GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-07 15:19:52 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BPVT-22ZEST0 rev.01.01A01 298,09GB Running: 0t7l4j6u.exe; Driver: C:\Users\agata\AppData\Local\Temp\uglorpow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[584] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Windows\system32\services.exe[628] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[988] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[128] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[392] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[496] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[944] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Windows\servicing\TrustedInstaller.exe[1044] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1364] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text 
C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1504] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007509a2ba 1 byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1532] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1576] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007509a2ba 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1624] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007509a2ba 1 byte [62] .text C:\Program Files (x86)\PasswordBox\pbbtnService.exe[1656] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007509a2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[1788] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Users\agata\AppData\Local\majtuto4pc_pl_9\supmajt4pc_pl_9.exe[1820] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007509a2ba 1 byte [62] .text C:\Users\agata\AppData\Local\tuto4pc_pl_12\supt4pc_pl_12.exe[1888] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007509a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\ToolbarUpdater.exe[1916] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007509a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\loggingserver.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007731fac0 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\loggingserver.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007731fb58 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\Common Files\AVG 
Secure Search\vToolbarUpdater\18.0.0\loggingserver.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007731fcb0 5 bytes JMP 0000000100090c0c .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\loggingserver.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077320038 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\loggingserver.exe[2320] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077321920 5 bytes JMP 0000000100090e10 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\loggingserver.exe[2320] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007733c4dd 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\loggingserver.exe[2320] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077341287 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\loggingserver.exe[2320] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007509a2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077143b10 5 bytes JMP 00000001001c075c .text C:\Windows\system32\svchost.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077147ac0 5 bytes JMP 00000001001c03a4 .text C:\Windows\system32\svchost.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077171430 5 bytes JMP 00000001001c0b14 .text C:\Windows\system32\svchost.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077171490 5 bytes JMP 00000001001c0ecc .text C:\Windows\system32\svchost.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077171570 5 bytes JMP 00000001001c163c .text C:\Windows\system32\svchost.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771717b0 5 bytes JMP 00000001001c1284 .text 
C:\Windows\system32\svchost.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771727e0 5 bytes JMP 00000001001c19f4 .text C:\Windows\system32\svchost.exe[2524] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2524] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefecd6e00 5 bytes JMP 000007ff7ecf1dac .text C:\Windows\system32\svchost.exe[2524] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefecd6f2c 5 bytes JMP 000007ff7ecf0ecc .text C:\Windows\system32\svchost.exe[2524] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefecd7220 5 bytes JMP 000007ff7ecf1284 .text C:\Windows\system32\svchost.exe[2524] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefecd739c 5 bytes JMP 000007ff7ecf163c .text C:\Windows\system32\svchost.exe[2524] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefecd7538 5 bytes JMP 000007ff7ecf19f4 .text C:\Windows\system32\svchost.exe[2524] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefecd75e8 5 bytes JMP 000007ff7ecf03a4 .text C:\Windows\system32\svchost.exe[2524] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefecd790c 5 bytes JMP 000007ff7ecf075c .text C:\Windows\system32\svchost.exe[2524] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefecd7ab4 5 bytes JMP 000007ff7ecf0b14 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077143b10 5 bytes JMP 000000010021075c .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077147ac0 5 bytes JMP 00000001002103a4 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077171430 5 bytes JMP 0000000100210b14 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2780] 
