.exe[560] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030 .text C:\WINDOWS\system32\services.exe[560] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C .text C:\WINDOWS\system32\services.exe[560] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8 .text C:\WINDOWS\system32\services.exe[560] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4 .text C:\WINDOWS\system32\services.exe[560] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120 .text C:\WINDOWS\system32\services.exe[560] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8 .text C:\WINDOWS\system32\services.exe[560] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030 .text C:\WINDOWS\system32\services.exe[560] USER32.dll!UnhookWinEvent 
7E3818AC 5 Bytes JMP 0031006C .text C:\WINDOWS\system32\lsass.exe[572] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030 .text C:\WINDOWS\system32\lsass.exe[572] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C .text C:\WINDOWS\system32\lsass.exe[572] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text C:\WINDOWS\system32\lsass.exe[572] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\system32\lsass.exe[572] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text C:\WINDOWS\system32\lsass.exe[572] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\system32\lsass.exe[572] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text C:\WINDOWS\system32\lsass.exe[572] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030 .text C:\WINDOWS\system32\lsass.exe[572] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C .text C:\WINDOWS\system32\lsass.exe[572] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8 .text C:\WINDOWS\system32\lsass.exe[572] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4 .text C:\WINDOWS\system32\lsass.exe[572] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120 .text C:\WINDOWS\system32\lsass.exe[572] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8 .text C:\WINDOWS\system32\lsass.exe[572] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030 .text C:\WINDOWS\system32\lsass.exe[572] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C .text C:\WINDOWS\system32\svchost.exe[728] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030 .text C:\WINDOWS\system32\svchost.exe[728] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C .text C:\WINDOWS\system32\svchost.exe[728] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text C:\WINDOWS\system32\svchost.exe[728] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\system32\svchost.exe[728] 
ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text C:\WINDOWS\system32\svchost.exe[728] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\system32\svchost.exe[728] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text C:\WINDOWS\system32\svchost.exe[728] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030 .text C:\WINDOWS\system32\svchost.exe[728] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C .text C:\WINDOWS\system32\svchost.exe[728] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8 .text C:\WINDOWS\system32\svchost.exe[728] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4 .text C:\WINDOWS\system32\svchost.exe[728] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120 .text C:\WINDOWS\system32\svchost.exe[728] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8 .text C:\WINDOWS\system32\svchost.exe[728] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030 .text C:\WINDOWS\system32\svchost.exe[728] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C .text C:\WINDOWS\system32\svchost.exe[828] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030 .text C:\WINDOWS\system32\svchost.exe[828] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C .text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030 .text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!CreateServiceW 
77E27381 5 Bytes JMP 0030006C .text C:\WINDOWS\system32\svchost.exe[828] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8 .text C:\WINDOWS\system32\svchost.exe[828] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4 .text C:\WINDOWS\system32\svchost.exe[828] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120 .text C:\WINDOWS\system32\svchost.exe[828] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8 .text C:\WINDOWS\system32\svchost.exe[828] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030 .text C:\WINDOWS\system32\svchost.exe[828] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C .text C:\WINDOWS\System32\svchost.exe[880] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030 .text C:\WINDOWS\System32\svchost.exe[880] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C .text C:\WINDOWS\System32\svchost.exe[880] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text C:\WINDOWS\System32\svchost.exe[880] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\System32\svchost.exe[880] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text C:\WINDOWS\System32\svchost.exe[880] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\System32\svchost.exe[880] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text C:\WINDOWS\System32\svchost.exe[880] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030 .text C:\WINDOWS\System32\svchost.exe[880] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C .text C:\WINDOWS\System32\svchost.exe[880] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8 .text C:\WINDOWS\System32\svchost.exe[880] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4 .text C:\WINDOWS\System32\svchost.exe[880] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120 .text C:\WINDOWS\System32\svchost.exe[880] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8 .text 
