GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-13 13:57:12
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10EZEX-22RKKA0 rev.80.00A80 931,51GB
Running: 3y6ej5pd.exe; Driver: C:\Users\user\AppData\Local\Temp\aftcaaob.sys


---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\wininit.exe[652] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                               00000000776beecd 1 byte [62]
.text  C:\Windows\system32\services.exe[720] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                              00000000776beecd 1 byte [62]
.text  C:\Windows\system32\winlogon.exe[752] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                              00000000776beecd 1 byte [62]
.text  C:\Windows\system32\svchost.exe[888] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                               00000000776beecd 1 byte [62]
.text  C:\Windows\system32\nvvsvc.exe[968] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                00000000776beecd 1 byte [62]
.text  C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[992] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                           0000000076e2a2ba 1 byte [62]
.text  C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[992] C:\Windows\syswow64\USER32.dll!DialogBoxParamW                                                  0000000076b5cfca 5 bytes JMP 00000001750646b0
.text  C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                         00000000770f1465 2 bytes [0F, 77]
.text  C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                        00000000770f14bb 2 bytes [0F, 77]
.text  ...                                                                                                                                                                      * 2
.text  C:\Windows\System32\svchost.exe[600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                               00000000776beecd 1 byte [62]
.text  C:\Windows\System32\svchost.exe[840] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                               00000000776beecd 1 byte [62]
.text  C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                              00000000776beecd 1 byte [62]
.text  C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                              00000000776beecd 1 byte [62]
.text  C:\Windows\system32\AUDIODG.EXE[1144] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189                                                                              00000000776beecd 1 byte [62]
.text  C:\Windows\system32\svchost.exe[1256] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                              00000000776beecd 1 byte [62]
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1348] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                     00000000776beecd 1 byte [62]
.text  C:\Windows\system32\nvvsvc.exe[1356] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                               00000000776beecd 1 byte [62]
.text  C:\Windows\Explorer.EXE[1520] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                      00000000776beecd 1 byte [62]
.text  C:\Windows\System32\spoolsv.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                         00000000778a3b10 5 bytes JMP 000000010022075c
.text  C:\Windows\System32\spoolsv.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                           00000000778a7ac0 5 bytes JMP 00000001002203a4
.text  C:\Windows\System32\spoolsv.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                                              00000000778d1430 5 bytes JMP 0000000100220b14
.text  C:\Windows\System32\spoolsv.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                                  00000000778d1490 5 bytes JMP 0000000100220ecc
.text  C:\Windows\System32\spoolsv.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                   00000000778d1570 5 bytes JMP 000000010022163c
.text  C:\Windows\System32\spoolsv.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                                               00000000778d17b0 5 bytes JMP 0000000100221284
.text  C:\Windows\System32\spoolsv.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                   00000000778d27e0 5 bytes JMP 00000001002219f4
.text  C:\Windows\System32\spoolsv.exe[1032] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                                              00000000776beecd 1 byte [62]
.text  C:\Windows\System32\spoolsv.exe[1032] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                                           000007fefe456e00 5 bytes JMP 000007ff7e471dac
.text  C:\Windows\System32\spoolsv.exe[1032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                                               000007fefe456f2c 5 bytes JMP 000007ff7e470ecc
.text  C:\Windows\System32\spoolsv.exe[1032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                                               000007fefe457220 5 bytes JMP 000007ff7e471284
.text  C:\Windows\System32\spoolsv.exe[1032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                                              000007fefe45739c 5 bytes JMP 000007ff7e47163c
.text  C:\Windows\System32\spoolsv.exe[1032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                                              000007fefe457538 5 bytes JMP 000007ff7e4719f4
.text  C:\Windows\System32\spoolsv.exe[1032] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                                     000007fefe4575e8 5 bytes JMP 000007ff7e4703a4
.text  C:\Windows\System32\spoolsv.exe[1032] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                                     000007fefe45790c 5 bytes JMP 000007ff7e47075c
.text  C:\Windows\System32\spoolsv.exe[1032] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                                      000007fefe457ab4 5 bytes JMP 000007ff7e470b14
.text  C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                         00000000778a3b10 5 bytes JMP 00000001003c075c
.text  C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                           00000000778a7ac0 5 bytes JMP 00000001003c03a4
.text  C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                                              00000000778d1430 5 bytes JMP 00000001003c0b14
.text  C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                                  00000000778d1490 5 bytes JMP 00000001003c0ecc
.text  C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                   00000000778d1570 5 bytes JMP 00000001003c163c
.text  C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                                               00000000778d17b0 5 bytes JMP 00000001003c1284
.text  C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                   00000000778d27e0 5 bytes JMP 00000001003c19f4
.text  C:\Windows\system32\svchost.exe[1212] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                                              00000000776beecd 1 byte [62]
.text  C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                                           000007fefe456e00 5 bytes JMP 000007ff7e471dac
.text  C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                                               000007fefe456f2c 5 bytes JMP 000007ff7e470ecc
.text  C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                                               000007fefe457220 5 bytes JMP 000007ff7e471284
.text  C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                                              000007fefe45739c 5 bytes JMP 000007ff7e47163c
.text  C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                                              000007fefe457538 5 bytes JMP 000007ff7e4719f4
.text  C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                                     000007fefe4575e8 5 bytes JMP 000007ff7e4703a4
.text  C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                                     000007fefe45790c 5 bytes JMP 000007ff7e47075c
.text  C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                                      000007fefe457ab4 5 bytes JMP 000007ff7e470b14
.text  C:\Windows\system32\taskhost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                        00000000778a3b10 5 bytes JMP 000000010011075c
.text  C:\Windows\system32\taskhost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                          00000000778a7ac0 5 bytes JMP 00000001001103a4
.text  C:\Windows\system32\taskhost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                                             00000000778d1430 5 bytes JMP 0000000100110b14
.text  C:\Windows\system32\taskhost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                                 00000000778d1490 5 bytes JMP 0000000100110ecc
.text  C:\Windows\system32\taskhost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                  00000000778d1570 5 bytes JMP 000000010011163c
.text  C:\Windows\system32\taskhost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                                              00000000778d17b0 5 bytes JMP 0000000100111284
.text  C:\Windows\system32\taskhost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                  00000000778d27e0 5 bytes JMP 00000001001119f4
.text  C:\Windows\system32\taskhost.exe[1400] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                                             00000000776beecd 1 byte [62]
.text  C:\Windows\system32\taskhost.exe[1400] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                                          000007fefe456e00 5 bytes JMP 000007ff7e471dac
.text  C:\Windows\system32\taskhost.exe[1400] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                                              000007fefe456f2c 5 bytes JMP 000007ff7e470ecc
.text  C:\Windows\system32\taskhost.exe[1400] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                                              000007fefe457220 5 bytes JMP 000007ff7e471284