C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077171490 5 bytes JMP 0000000100210ecc .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077171570 5 bytes JMP 000000010021163c .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771717b0 5 bytes JMP 0000000100211284 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771727e0 5 bytes JMP 00000001002119f4 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2780] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2780] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefecd6e00 5 bytes JMP 000007ff7ecf1dac .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefecd6f2c 5 bytes JMP 000007ff7ecf0ecc .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefecd7220 5 bytes JMP 000007ff7ecf1284 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefecd739c 5 bytes JMP 000007ff7ecf163c .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefecd7538 5 bytes JMP 000007ff7ecf19f4 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2780] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefecd75e8 5 bytes JMP 000007ff7ecf03a4 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2780] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefecd790c 5 bytes JMP 000007ff7ecf075c .text 
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2780] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefecd7ab4 5 bytes JMP 000007ff7ecf0b14 .text C:\Windows\system32\atieclxx.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077143b10 5 bytes JMP 000000010041075c .text C:\Windows\system32\atieclxx.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077147ac0 5 bytes JMP 00000001004103a4 .text C:\Windows\system32\atieclxx.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077171430 5 bytes JMP 0000000100410b14 .text C:\Windows\system32\atieclxx.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077171490 5 bytes JMP 0000000100410ecc .text C:\Windows\system32\atieclxx.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077171570 5 bytes JMP 000000010041163c .text C:\Windows\system32\atieclxx.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771717b0 5 bytes JMP 0000000100411284 .text C:\Windows\system32\atieclxx.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771727e0 5 bytes JMP 00000001004119f4 .text C:\Windows\system32\atieclxx.exe[3040] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefecd6e00 5 bytes JMP 000007ff7ecf1dac .text C:\Windows\system32\atieclxx.exe[3040] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefecd6f2c 5 bytes JMP 000007ff7ecf0ecc .text C:\Windows\system32\atieclxx.exe[3040] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefecd7220 5 bytes JMP 000007ff7ecf1284 .text C:\Windows\system32\atieclxx.exe[3040] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefecd739c 5 bytes JMP 000007ff7ecf163c .text C:\Windows\system32\atieclxx.exe[3040] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefecd7538 5 bytes JMP 000007ff7ecf19f4 .text C:\Windows\system32\atieclxx.exe[3040] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefecd75e8 5 bytes JMP 000007ff7ecf03a4 
.text C:\Windows\system32\atieclxx.exe[3040] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefecd790c 5 bytes JMP 000007ff7ecf075c .text C:\Windows\system32\atieclxx.exe[3040] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefecd7ab4 5 bytes JMP 000007ff7ecf0b14 .text C:\Windows\system32\Dwm.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077143b10 5 bytes JMP 000000010035075c .text C:\Windows\system32\Dwm.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077147ac0 5 bytes JMP 00000001003503a4 .text C:\Windows\system32\Dwm.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077171430 5 bytes JMP 0000000100350b14 .text C:\Windows\system32\Dwm.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077171490 5 bytes JMP 0000000100350ecc .text C:\Windows\system32\Dwm.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077171570 5 bytes JMP 000000010035163c .text C:\Windows\system32\Dwm.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771717b0 5 bytes JMP 0000000100351284 .text C:\Windows\system32\Dwm.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771727e0 5 bytes JMP 00000001003519f4 .text C:\Windows\system32\Dwm.exe[2540] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefecd6e00 5 bytes JMP 000007ff7ecf1dac .text C:\Windows\system32\Dwm.exe[2540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefecd6f2c 5 bytes JMP 000007ff7ecf0ecc .text C:\Windows\system32\Dwm.exe[2540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefecd7220 5 bytes JMP 000007ff7ecf1284 .text C:\Windows\system32\Dwm.exe[2540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefecd739c 5 bytes JMP 000007ff7ecf163c .text C:\Windows\system32\Dwm.exe[2540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefecd7538 5 bytes JMP 000007ff7ecf19f4 .text C:\Windows\system32\Dwm.exe[2540] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefecd75e8 5 bytes JMP 000007ff7ecf03a4 .text C:\Windows\system32\Dwm.exe[2540] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefecd790c 5 bytes JMP 000007ff7ecf075c .text C:\Windows\system32\Dwm.exe[2540] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefecd7ab4 5 bytes JMP 000007ff7ecf0b14 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077143b10 5 bytes JMP 000000010035075c .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077147ac0 5 bytes JMP 00000001003503a4 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077171430 5 bytes JMP 0000000100350b14 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077171490 5 bytes JMP 0000000100350ecc .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077171570 5 bytes JMP 000000010035163c .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771717b0 5 bytes JMP 0000000100351284 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771727e0 5 bytes JMP 00000001003519f4 .text C:\Windows\Explorer.EXE[1692] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefecd6e00 5 bytes JMP 000007ff7ecf1dac .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefecd6f2c 5 bytes JMP 000007ff7ecf0ecc .