C:\WINDOWS\System32\svchost.exe[880] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030 .text C:\WINDOWS\System32\svchost.exe[880] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C .text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030 .text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C .text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030 .text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C .text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8 .text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4 .text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120 .text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8 .text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030 .text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030 .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C .text C:\WINDOWS\system32\svchost.exe[1040] 
ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030 .text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C .text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8 .text C:\WINDOWS\system32\svchost.exe[1040] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4 .text C:\WINDOWS\system32\svchost.exe[1040] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120 .text C:\WINDOWS\system32\svchost.exe[1040] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8 .text C:\WINDOWS\system32\svchost.exe[1040] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030 .text C:\WINDOWS\system32\svchost.exe[1040] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1148] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\WINDOWS\system32\svchost.exe[1268] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030 .text C:\WINDOWS\system32\svchost.exe[1268] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C .text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4 .text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4 .text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120 .text 
C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C .text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198 .text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030 .text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C .text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8 .text C:\WINDOWS\system32\svchost.exe[1268] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4 .text C:\WINDOWS\system32\svchost.exe[1268] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120 .text C:\WINDOWS\system32\svchost.exe[1268] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8 .text C:\WINDOWS\system32\svchost.exe[1268] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030 .text C:\WINDOWS\system32\svchost.exe[1268] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C .text C:\WINDOWS\Explorer.EXE[1312] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030 .text C:\WINDOWS\Explorer.EXE[1312] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C .text C:\WINDOWS\Explorer.EXE[1312] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003801D4 .text C:\WINDOWS\Explorer.EXE[1312] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003800E4 .text C:\WINDOWS\Explorer.EXE[1312] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00380120 .text C:\WINDOWS\Explorer.EXE[1312] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0038015C .text C:\WINDOWS\Explorer.EXE[1312] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00380198 .text C:\WINDOWS\Explorer.EXE[1312] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00380030 .text C:\WINDOWS\Explorer.EXE[1312] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0038006C .text C:\WINDOWS\Explorer.EXE[1312] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003800A8 .text 
C:\WINDOWS\Explorer.EXE[1312] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003900E4 .text C:\WINDOWS\Explorer.EXE[1312] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00390120 .text C:\WINDOWS\Explorer.EXE[1312] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003900A8 .text C:\WINDOWS\Explorer.EXE[1312] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00390030 .text C:\WINDOWS\Explorer.EXE[1312] USER32.dll!UnhookWinEvent 7E3818AC 3 Bytes JMP 0039006C .text C:\WINDOWS\Explorer.EXE[1312] USER32.dll!UnhookWinEvent + 4 7E3818B0 1 Byte [82] .text C:\WINDOWS\SOUNDMAN.EXE[1472] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00140030 .text C:\WINDOWS\SOUNDMAN.EXE[1472] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0014006C .text C:\WINDOWS\SOUNDMAN.EXE[1472] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003D00E4 .text C:\WINDOWS\SOUNDMAN.EXE[1472] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003D0120 .text C:\WINDOWS\SOUNDMAN.EXE[1472] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003D00A8 .text C:\WINDOWS\SOUNDMAN.EXE[1472] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003D0030 .text C:\WINDOWS\SOUNDMAN.EXE[1472] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003D006C .text C:\WINDOWS\SOUNDMAN.EXE[1472] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003E01D4 .text C:\WINDOWS\SOUNDMAN.EXE[1472] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003E00E4 .text C:\WINDOWS\SOUNDMAN.EXE[1472] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 003E0120 .text C:\WINDOWS\SOUNDMAN.EXE[1472] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 003E015C .text C:\WINDOWS\SOUNDMAN.EXE[1472] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 003E0198 .text C:\WINDOWS\SOUNDMAN.EXE[1472] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003E0030 .text C:\WINDOWS\SOUNDMAN.EXE[1472] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003E006C .text C:\WINDOWS\SOUNDMAN.EXE[1472] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003E00A8 .text 
C:\WINDOWS\system32\ctfmon.exe[1524] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000A0030
.text C:\WINDOWS\system32\ctfmon.exe[1524] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 000A006C
.text C:\WINDOWS\system32\ctfmon.exe[1524] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003801D4
.text C:\WINDOWS\system32\ctfmon.exe[1524] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003800E4
.text C:\WINDOWS\system32\ctfmon.exe[1524] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00380120
.text C:\WINDOWS\system32\ctfmon.exe[1524] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0038015C
.text C:\WINDOWS\system32\ctfmon.exe[1524] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00380198