.text  C:\Windows\system32\taskhost.exe[1400] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                                             000007fefe45739c 5 bytes JMP 000007ff7e47163c
.text  C:\Windows\system32\taskhost.exe[1400] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                                             000007fefe457538 5 bytes JMP 000007ff7e4719f4
.text  C:\Windows\system32\taskhost.exe[1400] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                                    000007fefe4575e8 5 bytes JMP 000007ff7e4703a4
.text  C:\Windows\system32\taskhost.exe[1400] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                                    000007fefe45790c 5 bytes JMP 000007ff7e47075c
.text  C:\Windows\system32\taskhost.exe[1400] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                                     000007fefe457ab4 5 bytes JMP 000007ff7e470b14
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                     0000000077a7fac0 5 bytes JMP 0000000100030600
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                         0000000077a7fb58 5 bytes JMP 0000000100030804
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                          0000000077a7fcb0 5 bytes JMP 0000000100030c0c
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                      0000000077a80038 5 bytes JMP 0000000100030a08
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                          0000000077a81920 5 bytes JMP 0000000100030e10
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                  0000000077a9c4dd 5 bytes JMP 00000001000301f8
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                0000000077aa1287 5 bytes JMP 00000001000303fc
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                     0000000076e2a2ba 1 byte [62]
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\syswow64\USER32.dll!SetWinEventHook                            0000000076b3ee09 5 bytes JMP 00000001001401f8
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                             0000000076b43982 5 bytes JMP 00000001001403fc
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                          0000000076b47603 5 bytes JMP 0000000100140804
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                          0000000076b4835c 5 bytes JMP 0000000100140600
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\syswow64\USER32.dll!DialogBoxParamW                            0000000076b5cfca 5 bytes JMP 00000001750646b0
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                        0000000076b5f52b 5 bytes JMP 0000000100140a08
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                  0000000076dd5181 5 bytes JMP 0000000100151014
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                      0000000076dd5254 5 bytes JMP 0000000100150804
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                      0000000076dd53d5 5 bytes JMP 0000000100150a08
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                     0000000076dd54c2 5 bytes JMP 0000000100150c0c
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                     0000000076dd55e2 5 bytes JMP 0000000100150e10
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                            0000000076dd567c 5 bytes JMP 00000001001501f8
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                            0000000076dd589f 5 bytes JMP 00000001001503fc
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\SysWOW64\sechost.dll!DeleteService                             0000000076dd5a22 5 bytes JMP 0000000100150600
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                   00000000770f1465 2 bytes [0F, 77]
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                  00000000770f14bb 2 bytes [0F, 77]
.text  ...                                                                                                                                                                      * 2
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                                                             0000000077a7fac0 5 bytes JMP 0000000100140600
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                                                 0000000077a7fb58 5 bytes JMP 0000000100140804
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                  0000000077a7fcb0 5 bytes JMP 0000000100140c0c
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                              0000000077a80038 5 bytes JMP 0000000100140a08
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                  0000000077a81920 5 bytes JMP 0000000100140e10
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                                          0000000077a9c4dd 5 bytes JMP 00000001001401f8
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                                        0000000077aa1287 5 bytes JMP 00000001001403fc
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                                                             0000000076e2a2ba 1 byte [62]
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                                    0000000076b3ee09 5 bytes JMP 00000001001501f8
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                                                     0000000076b43982 5 bytes JMP 00000001001503fc
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                  0000000076b47603 5 bytes JMP 0000000100150804
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                                  0000000076b4835c 5 bytes JMP 0000000100150600
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\syswow64\USER32.dll!DialogBoxParamW                                                                                    0000000076b5cfca 5 bytes JMP 00000001750646b0
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                                                0000000076b5f52b 5 bytes JMP 0000000100150a08
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                                                          0000000076dd5181 5 bytes JMP 0000000100161014
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                                              0000000076dd5254 5 bytes JMP 0000000100160804
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                                              0000000076dd53d5 5 bytes JMP 0000000100160a08
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                                             0000000076dd54c2 5 bytes JMP 0000000100160c0c
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                                             0000000076dd55e2 5 bytes JMP 0000000100160e10
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                                                    0000000076dd567c 5 bytes JMP 00000001001601f8
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                                                    0000000076dd589f 5 bytes JMP 00000001001603fc
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                                                     0000000076dd5a22 5 bytes JMP 0000000100160600
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                           00000000770f1465 2 bytes [0F, 77]
.text  C:\Windows\SysWOW64\schtasks.exe[2152] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                          00000000770f14bb 2 bytes [0F, 77]
.text  ...                                                                                                                                                                      * 2
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                     0000000077a7fac0 5 bytes JMP 0000000100030600
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                         0000000077a7fb58 5 bytes JMP 0000000100030804
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                          0000000077a7fcb0 5 bytes JMP 0000000100030c0c
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                      0000000077a80038 5 bytes JMP 0000000100030a08
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                          0000000077a81920 5 bytes JMP 0000000100030e10
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                  0000000077a9c4dd 5 bytes JMP 00000001000301f8
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                0000000077aa1287 5 bytes JMP 00000001000303fc
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                     0000000076e2a2ba 1 byte [62]
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\syswow64\USER32.dll!SetWinEventHook                            0000000076b3ee09 5 bytes JMP 00000001001001f8
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                             0000000076b43982 5 bytes JMP 00000001001003fc
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                          0000000076b47603 5 bytes JMP 0000000100100804
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                          0000000076b4835c 5 bytes JMP 0000000100100600
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\syswow64\USER32.dll!DialogBoxParamW                            0000000076b5cfca 5 bytes JMP 00000001750646b0
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                        0000000076b5f52b 5 bytes JMP 0000000100100a08
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                  0000000076dd5181 5 bytes JMP 0000000100151014
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                      0000000076dd5254 5 bytes JMP 0000000100150804
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                      0000000076dd53d5 5 bytes JMP 0000000100150a08
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                     0000000076dd54c2 5 bytes JMP 0000000100150c0c
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                     0000000076dd55e2 5 bytes JMP 0000000100150e10