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefecd7220 5 bytes JMP 000007ff7ecf1284 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefecd739c 5 bytes JMP 000007ff7ecf163c .text C:\Windows\Explorer.EXE[1692] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefecd7538 5 bytes JMP 000007ff7ecf19f4 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefecd75e8 5 bytes JMP 000007ff7ecf03a4 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefecd790c 5 bytes JMP 000007ff7ecf075c .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefecd7ab4 5 bytes JMP 000007ff7ecf0b14 .text C:\Windows\Explorer.EXE[1692] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefefb45c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\Explorer.EXE[1692] C:\Windows\system32\WS2_32.dll!getsockname 000007fefefb9480 6 bytes {JMP QWORD [RIP-0x7fed941e]} .text C:\Windows\Explorer.EXE[1692] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefefde0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\Explorer.EXE[1692] C:\Windows\system32\WS2_32.dll!getpeername 000007fefefde450 6 bytes {JMP QWORD [RIP-0x7fefe3be]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007731fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007731fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007731fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077320038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077321920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 
000000007733c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077341287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007509a2ba 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000768bf0e6 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000768c3907 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000768c8364 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000768d06b3 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000768e0efc 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074e35181 5 bytes JMP 0000000100111014 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074e35254 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074e353d5 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074e354c2 5 bytes JMP 0000000100110c0c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074e355e2 5 bytes JMP 0000000100110e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074e3567c 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074e3589f 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074e35a22 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\syswow64\WS2_32.dll!getsockname 00000000758230af 5 bytes JMP 0000000100f9008d .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\syswow64\WS2_32.dll!connect 0000000075826bdd 5 bytes JMP 0000000100f9002d .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\syswow64\WS2_32.dll!getpeername 0000000075827147 5 bytes JMP 0000000100f900bd .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2764] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007582cc3f 5 bytes JMP 0000000100f9005d .text C:\Windows\system32\taskhost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077143b10 5 bytes JMP 000000010042075c .text C:\Windows\system32\taskhost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077147ac0 5 bytes JMP 00000001004203a4 .text C:\Windows\system32\taskhost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077171430 5 bytes JMP 0000000100420b14 .text C:\Windows\system32\taskhost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077171490 5 bytes JMP 0000000100420ecc .text C:\Windows\system32\taskhost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077171570 5 bytes JMP 000000010042163c .text C:\Windows\system32\taskhost.exe[168] 
C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771717b0 5 bytes JMP 0000000100421284 .text C:\Windows\system32\taskhost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771727e0 5 bytes JMP 00000001004219f4 .text C:\Windows\system32\taskhost.exe[168] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[168] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefecd6e00 5 bytes JMP 000007ff7ecf1dac .text C:\Windows\system32\taskhost.exe[168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefecd6f2c 5 bytes JMP 000007ff7ecf0ecc .text C:\Windows\system32\taskhost.exe[168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefecd7220 5 bytes JMP 000007ff7ecf1284 .text C:\Windows\system32\taskhost.exe[168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefecd739c 5 bytes JMP 000007ff7ecf163c .text C:\Windows\system32\taskhost.exe[168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefecd7538 5 bytes JMP 000007ff7ecf19f4 .text C:\Windows\system32\taskhost.exe[168] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefecd75e8 5 bytes JMP 000007ff7ecf03a4 .text C:\Windows\system32\taskhost.exe[168] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefecd790c 5 bytes JMP 000007ff7ecf075c .text C:\Windows\system32\taskhost.exe[168] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefecd7ab4 5 bytes JMP 000007ff7ecf0b14 .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007731fac0 5 bytes JMP 0000000100030600 .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007731fb58 5 bytes JMP 0000000100030804 .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007731fcb0 5 bytes JMP 0000000100030c0c 
.text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077320038 5 bytes JMP 0000000100030a08 .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077321920 5 bytes JMP 0000000100030e10 .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007733c4dd 5 bytes JMP 00000001000301f8 .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077341287 5 bytes JMP 00000001000303fc .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007509a2ba 1 byte [62] .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074e35181 5 bytes JMP 0000000100101014 .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074e35254 5 bytes JMP 0000000100100804 .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074e353d5 5 bytes JMP 0000000100100a08 .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074e354c2 5 bytes JMP 0000000100100c0c .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074e355e2 5 bytes JMP 0000000100100e10 .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074e3567c 5 bytes JMP 00000001001001f8 .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074e3589f 5 bytes JMP 00000001001003fc .text 
