GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-08-02 18:32:46 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3160212ACE rev.3.ACB Running: mukttd7d.exe; Driver: C:\DOCUME~1\Karol\USTAWI~1\Temp\axroykog.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xB19A7DF8] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xB1A34A5A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xB19A885E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xB19D4D5D] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xB19AD2E4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xB19AD330] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xB19AD422] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xB19D4711] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xB19AD252] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xB19AD374] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xB19AD29A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xB19AD3DC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xB19A7E44] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xB19D5423] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xB19D56D9] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xB19AA9A8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xB19D528E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xB19D50F9] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xB1A34B34] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xB19A7AD6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xB19A7E90] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xB19AAD1C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xB19A8B02] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xB19AD30E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xB19AD352] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xB19AD446] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xB19D4A6D] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xB19AD278] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xB19AA518] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xB19AD3AE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xB19AD2C2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xB19AA74C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xB19AD400] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xB1A34CA0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xB19D4F74] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xB19A89CE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xB19D4DC6] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xB1A3EB68] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xB19D3D84] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xB19A7EDC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xB19A7F28] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xB19A7B46] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xB19A7CEA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xB19D552A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xB19A7C92] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xB19A7D5A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0xB1A34D60] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xB19A7F74] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0xB1A34BE0] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB1A4AD92] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- PAGE ntoskrnl.exe!ObInsertObject 8056513A 5 Bytes JMP B1A4974C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056BB88 4 Bytes CALL B19A919F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntoskrnl.exe!ZwCreateProcessEx 8058304C 7 Bytes JMP B1A4AD96 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059EA53 5 Bytes JMP B1A47C8C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) .text win32k.sys!EngFreeUserMem + 674 BF809912 5 Bytes JMP B19AC180 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngFreeUserMem + 35D0 BF80C86E 5 Bytes JMP B19AC07C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngDeleteSurface + 45 BF813906 5 Bytes JMP B19AC036 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!BRUSHOBJ_pvAllocRbrush + 322E BF81E5CB 5 Bytes JMP B19AAE66 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngMulDiv + 197D BF820CD8 5 Bytes JMP B19AB724 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngPaint + 11A6 BF82D4D6 5 Bytes JMP B19AAF84 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngLockSurface + C09 BF82E654 5 Bytes JMP B19AC2EA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngUnmapFontFileFD + 654A BF83D8CB 5 Bytes JMP B19AC4F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngUnmapFontFileFD + BEF8 BF843279 5 Bytes JMP B19ABF3C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngUnmapFontFileFD + DB9A BF844F1B 5 Bytes JMP B19AAFF4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!FONTOBJ_pxoGetXform + B0EC BF864FD0 5 Bytes JMP B19AB70C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XLATEOBJ_iXlate + 350F BF87011D 5 Bytes JMP B19AB7E6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XLATEOBJ_iXlate + 5807 BF872415 5 Bytes JMP B19AB384 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XLATEOBJ_iXlate + 5892 BF8724A0 5 Bytes JMP B19AB562 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XLATEOBJ_iXlate + 646A BF873078 5 Bytes JMP B19AAE4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XLATEOBJ_iXlate + B839 BF878447 5 Bytes JMP B19AC0BA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngUnicodeToMultiByteN + 67E7 BF87F66A 5 Bytes JMP B19AC232 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGetCurrentCodePage + 4138 BF899448 5 Bytes JMP B19AB51C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGetLastError + 1606 BF8B653C 5 Bytes JMP B19AB7FE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGradientFill + 2862 BF8B9C5B 5 Bytes JMP B19AC450 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngAlphaBlend + 1A3D BF8C1C70 5 Bytes JMP B19AB104 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngFillPath + 1517 BF8CA101 5 Bytes JMP B19AB1AC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngFillPath + 1797 BF8CA381 5 Bytes JMP B19AB2E4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngDeleteSemaphore + 3B3E BF8EBD37 5 Bytes JMP B19AAD52 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngDeleteSemaphore + CB3C BF8F4D35 5 Bytes JMP B19AB73C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 1A2D BF91440C 5 Bytes JMP B19AAF22 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 2601 BF914FE0 5 Bytes JMP B19AB0B0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 4F7A BF917959 5 Bytes JMP B19AB67C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngPlgBlt + 193E BF947BDB 5 Bytes JMP B19AC3A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\svchost.exe[392] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\svchost.exe[392] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[392] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\svchost.exe[392] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[392] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\svchost.exe[392] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\svchost.exe[392] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\svchost.exe[392] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\svchost.exe[392] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\svchost.exe[392] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\svchost.exe[392] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\svchost.exe[392] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\svchost.exe[392] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\svchost.exe[392] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\svchost.exe[392] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\svchost.exe[392] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\svchost.exe[392] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC .text C:\WINDOWS\System32\smss.exe[476] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[536] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[536] KERNEL32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[568] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 000701F8 .text C:\WINDOWS\system32\winlogon.exe[568] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[568] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 000703FC .text C:\WINDOWS\system32\winlogon.exe[568] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[568] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\winlogon.exe[568] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\winlogon.exe[568] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\winlogon.exe[568] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\winlogon.exe[568] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\winlogon.exe[568] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\winlogon.exe[568] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\winlogon.exe[568] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\winlogon.exe[568] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\winlogon.exe[568] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\winlogon.exe[568] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\winlogon.exe[568] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\winlogon.exe[568] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\services.exe[612] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\services.exe[612] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\services.exe[612] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\services.exe[612] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text C:\WINDOWS\system32\services.exe[612] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\services.exe[612] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\services.exe[612] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\services.exe[612] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\services.exe[612] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\services.exe[612] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\services.exe[612] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\services.exe[612] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\services.exe[612] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\services.exe[612] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\services.exe[612] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\services.exe[612] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\services.exe[612] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\lsass.exe[624] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\lsass.exe[624] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[624] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\lsass.exe[624] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[624] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\lsass.exe[624] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\lsass.exe[624] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\lsass.exe[624] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\lsass.exe[624] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\lsass.exe[624] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\lsass.exe[624] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\lsass.exe[624] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\lsass.exe[624] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\lsass.exe[624] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\lsass.exe[624] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\lsass.exe[624] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\lsass.exe[624] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\svchost.exe[780] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\svchost.exe[780] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[780] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\svchost.exe[780] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\svchost.exe[780] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\svchost.exe[780] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\svchost.exe[780] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\svchost.exe[780] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\svchost.exe[836] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\svchost.exe[836] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[836] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[836] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\svchost.exe[836] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\svchost.exe[836] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\svchost.exe[836] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\svchost.exe[836] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\svchost.exe[836] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\svchost.exe[836] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\svchost.exe[836] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\svchost.exe[836] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\svchost.exe[836] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\svchost.exe[836] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\svchost.exe[836] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\svchost.exe[836] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC .text C:\WINDOWS\System32\svchost.exe[904] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 000901F8 .text C:\WINDOWS\System32\svchost.exe[904] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[904] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 000903FC .text C:\WINDOWS\System32\svchost.exe[904] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00301014 .text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00300804 .text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00300A08 .text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00300C0C .text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00300E10 .text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003001F8 .text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003003FC .text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00300600 .text C:\WINDOWS\System32\svchost.exe[904] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804 .text C:\WINDOWS\System32\svchost.exe[904] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08 .text C:\WINDOWS\System32\svchost.exe[904] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600 .text C:\WINDOWS\System32\svchost.exe[904] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8 .text