GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-09-13 11:23:41 Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHT2040AT rev.0022 Running: gmer.exe; Driver: C:\DOCUME~1\WACICI~1\USTAWI~1\Temp\kwpdrpod.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xEE896DF8] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xEE923A5A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xEE89785E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xEE8C3D5D] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xEE89C2E4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xEE89C330] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xEE89C422] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xEE8C3711] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xEE89C252] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xEE89C374] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xEE89C29A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xEE89C3DC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xEE896E44] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xEE8C4423] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xEE8C46D9] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xEE8999A8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xEE8C428E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xEE8C40F9] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xEE923B34] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xEE896AD6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xEE896E90] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xEE899D1C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xEE897B02] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xEE89C30E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xEE89C352] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xEE89C446] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xEE8C3A6D] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xEE89C278] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xEE899518] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xEE89C3AE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xEE89C2C2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xEE89974C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xEE89C400] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xEE923CA0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xEE8C3F74] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xEE8979CE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xEE8C3DC6] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xEE92DB68] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xEE8C2D84] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xEE896EDC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xEE896F28] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xEE896B46] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xEE896CEA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xEE8C452A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xEE896C92] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xEE896D5A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0xEE923D60] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xEE896F74] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0xEE923BE0] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xEE939D92] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- PAGE ntoskrnl.exe!ObInsertObject 805648A3 5 Bytes JMP EE93874C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056A5DC 4 Bytes CALL EE89819F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntoskrnl.exe!ZwCreateProcessEx 805885D3 7 Bytes JMP EE939D96 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntoskrnl.exe!ObMakeTemporaryObject 805A2BF9 5 Bytes JMP EE936C8C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) init C:\WINDOWS\system32\drivers\o2mmb.sys entry point in "init" section [0xF7258320] .text win32k.sys!EngFreeUserMem + 674 BF80BA4F 5 Bytes JMP EE89B180 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngFreeUserMem + E5A BF80C235 5 Bytes JMP EE89B07C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngDeleteSurface + 45 BF810175 5 Bytes JMP EE89B036 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!BRUSHOBJ_pvAllocRbrush + 11D0 BF81C0A3 5 Bytes JMP EE89A724 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngBitBlt + 92C BF827A40 5 Bytes JMP EE899F84 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngUnmapFontFileFD + D80 BF83331E 5 Bytes JMP EE89B2EA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngUnmapFontFileFD + 7717 BF839CB5 5 Bytes JMP EE89B4F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngUnmapFontFileFD + 112EA BF843888 5 Bytes JMP EE899E66 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngMulDiv + 5509 BF849B03 5 Bytes JMP EE89A104 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngMulDiv + 6882 BF84AE7C 5 Bytes JMP EE89A70C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngTextOut + 1437 BF854BF4 5 Bytes JMP EE89AF3C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngFillPath + 1036 BF857AD0 5 Bytes JMP EE89B232 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngStrokePath + 62A3 BF87FFC9 5 Bytes JMP EE89A384 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngStrokePath + 632C BF880052 5 Bytes JMP EE89A562 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngStrokePath + 70B0 BF880DD6 5 Bytes JMP EE899E4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngStrokePath + 77A9 BF8814CF 5 Bytes JMP EE89A73C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreatePalette + 245E BF884C65 5 Bytes JMP EE89B450 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!BRUSHOBJ_hGetColorTransform + AFDD BF89F83F 5 Bytes JMP EE89A51C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGetLastError + 1606 BF8BCD44 5 Bytes JMP EE89A7FE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGradientFill + 4E4C BF8CEEE3 5 Bytes JMP EE899D52 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_bCloseFigure + A434 BF8DAA77 5 Bytes JMP EE89B0BA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!FONTOBJ_pxoGetXform + 77D BF8FAF04 5 Bytes JMP EE899FF4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngAlphaBlend + 4768 BF907C6D 5 Bytes JMP EE89A7E6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_vGetBounds + 58C BF908B12 5 Bytes JMP EE89A1AC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_vGetBounds + 80C BF908D92 5 Bytes JMP EE89A2E4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 1993 BF911AD9 5 Bytes JMP EE899F22 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 2567 BF9126AD 5 Bytes JMP EE89A0B0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 4EC1 BF915007 5 Bytes JMP EE89A67C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngPlgBlt + 191E BF94290C 5 Bytes JMP EE89B3A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\System32\alg.exe[144] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8 .text C:\WINDOWS\System32\alg.exe[144] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[144] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC .text C:\WINDOWS\System32\alg.exe[144] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[144] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 002F01F8 .text C:\WINDOWS\System32\alg.exe[144] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 002F03FC .text C:\WINDOWS\System32\alg.exe[144] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 002F0804 .text C:\WINDOWS\System32\alg.exe[144] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 002F0A08 .text