C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074e35a22 5 bytes JMP 0000000100100600 .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000768bf0e6 5 bytes JMP 00000001001101f8 .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000768c3907 5 bytes JMP 00000001001103fc .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000768c8364 5 bytes JMP 0000000100110600 .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000768d06b3 5 bytes JMP 0000000100110804 .text C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe[2232] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000768e0efc 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007731fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007731fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007731fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077320038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077321920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007733c4dd 5 bytes 
JMP 00000001000301f8 .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077341287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007509a2ba 1 byte [62] .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000768bf0e6 5 bytes JMP 00000001003c01f8 .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000768c3907 5 bytes JMP 00000001003c03fc .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000768c8364 5 bytes JMP 00000001003c0600 .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000768d06b3 5 bytes JMP 00000001003c0804 .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000768e0efc 5 bytes JMP 00000001003c0a08 .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074e35181 5 bytes JMP 00000001003d1014 .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074e35254 5 bytes JMP 00000001003d0804 .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074e353d5 5 bytes JMP 00000001003d0a08 .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074e354c2 5 bytes JMP 00000001003d0c0c .text C:\Program Files (x86)\Samsung\Samsung New PC 
Studio\NPSAgent.exe[1896] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074e355e2 5 bytes JMP 00000001003d0e10 .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074e3567c 5 bytes JMP 00000001003d01f8 .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074e3589f 5 bytes JMP 00000001003d03fc .text C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe[1896] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074e35a22 5 bytes JMP 00000001003d0600 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2052] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007509a2ba 1 byte [62] .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007731fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007731fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007731fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077320038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077321920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007733c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077341287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007509a2ba 1 byte [62] .text 
C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\syswow64\user32.dll!SetWinEventHook 00000000768bf0e6 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\syswow64\user32.dll!UnhookWinEvent 00000000768c3907 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\syswow64\user32.dll!SetWindowsHookExA 00000000768c8364 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\syswow64\user32.dll!SetWindowsHookExW 00000000768d06b3 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\syswow64\user32.dll!UnhookWindowsHookEx 00000000768e0efc 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074e35181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074e35254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074e353d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074e354c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074e355e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074e3567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074e3589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3124] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074e35a22 5 bytes JMP 0000000100250600 
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007731fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007731fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007731fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077320038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077321920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007733c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077341287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007509a2ba 1 byte [62] .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000768bf0e6 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000768c3907 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000768c8364 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000768d06b3 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] 