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                            0000000076dd567c 5 bytes JMP 00000001001501f8
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                            0000000076dd589f 5 bytes JMP 00000001001503fc
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\SysWOW64\sechost.dll!DeleteService                             0000000076dd5a22 5 bytes JMP 0000000100150600
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                   00000000770f1465 2 bytes [0F, 77]
.text  C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                  00000000770f14bb 2 bytes [0F, 77]
.text  ...                                                                                                                                                                      * 2
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                                                             0000000077a7fac0 5 bytes JMP 0000000100230600
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                                                 0000000077a7fb58 5 bytes JMP 0000000100230804
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                  0000000077a7fcb0 5 bytes JMP 0000000100230c0c
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                              0000000077a80038 5 bytes JMP 0000000100230a08
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                  0000000077a81920 5 bytes JMP 0000000100230e10
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                                          0000000077a9c4dd 5 bytes JMP 00000001002301f8
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                                        0000000077aa1287 5 bytes JMP 00000001002303fc
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                                                             0000000076e2a2ba 1 byte [62]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                                    0000000076b3ee09 5 bytes JMP 00000001002401f8
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                                                     0000000076b43982 5 bytes JMP 00000001002403fc
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                  0000000076b47603 5 bytes JMP 0000000100240804
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                                  0000000076b4835c 5 bytes JMP 0000000100240600
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\syswow64\USER32.dll!DialogBoxParamW                                                                                    0000000076b5cfca 5 bytes JMP 00000001750646b0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                                                0000000076b5f52b 5 bytes JMP 0000000100240a08
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                                                          0000000076dd5181 5 bytes JMP 0000000100251014
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                                              0000000076dd5254 5 bytes JMP 0000000100250804
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                                              0000000076dd53d5 5 bytes JMP 0000000100250a08
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                                             0000000076dd54c2 5 bytes JMP 0000000100250c0c
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                                             0000000076dd55e2 5 bytes JMP 0000000100250e10
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                                                    0000000076dd567c 5 bytes JMP 00000001002501f8
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                                                    0000000076dd589f 5 bytes JMP 00000001002503fc
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                                                     0000000076dd5a22 5 bytes JMP 0000000100250600
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322                                                                                  0000000072d91a22 2 bytes [D9, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496                                                                                  0000000072d91ad0 2 bytes [D9, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552                                                                                  0000000072d91b08 2 bytes [D9, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730                                                                                  0000000072d91bba 2 bytes [D9, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 754                                                                                  0000000072d91bd2 2 bytes CALL 75069a10 c:\progra~3\bitguard\261694~1.246\{c16c1~1\bitguard.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                           00000000770f1465 2 bytes [0F, 77]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2300] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                          00000000770f14bb 2 bytes [0F, 77]
.text  ...                                                                                                                                                                      * 2
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                 00000000778a3b10 5 bytes JMP 000000010032075c
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                   00000000778a7ac0 5 bytes JMP 00000001003203a4
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                      00000000778d1430 5 bytes JMP 0000000100320b14
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                          00000000778d1490 5 bytes JMP 0000000100320ecc
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                           00000000778d1570 5 bytes JMP 000000010032163c
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                       00000000778d17b0 5 bytes JMP 0000000100321284
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                           00000000778d27e0 5 bytes JMP 00000001003219f4
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                      00000000776beecd 1 byte [62]
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                   000007fefe456e00 5 bytes JMP 000007ff7e471dac
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                       000007fefe456f2c 5 bytes JMP 000007ff7e470ecc
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                       000007fefe457220 5 bytes JMP 000007ff7e471284
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                      000007fefe45739c 5 bytes JMP 000007ff7e47163c
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                      000007fefe457538 5 bytes JMP 000007ff7e4719f4
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                             000007fefe4575e8 5 bytes JMP 000007ff7e4703a4
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                             000007fefe45790c 5 bytes JMP 000007ff7e47075c
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2436] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                              000007fefe457ab4 5 bytes JMP 000007ff7e470b14
.text  C:\Windows\system32\SearchIndexer.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                   00000000778a3b10 5 bytes JMP 00000001001f075c
.text  C:\Windows\system32\SearchIndexer.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                     00000000778a7ac0 5 bytes JMP 00000001001f03a4
.text  C:\Windows\system32\SearchIndexer.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                                        00000000778d1430 5 bytes JMP 00000001001f0b14
.text  C:\Windows\system32\SearchIndexer.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                            00000000778d1490 5 bytes JMP 00000001001f0ecc
.text  C:\Windows\system32\SearchIndexer.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                             00000000778d1570 5 bytes JMP 00000001001f163c
.text  C:\Windows\system32\SearchIndexer.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                                         00000000778d17b0 5 bytes JMP 00000001001f1284
.text  C:\Windows\system32\SearchIndexer.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                             00000000778d27e0 5 bytes JMP 00000001001f19f4
.text  C:\Windows\system32\SearchIndexer.exe[2776] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                                        00000000776beecd 1 byte [62]
.text  C:\Windows\system32\SearchIndexer.exe[2776] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                                     000007fefe456e00 5 bytes JMP 000007ff7e471dac
.text  C:\Windows\system32\SearchIndexer.exe[2776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                                         000007fefe456f2c 5 bytes JMP 000007ff7e470ecc
.text  C:\Windows\system32\SearchIndexer.exe[2776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                                         000007fefe457220 5 bytes JMP 000007ff7e471284
.text  C:\Windows\system32\SearchIndexer.exe[2776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                                        000007fefe45739c 5 bytes JMP 000007ff7e47163c
.text  C:\Windows\system32\SearchIndexer.exe[2776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                                        000007fefe457538 5 bytes JMP 000007ff7e4719f4
.text  C:\Windows\system32\SearchIndexer.exe[2776] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                               000007fefe4575e8 5 bytes JMP 000007ff7e4703a4
.text  C:\Windows\system32\SearchIndexer.exe[2776] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                               000007fefe45790c 5 bytes JMP 000007ff7e47075c