C:\WINDOWS\System32\alg.exe[144] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 002F0600 .text C:\WINDOWS\System32\alg.exe[144] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 00301014 .text C:\WINDOWS\System32\alg.exe[144] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 00300804 .text C:\WINDOWS\System32\alg.exe[144] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 00300A08 .text C:\WINDOWS\System32\alg.exe[144] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 00300C0C .text C:\WINDOWS\System32\alg.exe[144] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 00300E10 .text C:\WINDOWS\System32\alg.exe[144] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 003001F8 .text C:\WINDOWS\System32\alg.exe[144] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 003003FC .text C:\WINDOWS\System32\alg.exe[144] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\wscntfy.exe[204] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\wscntfy.exe[204] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[204] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\wscntfy.exe[204] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[204] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\wscntfy.exe[204] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\wscntfy.exe[204] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00310804 .text C:\WINDOWS\system32\wscntfy.exe[204] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00310A08 .text C:\WINDOWS\system32\wscntfy.exe[204] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\wscntfy.exe[204] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 00321014 .text C:\WINDOWS\system32\wscntfy.exe[204] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 00320804 .text C:\WINDOWS\system32\wscntfy.exe[204] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 00320A08 .text C:\WINDOWS\system32\wscntfy.exe[204] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 00320C0C .text C:\WINDOWS\system32\wscntfy.exe[204] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 00320E10 .text C:\WINDOWS\system32\wscntfy.exe[204] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 003201F8 .text C:\WINDOWS\system32\wscntfy.exe[204] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 003203FC .text C:\WINDOWS\system32\wscntfy.exe[204] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 00320600 .text C:\Program Files\Alwil Software\Avast5\avastUI.exe[392] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Program Files\Alwil Software\Avast5\avastUI.exe[392] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[400] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[400] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[400] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[400] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[400] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 002F1014 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[400] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 002F0804 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[400] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 002F0A08 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[400] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 002F0C0C .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[400] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 002F0E10 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[400] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 002F01F8 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[400] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 002F03FC .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[400] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 002F0600 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[400] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[400] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[400] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[400] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[400] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\ctfmon.exe[444] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000A01F8 .text C:\WINDOWS\system32\ctfmon.exe[444] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[444] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000A03FC .text C:\WINDOWS\system32\ctfmon.exe[444] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[444] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 00371014 .text C:\WINDOWS\system32\ctfmon.exe[444] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 00370804 .text C:\WINDOWS\system32\ctfmon.exe[444] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 00370A08 .text C:\WINDOWS\system32\ctfmon.exe[444] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 00370C0C .text C:\WINDOWS\system32\ctfmon.exe[444] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 00370E10 .text C:\WINDOWS\system32\ctfmon.exe[444] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 003701F8 .text C:\WINDOWS\system32\ctfmon.exe[444] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 003703FC .text C:\WINDOWS\system32\ctfmon.exe[444] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 00370600 .text C:\WINDOWS\system32\ctfmon.exe[444] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003801F8 .text C:\WINDOWS\system32\ctfmon.exe[444] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003803FC .text C:\WINDOWS\system32\ctfmon.exe[444] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00380804 .text C:\WINDOWS\system32\ctfmon.exe[444] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00380A08 .text C:\WINDOWS\system32\ctfmon.exe[444] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00380600 .text C:\WINDOWS\System32\smss.exe[672] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[724] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[724] KERNEL32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[748] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000701F8 .text C:\WINDOWS\system32\winlogon.exe[748] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[748] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000703FC .text C:\WINDOWS\system32\winlogon.exe[748] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[748] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 002F1014 .text C:\WINDOWS\system32\winlogon.exe[748] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 002F0804 .text C:\WINDOWS\system32\winlogon.exe[748] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 002F0A08 .text C:\WINDOWS\system32\winlogon.exe[748] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 002F0C0C .text C:\WINDOWS\system32\winlogon.exe[748] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 002F0E10 .text C:\WINDOWS\system32\winlogon.exe[748] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 002F01F8 .text C:\WINDOWS\system32\winlogon.exe[748] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 002F03FC .text C:\WINDOWS\system32\winlogon.exe[748] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 002F0600 .text C:\WINDOWS\system32\winlogon.exe[748] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\winlogon.exe[748] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\winlogon.exe[748] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\winlogon.exe[748] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\winlogon.exe[748] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\services.exe[792] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\services.exe[792] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\services.exe[792] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\services.exe[792] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 