C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000768e0efc 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074e35181 5 bytes JMP 0000000100111014 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074e35254 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074e353d5 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074e354c2 5 bytes JMP 0000000100110c0c .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074e355e2 5 bytes JMP 0000000100110e10 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074e3567c 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074e3589f 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074e35a22 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\syswow64\WS2_32.dll!getsockname 00000000758230af 5 bytes JMP 000000010055008d .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\syswow64\WS2_32.dll!connect 0000000075826bdd 5 bytes JMP 000000010055002d .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\syswow64\WS2_32.dll!getpeername 0000000075827147 5 bytes JMP 00000001005500bd .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\syswow64\WS2_32.dll!WSAConnect 
000000007582cc3f 5 bytes JMP 000000010055005d .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 00000000751d1465 2 bytes [1D, 75] .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3152] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 00000000751d14bb 2 bytes [1D, 75] .text ... * 2 .text C:\Windows\system32\SearchIndexer.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077143b10 5 bytes JMP 000000010026075c .text C:\Windows\system32\SearchIndexer.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077147ac0 5 bytes JMP 00000001002603a4 .text C:\Windows\system32\SearchIndexer.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077171430 5 bytes JMP 0000000100260b14 .text C:\Windows\system32\SearchIndexer.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077171490 5 bytes JMP 0000000100260ecc .text C:\Windows\system32\SearchIndexer.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077171570 5 bytes JMP 000000010026163c .text C:\Windows\system32\SearchIndexer.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771717b0 5 bytes JMP 0000000100261284 .text C:\Windows\system32\SearchIndexer.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771727e0 5 bytes JMP 00000001002619f4 .text C:\Windows\system32\SearchIndexer.exe[3204] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3204] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefecd6e00 5 bytes JMP 000007ff7ecf1dac .text C:\Windows\system32\SearchIndexer.exe[3204] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefecd6f2c 5 bytes JMP 000007ff7ecf0ecc .text C:\Windows\system32\SearchIndexer.exe[3204] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefecd7220 5 bytes JMP 000007ff7ecf1284 .text 
C:\Windows\system32\SearchIndexer.exe[3204] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefecd739c 5 bytes JMP 000007ff7ecf163c .text C:\Windows\system32\SearchIndexer.exe[3204] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefecd7538 5 bytes JMP 000007ff7ecf19f4 .text C:\Windows\system32\SearchIndexer.exe[3204] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefecd75e8 5 bytes JMP 000007ff7ecf03a4 .text C:\Windows\system32\SearchIndexer.exe[3204] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefecd790c 5 bytes JMP 000007ff7ecf075c .text C:\Windows\system32\SearchIndexer.exe[3204] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefecd7ab4 5 bytes JMP 000007ff7ecf0b14 .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007731fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007731fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007731fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077320038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077321920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007733c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077341287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007509a2ba 1 byte 
[62] .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000768bf0e6 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000768c3907 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000768c8364 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000768d06b3 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000768e0efc 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074e35181 5 bytes JMP 0000000100151014 .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074e35254 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074e353d5 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074e354c2 5 bytes JMP 0000000100150c0c .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074e355e2 5 bytes JMP 0000000100150e10 .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074e3567c 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074e3589f 5 bytes JMP 00000001001503fc .text C:\Program Files 
(x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074e35a22 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\syswow64\WS2_32.dll!getsockname 00000000758230af 5 bytes JMP 000000010024008d .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\syswow64\WS2_32.dll!connect 0000000075826bdd 5 bytes JMP 000000010024002d .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\syswow64\WS2_32.dll!getpeername 0000000075827147 5 bytes JMP 00000001002400bd .text C:\Program Files (x86)\tuto4pc_pl_31\tuto4pc_pl_31.exe[3476] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007582cc3f 5 bytes JMP 000000010024005d .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007731fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007731fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007731fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077320038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077321920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007733c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077341287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW 