.text  C:\Windows\system32\SearchIndexer.exe[2776] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                                000007fefe457ab4 5 bytes JMP 000007ff7e470b14
.text  C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                                           000007fefe456e00 5 bytes JMP 000007ff7e471dac
.text  C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                                               000007fefe456f2c 5 bytes JMP 000007ff7e470ecc
.text  C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                                               000007fefe457220 5 bytes JMP 000007ff7e471284
.text  C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                                              000007fefe45739c 5 bytes JMP 000007ff7e47163c
.text  C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                                              000007fefe457538 5 bytes JMP 000007ff7e4719f4
.text  C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                                     000007fefe4575e8 5 bytes JMP 000007ff7e4703a4
.text  C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                                     000007fefe45790c 5 bytes JMP 000007ff7e47075c
.text  C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                                      000007fefe457ab4 5 bytes JMP 000007ff7e470b14
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2196] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                  000007fefe456e00 5 bytes JMP 000007ff7e471dac
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                      000007fefe456f2c 5 bytes JMP 000007ff7e470ecc
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                      000007fefe457220 5 bytes JMP 000007ff7e471284
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                     000007fefe45739c 5 bytes JMP 000007ff7e47163c
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                     000007fefe457538 5 bytes JMP 000007ff7e4719f4
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2196] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                            000007fefe4575e8 5 bytes JMP 000007ff7e4703a4
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2196] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                            000007fefe45790c 5 bytes JMP 000007ff7e47075c
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2196] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                             000007fefe457ab4 5 bytes JMP 000007ff7e470b14
.text  C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                        00000000778a3b10 5 bytes JMP 00000001004b075c
.text  C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                          00000000778a7ac0 5 bytes JMP 00000001004b03a4
.text  C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                             00000000778d1430 5 bytes JMP 00000001004b0b14
.text  C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                 00000000778d1490 5 bytes JMP 00000001004b0ecc
.text  C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                  00000000778d1570 5 bytes JMP 00000001004b163c
.text  C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                              00000000778d17b0 5 bytes JMP 00000001004b1284
.text  C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                  00000000778d27e0 5 bytes JMP 00000001004b19f4
.text  C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2828] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                             00000000776beecd 1 byte [62]
.text  C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2828] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                          000007fefe456e00 5 bytes JMP 000007ff7e471dac
.text  C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                              000007fefe456f2c 5 bytes JMP 000007ff7e470ecc
.text  C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                              000007fefe457220 5 bytes JMP 000007ff7e471284
.text  C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                             000007fefe45739c 5 bytes JMP 000007ff7e47163c
.text  C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                             000007fefe457538 5 bytes JMP 000007ff7e4719f4
.text  C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2828] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                    000007fefe4575e8 5 bytes JMP 000007ff7e4703a4
.text  C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2828] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                    000007fefe45790c 5 bytes JMP 000007ff7e47075c
.text  C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2828] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                     000007fefe457ab4 5 bytes JMP 000007ff7e470b14
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                                          0000000077a7fac0 5 bytes JMP 0000000100030600
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                              0000000077a7fb58 5 bytes JMP 0000000100030804
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                               0000000077a7fcb0 5 bytes JMP 0000000100030c0c
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                           0000000077a80038 5 bytes JMP 0000000100030a08
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                               0000000077a81920 5 bytes JMP 0000000100030e10
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                       0000000077a9c4dd 5 bytes JMP 00000001000301f8
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                     0000000077aa1287 5 bytes JMP 00000001000303fc
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                                          0000000076e2a2ba 1 byte [62]
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                                       0000000076dd5181 5 bytes JMP 00000001003b1014
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                           0000000076dd5254 5 bytes JMP 00000001003b0804
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                           0000000076dd53d5 5 bytes JMP 00000001003b0a08
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                          0000000076dd54c2 5 bytes JMP 00000001003b0c0c
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                          0000000076dd55e2 5 bytes JMP 00000001003b0e10
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                                 0000000076dd567c 5 bytes JMP 00000001003b01f8
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                                 0000000076dd589f 5 bytes JMP 00000001003b03fc
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                                  0000000076dd5a22 5 bytes JMP 00000001003b0600
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                 0000000076b3ee09 5 bytes JMP 00000001003c01f8
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                                  0000000076b43982 5 bytes JMP 00000001003c03fc
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                               0000000076b47603 5 bytes JMP 00000001003c0804
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                               0000000076b4835c 5 bytes JMP 00000001003c0600
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\syswow64\USER32.dll!DialogBoxParamW                                                                 0000000076b5cfca 5 bytes JMP 00000001750646b0
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                             0000000076b5f52b 5 bytes JMP 00000001003c0a08
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                        00000000770f1465 2 bytes [0F, 77]
.text  C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe[1064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                       00000000770f14bb 2 bytes [0F, 77]
.text  ...                                                                                                                                                                      * 2
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                                                              0000000077a7fac0 5 bytes JMP 0000000100030600
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                                                  0000000077a7fb58 5 bytes JMP 0000000100030804
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                   0000000077a7fcb0 5 bytes JMP 0000000100030c0c
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                               0000000077a80038 5 bytes JMP 0000000100030a08
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                   0000000077a81920 5 bytes JMP 0000000100030e10
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                                           0000000077a9c4dd 5 bytes JMP 00000001000301f8
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                                         0000000077aa1287 5 bytes JMP 00000001000303fc
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                                                              0000000076e2a2ba 1 byte [62]
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                                     0000000076b3ee09 5 bytes JMP 00000001000a01f8
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                                                      0000000076b43982 5 bytes JMP 00000001000a03fc
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                   0000000076b47603 5 bytes JMP 00000001000a0804
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                                   0000000076b4835c 5 bytes JMP 00000001000a0600
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\syswow64\USER32.dll!DialogBoxParamW                                                                                     0000000076b5cfca 5 bytes JMP 00000001750646b0