002F1014 .text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 002F0804 .text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 002F0A08 .text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 002F0C0C .text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 002F0E10 .text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 002F01F8 .text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 002F03FC .text C:\WINDOWS\system32\services.exe[792] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 002F0600 .text C:\WINDOWS\system32\services.exe[792] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\services.exe[792] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\services.exe[792] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\services.exe[792] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\services.exe[792] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\lsass.exe[804] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\lsass.exe[804] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[804] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\lsass.exe[804] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 002F1014 .text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 002F0804 .text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 002F0A08 .text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 002F0C0C .text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 002F0E10 .text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 002F01F8 .text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 002F03FC .text C:\WINDOWS\system32\lsass.exe[804] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 002F0600 .text C:\WINDOWS\system32\lsass.exe[804] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\lsass.exe[804] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\lsass.exe[804] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\lsass.exe[804] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\lsass.exe[804] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\svchost.exe[948] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\svchost.exe[948] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[948] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 002F1014 .text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 002F0804 .text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 002F0A08 .text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 002F0C0C .text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 002F0E10 .text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 002F01F8 .text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 002F03FC .text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 002F0600 .text C:\WINDOWS\system32\svchost.exe[948] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\svchost.exe[948] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\svchost.exe[948] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\svchost.exe[948] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\svchost.exe[948] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 002F1014 .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 002F0804 .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 002F0A08 .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 002F0C0C .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 002F0E10 .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 002F01F8 .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 002F03FC .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 002F0600 .text C:\WINDOWS\system32\svchost.exe[1032] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\svchost.exe[1032] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\svchost.exe[1032] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\svchost.exe[1032] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\svchost.exe[1032] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600 .text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8 .text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC .text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 002F1014 .text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 002F0804 .text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 002F0A08 .text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 002F0C0C .text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 002F0E10 .text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 002F01F8 .text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 002F03FC .text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 002F0600 .text C:\WINDOWS\System32\svchost.exe[1072] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8 .text C:\WINDOWS\System32\svchost.exe[1072] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC .text C:\WINDOWS\System32\svchost.exe[1072] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804 .text C:\WINDOWS\System32\svchost.exe[1072] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08 .text C:\WINDOWS\System32\svchost.exe[1072] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600 .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1092] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000801F8 .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1092] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1092] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000803FC .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1092] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1092] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8 .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1092] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1092] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804 .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1092] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08 .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1092] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600 .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1092] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 00311014 .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1092] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 00310804 .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1092] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 00310A08 .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1092] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 00310C0C .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1092] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 00310E10 .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1092] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 003101F8 .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1092] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 003103FC .