+ 112 000000007509a2ba 1 byte [62] .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000768bf0e6 5 bytes JMP 00000001001401f8 .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000768c3907 5 bytes JMP 00000001001403fc .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000768c8364 5 bytes JMP 0000000100140600 .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000768d06b3 5 bytes JMP 0000000100140804 .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000768e0efc 5 bytes JMP 0000000100140a08 .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074e35181 5 bytes JMP 0000000100151014 .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074e35254 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074e353d5 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074e354c2 5 bytes JMP 0000000100150c0c .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074e355e2 5 bytes JMP 0000000100150e10 .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074e3567c 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074e3589f 5 bytes JMP 00000001001503fc 
.text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074e35a22 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\syswow64\WS2_32.dll!getsockname 00000000758230af 5 bytes JMP 000000010038008d .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\syswow64\WS2_32.dll!connect 0000000075826bdd 5 bytes JMP 000000010038002d .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\syswow64\WS2_32.dll!getpeername 0000000075827147 5 bytes JMP 00000001003800bd .text C:\Program Files (x86)\tuto4pc_pl_32\tuto4pc_pl_32.exe[3520] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007582cc3f 5 bytes JMP 000000010038005d .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007731fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007731fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007731fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077320038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077321920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007733c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077341287 5 bytes JMP 00000001000303fc .text C:\Program 
Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007509a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074e35181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074e35254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074e353d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074e354c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074e355e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074e3567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074e3589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074e35a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000768bf0e6 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000768c3907 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] 
C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000768c8364 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000768d06b3 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3664] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000768e0efc 5 bytes JMP 0000000100260a08 .text C:\Windows\System32\svchost.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077143b10 5 bytes JMP 00000001001e075c .text C:\Windows\System32\svchost.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077147ac0 5 bytes JMP 00000001001e03a4 .text C:\Windows\System32\svchost.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077171430 5 bytes JMP 00000001001e0b14 .text C:\Windows\System32\svchost.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077171490 5 bytes JMP 00000001001e0ecc .text C:\Windows\System32\svchost.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077171570 5 bytes JMP 00000001001e163c .text C:\Windows\System32\svchost.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771717b0 5 bytes JMP 00000001001e1284 .text C:\Windows\System32\svchost.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771727e0 5 bytes JMP 00000001001e19f4 .text C:\Windows\System32\svchost.exe[3544] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefecd6e00 5 bytes JMP 000007ff7ecf1dac .text C:\Windows\System32\svchost.exe[3544] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefecd6f2c 5 bytes JMP 000007ff7ecf0ecc .text C:\Windows\System32\svchost.exe[3544] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefecd7220 5 bytes JMP 000007ff7ecf1284 .text C:\Windows\System32\svchost.exe[3544] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefecd739c 5 bytes JMP 000007ff7ecf163c .text 
C:\Windows\System32\svchost.exe[3544] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefecd7538 5 bytes JMP 000007ff7ecf19f4 .text C:\Windows\System32\svchost.exe[3544] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefecd75e8 5 bytes JMP 000007ff7ecf03a4 .text C:\Windows\System32\svchost.exe[3544] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefecd790c 5 bytes JMP 000007ff7ecf075c .text C:\Windows\System32\svchost.exe[3544] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefecd7ab4 5 bytes JMP 000007ff7ecf0b14 .text C:\Windows\System32\svchost.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077143b10 5 bytes JMP 000000010026075c .text C:\Windows\System32\svchost.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077147ac0 5 bytes JMP 00000001002603a4 .text C:\Windows\System32\svchost.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077171430 5 bytes JMP 0000000100260b14 .text C:\Windows\System32\svchost.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077171490 5 bytes JMP 0000000100260ecc .text C:\Windows\System32\svchost.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077171570 5 bytes JMP 000000010026163c .text C:\Windows\System32\svchost.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771717b0 5 bytes JMP 0000000100261284 .text C:\Windows\System32\svchost.