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                                                 0000000076b5f52b 5 bytes JMP 00000001000a0a08
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                                                           0000000076dd5181 5 bytes JMP 00000001000b1014
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                                               0000000076dd5254 5 bytes JMP 00000001000b0804
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                                               0000000076dd53d5 5 bytes JMP 00000001000b0a08
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                                              0000000076dd54c2 5 bytes JMP 00000001000b0c0c
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                                              0000000076dd55e2 5 bytes JMP 00000001000b0e10
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                                                     0000000076dd567c 5 bytes JMP 00000001000b01f8
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                                                     0000000076dd589f 5 bytes JMP 00000001000b03fc
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                                                      0000000076dd5a22 5 bytes JMP 00000001000b0600
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                            00000000770f1465 2 bytes [0F, 77]
.text  C:\Windows\SysWOW64\rundll32.exe[576] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                           00000000770f14bb 2 bytes [0F, 77]
.text  ...                                                                                                                                                                      * 2
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                  00000000778a3b10 5 bytes JMP 00000001001e075c
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                    00000000778a7ac0 5 bytes JMP 00000001001e03a4
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                       00000000778d1430 5 bytes JMP 00000001001e0b14
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                           00000000778d1490 5 bytes JMP 00000001001e0ecc
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                            00000000778d1570 5 bytes JMP 00000001001e163c
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                        00000000778d17b0 5 bytes JMP 00000001001e1284
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                            00000000778d27e0 5 bytes JMP 00000001001e19f4
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                       00000000776beecd 1 byte [62]
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                    000007fefe456e00 5 bytes JMP 000007ff7e471dac
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                        000007fefe456f2c 5 bytes JMP 000007ff7e470ecc
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                        000007fefe457220 5 bytes JMP 000007ff7e471284
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                       000007fefe45739c 5 bytes JMP 000007ff7e47163c
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                       000007fefe457538 5 bytes JMP 000007ff7e4719f4
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                              000007fefe4575e8 5 bytes JMP 000007ff7e4703a4
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                              000007fefe45790c 5 bytes JMP 000007ff7e47075c
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3292] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                               000007fefe457ab4 5 bytes JMP 000007ff7e470b14
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                                                     0000000077a7fac0 5 bytes JMP 0000000100030600
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                                         0000000077a7fb58 5 bytes JMP 0000000100030804
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                          0000000077a7fcb0 5 bytes JMP 0000000100030c0c
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                      0000000077a80038 5 bytes JMP 0000000100030a08
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                          0000000077a81920 5 bytes JMP 0000000100030e10
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                                  0000000077a9c4dd 5 bytes JMP 00000001000301f8
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                                0000000077aa1287 5 bytes JMP 00000001000303fc
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                                                     0000000076e2a2ba 1 byte [62]
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                            0000000076b3ee09 5 bytes JMP 00000001001401f8
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                                             0000000076b43982 5 bytes JMP 00000001001403fc
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                          0000000076b47603 5 bytes JMP 0000000100140804
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                          0000000076b4835c 5 bytes JMP 0000000100140600
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\syswow64\USER32.dll!DialogBoxParamW                                                                            0000000076b5cfca 5 bytes JMP 00000001750646b0
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                                        0000000076b5f52b 5 bytes JMP 0000000100140a08
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                                                  0000000076dd5181 5 bytes JMP 0000000100151014
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                                      0000000076dd5254 5 bytes JMP 0000000100150804
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                                      0000000076dd53d5 5 bytes JMP 0000000100150a08
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                                     0000000076dd54c2 5 bytes JMP 0000000100150c0c
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                                     0000000076dd55e2 5 bytes JMP 0000000100150e10
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                                            0000000076dd567c 5 bytes JMP 00000001001501f8
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                                            0000000076dd589f 5 bytes JMP 00000001001503fc
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                                             0000000076dd5a22 5 bytes JMP 0000000100150600
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                   00000000770f1465 2 bytes [0F, 77]
.text  C:\Program Files (x86)\Origin\Origin.exe[3388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                  00000000770f14bb 2 bytes [0F, 77]
.text  ...                                                                                                                                                                      * 2
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                                        0000000077a7fac0 5 bytes JMP 0000000100030600
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                            0000000077a7fb58 5 bytes JMP 0000000100030804
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                             0000000077a7fcb0 5 bytes JMP 0000000100030c0c
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                         0000000077a80038 5 bytes JMP 0000000100030a08
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                             0000000077a81920 5 bytes JMP 0000000100030e10
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                     0000000077a9c4dd 5 bytes JMP 00000001000301f8
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                   0000000077aa1287 5 bytes JMP 00000001000303fc
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                                        0000000076e2a2ba 1 byte [62]
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                               0000000076b3ee09 5 bytes JMP 00000001002401f8
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                                0000000076b43982 5 bytes JMP 00000001002403fc
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                             0000000076b47603 5 bytes JMP 0000000100240804
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                             0000000076b4835c 5 bytes JMP 0000000100240600
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\syswow64\USER32.dll!DialogBoxParamW                                                               0000000076b5cfca 5 bytes JMP 00000001750646b0
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                           0000000076b5f52b 5 bytes JMP 0000000100240a08
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                                     0000000076dd5181 5 bytes JMP 0000000100251014
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                         0000000076dd5254 5 bytes JMP 0000000100250804
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                         0000000076dd53d5 5 bytes JMP 0000000100250a08
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                        0000000076dd54c2 5 bytes JMP 0000000100250c0c
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                        0000000076dd55e2 5 bytes JMP 0000000100250e10
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                               0000000076dd567c 5 bytes JMP 00000001002501f8
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                               0000000076dd589f 5 bytes JMP 00000001002503fc
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                                0000000076dd5a22 5 bytes JMP 0000000100250600