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1092] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 00310600 .text C:\WINDOWS\system32\svchost.exe[1236] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\svchost.exe[1236] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1236] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 002F1014 .text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 002F0804 .text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 002F0A08 .text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 002F0C0C .text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 002F0E10 .text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 002F01F8 .text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 002F03FC .text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 002F0600 .text C:\WINDOWS\system32\svchost.exe[1236] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\svchost.exe[1236] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\svchost.exe[1236] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\svchost.exe[1236] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\svchost.exe[1236] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\svchost.exe[1312] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\svchost.exe[1312] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1312] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 002F1014 .text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 002F0804 .text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 002F0A08 .text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 002F0C0C .text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 002F0E10 .text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 002F01F8 .text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 002F03FC .text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 002F0600 .text C:\WINDOWS\system32\svchost.exe[1312] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\svchost.exe[1312] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\svchost.exe[1312] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\svchost.exe[1312] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\svchost.exe[1312] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1376] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1376] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1376] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1376] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1376] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 002F1014 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1376] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 002F0804 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1376] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 002F0A08 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1376] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 002F0C0C .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1376] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 002F0E10 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1376] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 002F01F8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1376] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 002F03FC .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1376] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 002F0600 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1376] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1376] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1376] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1376] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1376] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600 .text C:\WINDOWS\Explorer.EXE[1384] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8 .text C:\WINDOWS\Explorer.EXE[1384] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[1384] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC .text C:\WINDOWS\Explorer.EXE[1384] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[1384] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 00301014 .text C:\WINDOWS\Explorer.EXE[1384] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 00300804 .text C:\WINDOWS\Explorer.EXE[1384] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 00300A08 .text C:\WINDOWS\Explorer.EXE[1384] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 00300C0C .text C:\WINDOWS\Explorer.EXE[1384] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 00300E10 .text C:\WINDOWS\Explorer.EXE[1384] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 003001F8 .text C:\WINDOWS\Explorer.EXE[1384] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 003003FC .text C:\WINDOWS\Explorer.EXE[1384] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 00300600 .text C:\WINDOWS\Explorer.EXE[1384] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003101F8 .text C:\WINDOWS\Explorer.EXE[1384] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003103FC .text C:\WINDOWS\Explorer.EXE[1384] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00310804 .text C:\WINDOWS\Explorer.EXE[1384] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00310A08 .text C:\WINDOWS\Explorer.EXE[1384] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00310600 .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1532] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1532] kernel32.dll!SetUnhandledExceptionFilter 7C810386 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1532] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1588] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\spoolsv.exe[1588] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1588] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\spoolsv.exe[1588] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1588] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 002F1014 .text C:\WINDOWS\system32\spoolsv.exe[1588] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 002F0804 .text C:\WINDOWS\system32\spoolsv.exe[1588] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 002F0A08 .text C:\WINDOWS\system32\spoolsv.exe[1588] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 002F0C0C .text C:\WINDOWS\system32\spoolsv.exe[1588] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 002F0E10 .text C:\WINDOWS\system32\spoolsv.exe[1588] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 002F01F8 .text C:\WINDOWS\system32\spoolsv.exe[1588] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 002F03FC .text C:\WINDOWS\system32\spoolsv.exe[1588] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 002F0600 .text C:\WINDOWS\system32\spoolsv.exe[1588] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\spoolsv.exe[1588] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\spoolsv.exe[1588] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\spoolsv.exe[1588] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\spoolsv.exe[1588] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600 .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8 .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 003D1014 .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 003D0804 .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 003D0A08 .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 003D0C0C .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 003D0E10 .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 003D01F8 .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 003D03FC .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 003D0600 .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003E01F8 .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003E03FC .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 003E0804 .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 003E0A08 .