C:\WINDOWS\System32\svchost.exe[904] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\svchost.exe[968] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\svchost.exe[968] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[968] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\svchost.exe[968] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\svchost.exe[968] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\svchost.exe[968] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\svchost.exe[968] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\svchost.exe[968] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\svchost.exe[1100] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\svchost.exe[1100] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\svchost.exe[1100] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\svchost.exe[1100] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\svchost.exe[1100] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC .text D:\Pobierane\mukttd7d.exe[1248] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 001501F8 .text D:\Pobierane\mukttd7d.exe[1248] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text D:\Pobierane\mukttd7d.exe[1248] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 001503FC .text D:\Pobierane\mukttd7d.exe[1248] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text D:\Pobierane\mukttd7d.exe[1248] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 009C1014 .text D:\Pobierane\mukttd7d.exe[1248] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 009C0804 .text D:\Pobierane\mukttd7d.exe[1248] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 009C0A08 .text D:\Pobierane\mukttd7d.exe[1248] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 009C0C0C .text D:\Pobierane\mukttd7d.exe[1248] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 009C0E10 .text D:\Pobierane\mukttd7d.exe[1248] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 009C01F8 .text D:\Pobierane\mukttd7d.exe[1248] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 009C03FC .text D:\Pobierane\mukttd7d.exe[1248] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 009C0600 .text D:\Pobierane\mukttd7d.exe[1248] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 009D0804 .text D:\Pobierane\mukttd7d.exe[1248] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 009D0A08 .text D:\Pobierane\mukttd7d.exe[1248] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 009D0600 .text D:\Pobierane\mukttd7d.exe[1248] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 009D01F8 .text D:\Pobierane\mukttd7d.exe[1248] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 009D03FC .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1372] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1372] kernel32.dll!SetUnhandledExceptionFilter 7C844935 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1372] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\avastUI.exe[1512] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\avastUI.exe[1512] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1528] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\spoolsv.exe[1528] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1528] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\spoolsv.exe[1528] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1528] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00301014 .text C:\WINDOWS\system32\spoolsv.exe[1528] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\spoolsv.exe[1528] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\spoolsv.exe[1528] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00300C0C .text C:\WINDOWS\system32\spoolsv.exe[1528] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00300E10 .text C:\WINDOWS\system32\spoolsv.exe[1528] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\spoolsv.exe[1528] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\spoolsv.exe[1528] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\spoolsv.exe[1528] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\spoolsv.exe[1528] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\spoolsv.exe[1528] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\spoolsv.exe[1528] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\spoolsv.exe[1528] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 011FB52A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 001503FC .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 014AB6F5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 014AB6D2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00320804 .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00320A08 .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00320600 .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003201F8 .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003203FC .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 014AB653 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 025A1014 .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 025A0804 .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 025A0A08 .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 025A0C0C .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 025A0E10 .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 025A01F8 .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 025A03FC .text C:\Program Files\Mozilla Firefox\firefox.exe[2172] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 025A0600 .text C:\WINDOWS\System32\alg.exe[2504] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 000901F8 .text C:\WINDOWS\System32\alg.exe[2504] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2504] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 000903FC .text C:\WINDOWS\System32\alg.exe[2504] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2504] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00300804 .text C:\WINDOWS\System32\alg.exe[2504] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00300A08 .text C:\WINDOWS\System32\alg.exe[2504] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00300600 .text C:\WINDOWS\System32\alg.exe[2504] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003001F8 .text C:\WINDOWS\System32\alg.exe[2504] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003003FC .text C:\WINDOWS\System32\alg.exe[2504] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00311014 .text C:\WINDOWS\System32\alg.exe[2504] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00310804 .text C:\WINDOWS\System32\alg.exe[2504] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00310A08 .text C:\WINDOWS\System32\alg.exe[2504] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00310C0C .text C:\WINDOWS\System32\alg.exe[2504] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00310E10 .text C:\WINDOWS\System32\alg.exe[2504] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003101F8 .text C:\WINDOWS\System32\alg.exe[2504] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003103FC .text C:\WINDOWS\System32\alg.exe[2504] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00310600 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[3208] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 001501F8 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[3208] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[3208] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 001503FC .