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                      00000000770f1465 2 bytes [0F, 77]
.text  C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                     00000000770f14bb 2 bytes [0F, 77]
.text  ...                                                                                                                                                                      * 2
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                                        0000000077a7fac0 5 bytes JMP 00000001002c0600
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                            0000000077a7fb58 5 bytes JMP 00000001002c0804
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                             0000000077a7fcb0 5 bytes JMP 00000001002c0c0c
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                         0000000077a80038 5 bytes JMP 00000001002c0a08
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                             0000000077a81920 5 bytes JMP 00000001002c0e10
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                     0000000077a9c4dd 5 bytes JMP 00000001002c01f8
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                   0000000077aa1287 5 bytes JMP 00000001002c03fc
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                                        0000000076e2a2ba 1 byte [62]
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                               0000000076b3ee09 5 bytes JMP 00000001002d01f8
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                                0000000076b43982 5 bytes JMP 00000001002d03fc
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                             0000000076b47603 5 bytes JMP 00000001002d0804
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                             0000000076b4835c 5 bytes JMP 00000001002d0600
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\syswow64\USER32.dll!DialogBoxParamW                                                               0000000076b5cfca 5 bytes JMP 00000001750646b0
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                           0000000076b5f52b 5 bytes JMP 00000001002d0a08
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                                     0000000076dd5181 5 bytes JMP 00000001002e1014
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                         0000000076dd5254 5 bytes JMP 00000001002e0804
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                         0000000076dd53d5 5 bytes JMP 00000001002e0a08
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                        0000000076dd54c2 5 bytes JMP 00000001002e0c0c
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                        0000000076dd55e2 3 bytes JMP 00000001002e0e10
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 4                                                    0000000076dd55e6 1 byte [89]
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                               0000000076dd567c 5 bytes JMP 00000001002e01f8
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                               0000000076dd589f 5 bytes JMP 00000001002e03fc
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                                0000000076dd5a22 5 bytes JMP 00000001002e0600
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                      00000000770f1465 2 bytes [0F, 77]
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                     00000000770f14bb 2 bytes [0F, 77]
.text  ...                                                                                                                                                                      * 2
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory     0000000077a7fac0 5 bytes JMP 0000000100030600
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory         0000000077a7fb58 5 bytes JMP 0000000100030804
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess          0000000077a7fcb0 5 bytes JMP 0000000100030c0c
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory      0000000077a80038 5 bytes JMP 0000000100030a08
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread          0000000077a81920 5 bytes JMP 0000000100030e10
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                  0000000077a9c4dd 5 bytes JMP 00000001000301f8
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                0000000077aa1287 5 bytes JMP 00000001000303fc
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112     0000000076e2a2ba 1 byte [62]
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\syswow64\USER32.dll!SetWinEventHook            0000000076b3ee09 5 bytes JMP 00000001001001f8
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\syswow64\USER32.dll!UnhookWinEvent             0000000076b43982 5 bytes JMP 00000001001003fc
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW          0000000076b47603 5 bytes JMP 0000000100100804
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA          0000000076b4835c 5 bytes JMP 0000000100100600
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\syswow64\USER32.dll!DialogBoxParamW            0000000076b5cfca 5 bytes JMP 00000001750646b0
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx        0000000076b5f52b 5 bytes JMP 0000000100100a08
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity  0000000076dd5181 5 bytes JMP 0000000100111014
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA      0000000076dd5254 5 bytes JMP 0000000100110804
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW      0000000076dd53d5 5 bytes JMP 0000000100110a08
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A     0000000076dd54c2 5 bytes JMP 0000000100110c0c
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W     0000000076dd55e2 5 bytes JMP 0000000100110e10
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\SysWOW64\sechost.dll!CreateServiceA            0000000076dd567c 5 bytes JMP 00000001001101f8
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\SysWOW64\sechost.dll!CreateServiceW            0000000076dd589f 5 bytes JMP 00000001001103fc
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\SysWOW64\sechost.dll!DeleteService             0000000076dd5a22 5 bytes JMP 0000000100110600
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000770f1465 2 bytes [0F, 77]
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000770f14bb 2 bytes [0F, 77]
.text  ...                                                                                                                                                                      * 2
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[3708] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                            0000000076e2a2ba 1 byte [62]
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                                              0000000077a7fac0 5 bytes JMP 0000000100030600
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                                  0000000077a7fb58 5 bytes JMP 0000000100030804
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                   0000000077a7fcb0 5 bytes JMP 0000000100030c0c
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                               0000000077a80038 5 bytes JMP 0000000100030a08
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                   0000000077a81920 5 bytes JMP 0000000100030e10
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                           0000000077a9c4dd 5 bytes JMP 00000001000301f8
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                         0000000077aa1287 5 bytes JMP 00000001000303fc
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                                              0000000076e2a2ba 1 byte [62]
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                     0000000076b3ee09 5 bytes JMP 00000001002501f8
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                                      0000000076b43982 5 bytes JMP 00000001002503fc
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                   0000000076b47603 5 bytes JMP 0000000100250804
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                   0000000076b4835c 5 bytes JMP 0000000100250600
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\syswow64\USER32.dll!DialogBoxParamW                                                                     0000000076b5cfca 5 bytes JMP 00000001750646b0
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                                 0000000076b5f52b 5 bytes JMP 0000000100250a08
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                                           0000000076dd5181 5 bytes JMP 0000000100261014
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                               0000000076dd5254 5 bytes JMP 0000000100260804
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                               0000000076dd53d5 5 bytes JMP 0000000100260a08
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                              0000000076dd54c2 5 bytes JMP 0000000100260c0c
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                              0000000076dd55e2 5 bytes JMP 0000000100260e10
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                                     0000000076dd567c 5 bytes JMP 00000001002601f8
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                                     0000000076dd589f 5 bytes JMP 00000001002603fc
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                                      0000000076dd5a22 5 bytes JMP 0000000100260600
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                            00000000770f1465 2 bytes [0F, 77]
.text  C:\Program Files (x86)\lg_fwupdate\fwupdate.exe[4036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                           00000000770f14bb 2 bytes [0F, 77]