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 003E0600 .text C:\WINDOWS\system32\svchost.exe[1744] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8 .text C:\WINDOWS\system32\svchost.exe[1744] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1744] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC .text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 002F1014 .text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 002F0804 .text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 002F0A08 .text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 002F0C0C .text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 002F0E10 .text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 002F01F8 .text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 002F03FC .text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 002F0600 .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804 .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08 .text C:\WINDOWS\system32\svchost.exe[1744] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600 .text C:\WINDOWS\system32\wuauclt.exe[1960] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000A01F8 .text C:\WINDOWS\system32\wuauclt.exe[1960] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\system32\wuauclt.exe[1960] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000A03FC .text C:\WINDOWS\system32\wuauclt.exe[1960] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\system32\wuauclt.exe[1960] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003701F8 .text C:\WINDOWS\system32\wuauclt.exe[1960] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003703FC .text C:\WINDOWS\system32\wuauclt.exe[1960] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00370804 .text C:\WINDOWS\system32\wuauclt.exe[1960] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00370A08 .text C:\WINDOWS\system32\wuauclt.exe[1960] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00370600 .text C:\WINDOWS\system32\wuauclt.exe[1960] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 00381014 .text C:\WINDOWS\system32\wuauclt.exe[1960] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 00380804 .text C:\WINDOWS\system32\wuauclt.exe[1960] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 00380A08 .text C:\WINDOWS\system32\wuauclt.exe[1960] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 00380C0C .text C:\WINDOWS\system32\wuauclt.exe[1960] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 00380E10 .text C:\WINDOWS\system32\wuauclt.exe[1960] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 003801F8 .text C:\WINDOWS\system32\wuauclt.exe[1960] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 003803FC .text C:\WINDOWS\system32\wuauclt.exe[1960] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 00380600 .text C:\Documents and Settings\Właściciel\Moje dokumenty\Downloads\gmer\gmer.exe[2376] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001601F8 .text C:\Documents and Settings\Właściciel\Moje dokumenty\Downloads\gmer\gmer.exe[2376] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\Documents and Settings\Właściciel\Moje dokumenty\Downloads\gmer\gmer.exe[2376] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001603FC .text C:\Documents and Settings\Właściciel\Moje dokumenty\Downloads\gmer\gmer.exe[2376] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\Documents and Settings\Właściciel\Moje dokumenty\Downloads\gmer\gmer.exe[2376] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 3 Bytes JMP 009B1014 .text C:\Documents and Settings\Właściciel\Moje dokumenty\Downloads\gmer\gmer.exe[2376] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E26BE5 1 Byte [88] .text C:\Documents and Settings\Właściciel\Moje dokumenty\Downloads\gmer\gmer.exe[2376] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 009B0804 .text C:\Documents and Settings\Właściciel\Moje dokumenty\Downloads\gmer\gmer.exe[2376] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 009B0A08 .text C:\Documents and Settings\Właściciel\Moje dokumenty\Downloads\gmer\gmer.exe[2376] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 009B0C0C .text C:\Documents and Settings\Właściciel\Moje dokumenty\Downloads\gmer\gmer.exe[2376] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 009B0E10 .text C:\Documents and Settings\Właściciel\Moje dokumenty\Downloads\gmer\gmer.exe[2376] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 009B01F8 .text C:\Documents and Settings\Właściciel\Moje dokumenty\Downloads\gmer\gmer.exe[2376] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 009B03FC .text C:\Documents and Settings\Właściciel\Moje dokumenty\Downloads\gmer\gmer.exe[2376] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 009B0600 .text C:\Documents and Settings\Właściciel\Moje dokumenty\Downloads\gmer\gmer.exe[2376] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 00AC01F8 .text C:\Documents and Settings\Właściciel\Moje dokumenty\Downloads\gmer\gmer.exe[2376] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 00AC03FC .text C:\Documents and Settings\Właściciel\Moje dokumenty\Downloads\gmer\gmer.exe[2376] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00AC0804 .text C:\Documents and Settings\Właściciel\Moje dokumenty\Downloads\gmer\gmer.exe[2376] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00AC0A08 .text C:\Documents and Settings\Właściciel\Moje dokumenty\Downloads\gmer\gmer.exe[2376] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00AC0600 .text C:\WINDOWS\System32\svchost.exe[3232] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8 .text C:\WINDOWS\System32\svchost.exe[3232] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[3232] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC .text C:\WINDOWS\System32\svchost.exe[3232] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[3232] ADVAPI32.dll!SetServiceObjectSecurity 77E26BE1 5 Bytes JMP 002F1014 .text C:\WINDOWS\System32\svchost.exe[3232] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 5 Bytes JMP 002F0804 .text C:\WINDOWS\System32\svchost.exe[3232] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 5 Bytes JMP 002F0A08 .text C:\WINDOWS\System32\svchost.exe[3232] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 5 Bytes JMP 002F0C0C .text C:\WINDOWS\System32\svchost.exe[3232] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 5 Bytes JMP 002F0E10 .text C:\WINDOWS\System32\svchost.exe[3232] ADVAPI32.dll!CreateServiceA 77E27071 5 Bytes JMP 002F01F8 .text C:\WINDOWS\System32\svchost.exe[3232] ADVAPI32.dll!CreateServiceW 77E27209 5 Bytes JMP 002F03FC .text C:\WINDOWS\System32\svchost.exe[3232] ADVAPI32.dll!DeleteService 77E27311 5 Bytes JMP 002F0600 .text C:\WINDOWS\System32\svchost.exe[3232] USER32.dll!SetWinEventHook 77D5E3D3 5 Bytes JMP 003001F8 .text C:\WINDOWS\System32\svchost.exe[3232] USER32.dll!UnhookWinEvent 77D5E544 5 Bytes JMP 003003FC .text C:\WINDOWS\System32\svchost.exe[3232] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00300804 .text C:\WINDOWS\System32\svchost.exe[3232] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00300A08 .text C:\WINDOWS\System32\svchost.exe[3232] USER32.dll!SetWindowsHookExA 77D602B2 5 Bytes JMP 00300600 ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Program Files\Alwil Software\Avast5\avastUI.exe[392] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6A0] C:\Program Files\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\WINDOWS\system32\services.exe[792] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00620002 IAT C:\WINDOWS\system32\services.exe[792] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00620000 IAT C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1532] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6A0] C:\Program Files\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software) AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x62 0x22 0x95 0x80 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x62 0x22 0x95 0x80 ... ---- EOF - GMER 1.0.15 ----