.text C:\WINDOWS\system32\ctfmon.exe[1524] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00380030
.text C:\WINDOWS\system32\ctfmon.exe[1524] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0038006C
.text C:\WINDOWS\system32\ctfmon.exe[1524] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003800A8
.text C:\WINDOWS\system32\ctfmon.exe[1524] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003900E4
.text C:\WINDOWS\system32\ctfmon.exe[1524] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00390120
.text C:\WINDOWS\system32\ctfmon.exe[1524] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003900A8
.text C:\WINDOWS\system32\ctfmon.exe[1524] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00390030
.text C:\WINDOWS\system32\ctfmon.exe[1524] USER32.dll!UnhookWinEvent 7E3818AC 3 Bytes JMP 0039006C
.text C:\WINDOWS\system32\ctfmon.exe[1524] USER32.dll!UnhookWinEvent + 4 7E3818B0 1 Byte [82]
.text C:\WINDOWS\system32\spoolsv.exe[1820] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\spoolsv.exe[1820] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\spoolsv.exe[1820] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003001D4
.text C:\WINDOWS\system32\spoolsv.exe[1820] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003000E4
.text C:\WINDOWS\system32\spoolsv.exe[1820] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300120
.text C:\WINDOWS\system32\spoolsv.exe[1820] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0030015C
.text C:\WINDOWS\system32\spoolsv.exe[1820] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300198
.text C:\WINDOWS\system32\spoolsv.exe[1820] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00300030
.text C:\WINDOWS\system32\spoolsv.exe[1820] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0030006C
.text C:\WINDOWS\system32\spoolsv.exe[1820] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003000A8
.text C:\WINDOWS\system32\spoolsv.exe[1820] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003100E4
.text C:\WINDOWS\system32\spoolsv.exe[1820] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310120
.text C:\WINDOWS\system32\spoolsv.exe[1820] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003100A8
.text C:\WINDOWS\system32\spoolsv.exe[1820] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00310030
.text C:\WINDOWS\system32\spoolsv.exe[1820] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0031006C
.text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe[1960] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00150030
.text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe[1960] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0015006C
.text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe[1960] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003E01D4
.text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe[1960] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003E00E4
.text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe[1960] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 003E0120
.text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe[1960] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 003E015C
.text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe[1960] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 003E0198
.text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe[1960] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003E0030
.text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe[1960] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003E006C
.text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe[1960] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003E00A8
.text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe[1960] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003F00E4
.text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe[1960] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003F0120
.text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe[1960] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003F00A8
.text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe[1960] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003F0030
.text C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe[1960] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003F006C
.text C:\WINDOWS\System32\alg.exe[2128] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00090030
.text C:\WINDOWS\System32\alg.exe[2128] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0009006C
.text C:\WINDOWS\System32\alg.exe[2128] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003000E4
.text C:\WINDOWS\System32\alg.exe[2128] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00300120
.text C:\WINDOWS\System32\alg.exe[2128] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003000A8
.text C:\WINDOWS\System32\alg.exe[2128] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00300030
.text C:\WINDOWS\System32\alg.exe[2128] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 0030006C
.text C:\WINDOWS\System32\alg.exe[2128] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003101D4
.text C:\WINDOWS\System32\alg.exe[2128] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003100E4
.text C:\WINDOWS\System32\alg.exe[2128] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00310120
.text C:\WINDOWS\System32\alg.exe[2128] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 0031015C
.text C:\WINDOWS\System32\alg.exe[2128] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00310198
.text C:\WINDOWS\System32\alg.exe[2128] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00310030
.text C:\WINDOWS\System32\alg.exe[2128] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0031006C
.text C:\WINDOWS\System32\alg.exe[2128] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003100A8

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[560] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00690002
IAT C:\WINDOWS\system32\services.exe[560] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00690000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----