.text  ...                                                                                                                                                                      * 2
.text  C:\Windows\system32\taskeng.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                         00000000778a3b10 5 bytes JMP 000000010037075c
.text  C:\Windows\system32\taskeng.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                           00000000778a7ac0 5 bytes JMP 00000001003703a4
.text  C:\Windows\system32\taskeng.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                                              00000000778d1430 5 bytes JMP 0000000100370b14
.text  C:\Windows\system32\taskeng.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                                  00000000778d1490 5 bytes JMP 0000000100370ecc
.text  C:\Windows\system32\taskeng.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                   00000000778d1570 5 bytes JMP 000000010037163c
.text  C:\Windows\system32\taskeng.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                                               00000000778d17b0 5 bytes JMP 0000000100371284
.text  C:\Windows\system32\taskeng.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                   00000000778d27e0 5 bytes JMP 00000001003719f4
.text  C:\Windows\system32\taskeng.exe[3848] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                                           000007fefe456e00 5 bytes JMP 000007ff7e471dac
.text  C:\Windows\system32\taskeng.exe[3848] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                                               000007fefe456f2c 5 bytes JMP 000007ff7e470ecc
.text  C:\Windows\system32\taskeng.exe[3848] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                                               000007fefe457220 5 bytes JMP 000007ff7e471284
.text  C:\Windows\system32\taskeng.exe[3848] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                                              000007fefe45739c 5 bytes JMP 000007ff7e47163c
.text  C:\Windows\system32\taskeng.exe[3848] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                                              000007fefe457538 5 bytes JMP 000007ff7e4719f4
.text  C:\Windows\system32\taskeng.exe[3848] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                                     000007fefe4575e8 5 bytes JMP 000007ff7e4703a4
.text  C:\Windows\system32\taskeng.exe[3848] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                                     000007fefe45790c 5 bytes JMP 000007ff7e47075c
.text  C:\Windows\system32\taskeng.exe[3848] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                                      000007fefe457ab4 5 bytes JMP 000007ff7e470b14
.text  C:\Windows\system32\taskeng.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                         00000000778a3b10 5 bytes JMP 00000001001e075c
.text  C:\Windows\system32\taskeng.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                           00000000778a7ac0 5 bytes JMP 00000001001e03a4
.text  C:\Windows\system32\taskeng.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                                              00000000778d1430 5 bytes JMP 00000001001e0b14
.text  C:\Windows\system32\taskeng.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                                  00000000778d1490 5 bytes JMP 00000001001e0ecc
.text  C:\Windows\system32\taskeng.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                   00000000778d1570 5 bytes JMP 00000001001e163c
.text  C:\Windows\system32\taskeng.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                                               00000000778d17b0 5 bytes JMP 00000001001e1284
.text  C:\Windows\system32\taskeng.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                   00000000778d27e0 5 bytes JMP 00000001001e19f4
.text  C:\Windows\system32\taskeng.exe[4424] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                                           000007fefe456e00 5 bytes JMP 000007ff7e471dac
.text  C:\Windows\system32\taskeng.exe[4424] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                                               000007fefe456f2c 5 bytes JMP 000007ff7e470ecc
.text  C:\Windows\system32\taskeng.exe[4424] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                                               000007fefe457220 5 bytes JMP 000007ff7e471284
.text  C:\Windows\system32\taskeng.exe[4424] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                                              000007fefe45739c 5 bytes JMP 000007ff7e47163c
.text  C:\Windows\system32\taskeng.exe[4424] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                                              000007fefe457538 5 bytes JMP 000007ff7e4719f4
.text  C:\Windows\system32\taskeng.exe[4424] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                                     000007fefe4575e8 5 bytes JMP 000007ff7e4703a4
.text  C:\Windows\system32\taskeng.exe[4424] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                                     000007fefe45790c 5 bytes JMP 000007ff7e47075c
.text  C:\Windows\system32\taskeng.exe[4424] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                                      000007fefe457ab4 5 bytes JMP 000007ff7e470b14
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                                                         0000000077a7fac0 5 bytes JMP 0000000100030600
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                                             0000000077a7fb58 5 bytes JMP 0000000100030804
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                              0000000077a7fcb0 5 bytes JMP 0000000100030c0c
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                          0000000077a80038 5 bytes JMP 0000000100030a08
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                              0000000077a81920 5 bytes JMP 0000000100030e10
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                                      0000000077a9c4dd 5 bytes JMP 00000001000301f8
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                                    0000000077aa1287 5 bytes JMP 00000001000303fc
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                                                         0000000076e2a2ba 1 byte [62]
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                                                      0000000076dd5181 5 bytes JMP 0000000100241014
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                                          0000000076dd5254 5 bytes JMP 0000000100240804
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                                          0000000076dd53d5 5 bytes JMP 0000000100240a08
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                                         0000000076dd54c2 5 bytes JMP 0000000100240c0c
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                                         0000000076dd55e2 5 bytes JMP 0000000100240e10
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                                                0000000076dd567c 5 bytes JMP 00000001002401f8
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                                                0000000076dd589f 5 bytes JMP 00000001002403fc
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                                                 0000000076dd5a22 5 bytes JMP 0000000100240600
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                                0000000076b3ee09 5 bytes JMP 00000001002501f8
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                                                 0000000076b43982 5 bytes JMP 00000001002503fc
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                              0000000076b47603 5 bytes JMP 0000000100250804
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                              0000000076b4835c 5 bytes JMP 0000000100250600
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\syswow64\USER32.dll!DialogBoxParamW                                                                                0000000076b5cfca 5 bytes JMP 00000001750646b0
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                                            0000000076b5f52b 5 bytes JMP 0000000100250a08
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                       00000000770f1465 2 bytes [0F, 77]
.text  C:\Users\user\Downloads\3y6ej5pd.exe[4736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                      00000000770f14bb 2 bytes [0F, 77]
.text  ...                                                                                                                                                                      * 2

---- Registry - GMER 2.1 ----

Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type                                                                                                                     2
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start                                                                                                                    2
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl                                                                                                             1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName                                                                                                              aswFsBlk
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group                                                                                                                    FSFilter Activity Monitor
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService                                                                                                          FltMgr?