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771727e0 5 bytes JMP 00000001002619f4 .text C:\Windows\System32\svchost.exe[3188] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007705eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[3188] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefecd6e00 5 bytes JMP 000007ff7ecf1dac .text C:\Windows\System32\svchost.exe[3188] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefecd6f2c 5 bytes JMP 000007ff7ecf0ecc .text C:\Windows\System32\svchost.exe[3188] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefecd7220 5 bytes JMP 000007ff7ecf1284 .text C:\Windows\System32\svchost.exe[3188] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefecd739c 5 bytes JMP 000007ff7ecf163c .text C:\Windows\System32\svchost.exe[3188] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefecd7538 5 bytes JMP 000007ff7ecf19f4 .text C:\Windows\System32\svchost.exe[3188] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefecd75e8 5 bytes JMP 000007ff7ecf03a4 .text C:\Windows\System32\svchost.exe[3188] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefecd790c 5 bytes JMP 000007ff7ecf075c .text C:\Windows\System32\svchost.exe[3188] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefecd7ab4 5 bytes JMP 000007ff7ecf0b14 .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007731fac0 5 bytes JMP 0000000100030600 .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007731fb58 5 bytes JMP 0000000100030804 .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007731fcb0 5 bytes JMP 0000000100030c0c .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077320038 5 bytes JMP 0000000100030a08 .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077321920 5 bytes JMP 0000000100030e10 .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007733c4dd 5 bytes JMP 00000001000301f8 .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077341287 5 bytes JMP 00000001000303fc .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007509a2ba 1 byte [62] .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] 
C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074e35181 5 bytes JMP 0000000100251014 .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074e35254 5 bytes JMP 0000000100250804 .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074e353d5 5 bytes JMP 0000000100250a08 .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074e354c2 5 bytes JMP 0000000100250c0c .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074e355e2 5 bytes JMP 0000000100250e10 .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074e3567c 5 bytes JMP 00000001002501f8 .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074e3589f 5 bytes JMP 00000001002503fc .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074e35a22 5 bytes JMP 0000000100250600 .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000768bf0e6 5 bytes JMP 00000001002601f8 .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000768c3907 5 bytes JMP 00000001002603fc .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000768c8364 5 bytes JMP 0000000100260600 .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000768d06b3 5 bytes JMP 0000000100260804 .text C:\Users\agata\Desktop\0t7l4j6u.exe[4752] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000768e0efc 5 bytes JMP 0000000100260a08 ---- Threads - GMER 2.1 ---- Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2700:2980] 0000000077353e85 Thread 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2700:2996] 0000000074e37587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2700:2984] 00000000723a7712 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2700:2868] 0000000077352e65 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2700:2292] 0000000074e7d864 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2700:3084] 0000000077353e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2700:3712] 0000000077353e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2700:3968] 0000000077357151 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4508:4520] 0000000077352e65 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4508:4524] 0000000077353e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4508:4528] 0000000077353e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4508:4532] 0000000074e7d864 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4508:4540] 000000006ee06a0f Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4508:4544] 000000006ee805e5 ---- Processes - GMER 2.1 ---- Process C:\Users\agata\AppData\Local\majtuto4pc_pl_9\supmajt4pc_pl_9.exe (*** suspicious ***) @ C:\Users\agata\AppData\Local\majtuto4pc_pl_9\supmajt4pc_pl_9.exe [1820](2013-05-22 08:39:54) 0000000000330000 Process C:\Users\agata\AppData\Local\tuto4pc_pl_12\supt4pc_pl_12.exe (*** suspicious ***) @ C:\Users\agata\AppData\Local\tuto4pc_pl_12\supt4pc_pl_12.exe [1888](2013-07-25 18:27:10) 00000000008c0000 Library C:\Users\agata\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1692] (GG drive menu/GG Network S.A.)(201 000000005ff80000 Process C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe (*** suspicious ***) @ C:\Users\agata\AppData\Local\tuto4pc_pl_8\upt4pc_pl_8.exe 
[2232](2013-05-08 10:34:23) 0000000000120000 Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{973EBE58-870A-48E4-9FAE-F9DF09B7E1A4}\mpengine.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [3188] 000007feed850000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 196 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 1484562 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition3\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 196 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 1484562 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition3\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. ---- EOF - GMER 2.1 ----