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[3208] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[3208] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 003E1014 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[3208] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 003E0804 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[3208] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 003E0A08 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[3208] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 003E0C0C .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[3208] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 003E0E10 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[3208] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003E01F8 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[3208] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003E03FC .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[3208] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 003E0600 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[3208] user32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 006C0804 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[3208] user32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 006C0A08 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[3208] user32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 006C0600 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[3208] user32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 006C01F8 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[3208] user32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 006C03FC .text C:\WINDOWS\explorer.exe[3820] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 000901F8 .text C:\WINDOWS\explorer.exe[3820] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\explorer.exe[3820] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 000903FC .text C:\WINDOWS\explorer.exe[3820] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text C:\WINDOWS\explorer.exe[3820] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00381014 .text C:\WINDOWS\explorer.exe[3820] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00380804 .text C:\WINDOWS\explorer.exe[3820] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00380A08 .text C:\WINDOWS\explorer.exe[3820] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00380C0C .text C:\WINDOWS\explorer.exe[3820] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00380E10 .text C:\WINDOWS\explorer.exe[3820] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003801F8 .text C:\WINDOWS\explorer.exe[3820] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003803FC .text C:\WINDOWS\explorer.exe[3820] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00380600 .text C:\WINDOWS\explorer.exe[3820] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00390804 .text C:\WINDOWS\explorer.exe[3820] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00390A08 .text C:\WINDOWS\explorer.exe[3820] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00390600 .text C:\WINDOWS\explorer.exe[3820] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003901F8 .text C:\WINDOWS\explorer.exe[3820] USER32.dll!UnhookWinEvent 7E3818AC 3 Bytes JMP 003903FC .text C:\WINDOWS\explorer.exe[3820] USER32.dll!UnhookWinEvent + 4 7E3818B0 1 Byte [82] .text D:\Pobierane\OTL.exe[3892] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 001501F8 .text D:\Pobierane\OTL.exe[3892] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text D:\Pobierane\OTL.exe[3892] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 001503FC .text D:\Pobierane\OTL.exe[3892] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text D:\Pobierane\OTL.exe[3892] user32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 01020804 .text D:\Pobierane\OTL.exe[3892] user32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 01020A08 .text D:\Pobierane\OTL.exe[3892] user32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 01020600 .text D:\Pobierane\OTL.exe[3892] user32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 010201F8 .text D:\Pobierane\OTL.exe[3892] user32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 010203FC .text D:\Pobierane\OTL.exe[3892] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00EF1014 .text D:\Pobierane\OTL.exe[3892] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00EF0804 .text D:\Pobierane\OTL.exe[3892] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00EF0A08 .text D:\Pobierane\OTL.exe[3892] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00EF0C0C .text D:\Pobierane\OTL.exe[3892] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00EF0E10 .text D:\Pobierane\OTL.exe[3892] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 00EF01F8 .text D:\Pobierane\OTL.exe[3892] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00EF03FC .text D:\Pobierane\OTL.exe[3892] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00EF0600 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 001501F8 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 001503FC .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00811014 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00810804 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00810A08 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00810C0C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00810E10 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 008101F8 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 008103FC .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00810600 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00820804 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] USER32.dll!DefWindowProcA + 11A 7E37C298 7 Bytes JMP 1067C453 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] USER32.dll!SetWindowLongA + 19 7E37C2B6 7 Bytes JMP 1067C3E2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 1043BACC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00820A08 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00820600 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 008201F8 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 008203FC .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4040] USER32.dll!GetMenuContextHelpId + 1A 7E3B5319 7 Bytes JMP 1043C0F9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00630002 IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00630000 IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1372] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Program Files\AVAST Software\Avast\avastUI.exe[1512] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software) Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 BTOWSVF.sys (Toolwiz TimeFreeze/Toolwiz.com) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 BTOWSVF.sys (Toolwiz TimeFreeze/Toolwiz.com) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 BTOWSVF.sys (Toolwiz TimeFreeze/Toolwiz.com) AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software) ---- Files - GMER 1.0.15 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-1993962763-1563985344-1606980848-1003 0 bytes File C:\avast! sandbox\S-1-5-21-1993962763-1563985344-1606980848-1003\webStorage 0 bytes File C:\avast! sandbox\S-1-5-21-1993962763-1563985344-1606980848-1003\webStorage\C 0 bytes File C:\avast! sandbox\S-1-5-21-1993962763-1563985344-1606980848-1003\webStorage\snx_fs.dat 180 bytes File C:\avast! sandbox\snx_rhive 262144 bytes File C:\avast! sandbox\snx_rhive.LOG 1024 bytes ---- EOF - GMER 1.0.15 ----