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description                                                                                                              avast! mini-filter driver (aswFsBlk)
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag                                                                                                                      2
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances                                                                                                                
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance                                                                                                aswFsBlk Instance
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance                                                                                              
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude                                                                                     388400
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags                                                                                        0
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk                                                                                                                          
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type                                                                                                                    2
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start                                                                                                                   2
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl                                                                                                            1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath                                                                                                               \??\C:\Windows\system32\drivers\aswMonFlt.sys
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName                                                                                                             aswMonFlt
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group                                                                                                                   FSFilter Anti-Virus
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService                                                                                                         FltMgr?
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description                                                                                                             avast! mini-filter driver (aswMonFlt)
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances                                                                                                               
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance                                                                                               aswMonFlt Instance
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance                                                                                            
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude                                                                                   320700
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags                                                                                      0
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt                                                                                                                         
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath                                                                                                                  \SystemRoot\System32\Drivers\aswrdr2.sys
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type                                                                                                                       1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start                                                                                                                      1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl                                                                                                               1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName                                                                                                                aswRdr
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group                                                                                                                      PNP_TDI
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService                                                                                                            tcpip?
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description                                                                                                                avast! WFP Redirect driver
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters                                                                                                                 
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault                                                                                              
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault                                                                                              nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr                                                                                                                            
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type                                                                                                                      1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start                                                                                                                     0
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl                                                                                                              1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName                                                                                                               aswRvrt
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description                                                                                                               avast! Revert
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters                                                                                                                
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter                                                                                                    40
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter                                                                                                    623055
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot                                                                                                     \Device\Harddisk0\Partition2\Windows
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown                                                                                               1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt                                                                                                                           
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type                                                                                                                       2
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start                                                                                                                      1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl                                                                                                               1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName                                                                                                                aswSnx
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group                                                                                                                      FSFilter Virtualization
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService                                                                                                            FltMgr?
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description                                                                                                                avast! virtualization driver (aswSnx)
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag                                                                                                                        2
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances                                                                                                                  
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance                                                                                                  aswSnx Instance
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance                                                                                                  
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude                                                                                         137600
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags                                                                                            0
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters                                                                                                                 
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder                                                                                                   \DosDevices\C:\Program Files\AVAST Software\Avast
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder                                                                                                      \DosDevices\C:\ProgramData\AVAST Software\Avast
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx                                                                                                                            
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type                                                                                                                        1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start                                                                                                                       1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl                                                                                                                1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName                                                                                                                 aswSP
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description                                                                                                                 avast! Self Protection
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters                                                                                                                  
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield                                                                                                      1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder                                                                                                    \DosDevices\C:\Program Files\AVAST Software\Avast
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder                                                                                                       \DosDevices\C:\ProgramData\AVAST Software\Avast
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder                                                                                               \DosDevices\C:\Program Files
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder                                                                                                     \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP                                                                                                                             
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type                                                                                                                       1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start                                                                                                                      1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl                                                                                                               1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName                                                                                                                avast! Network Shield Support
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group                                                                                                                      PNP_TDI
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService                                                                                                            tcpip?
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description                                                                                                                avast! Network Shield TDI driver
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag                                                                                                                        11
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswTdi                                                                                                                            
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type                                                                                                                       1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start                                                                                                                      0
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl                                                                                                               1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName                                                                                                                aswVmm
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description                                                                                                                avast! VM Monitor
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters                                                                                                                 
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswVmm                                                                                                                            
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type                                                                                                             32
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start                                                                                                            2
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl                                                                                                     1
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath                                                                                                        "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName                                                                                                      avast! Antivirus
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group                                                                                                            ShellSvcGroup
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService                                                                                                  aswMonFlt?RpcSS?
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64                                                                                                            1
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName                                                                                                       LocalSystem
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType                                                                                                   1
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description                                                                                                      Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań.
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus                                                                                                                  
Reg    HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04                                                                                         
Reg    HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                                                                                      1
Reg    HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                                                                                   0x3B 0xE1 0xF3 0x36 ...
Reg    HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                                                                         
Reg    HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                                                                      C:\Program Files (x86)\DAEMON Tools Lite\
Reg    HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                                                                      0x00 0x00 0x00 0x00 ...
Reg    HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                                                      0
Reg    HKLM\SYSTEM\CurrentControlSet\services\WmiApRpl\Performance@Object List                                                                                                  48926 48932 48942 48952 48972 49016 49026 49064 49070 49086
Reg    HKLM\SYSTEM\CurrentControlSet\services\WmiApRpl\Performance@Last Counter                                                                                                 49092
Reg    HKLM\SYSTEM\CurrentControlSet\services\WmiApRpl\Performance@Last Help                                                                                                    49093
Reg    HKLM\SYSTEM\CurrentControlSet\services\WmiApRpl\Performance@First Counter                                                                                                48926
Reg    HKLM\SYSTEM\CurrentControlSet\services\WmiApRpl\Performance@First Help                                                                                                   48927
Reg    HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type                                                                                                                         2
Reg    HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start                                                                                                                        2
Reg    HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl                                                                                                                 1
Reg    HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName                                                                                                                  aswFsBlk
Reg    HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group                                                                                                                        FSFilter Activity Monitor
Reg    HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService                                                                                                              FltMgr?
Reg    HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description                                                                                                                  avast! mini-filter driver (aswFsBlk)
Reg    HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag                                                                                                                          2
Reg    HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet)                                                                                            
Reg    HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance                                                                                                    aswFsBlk Instance
Reg    HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet)                                                                          
Reg    HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude                                                                                         388400
Reg    HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags                                                                                            0
Reg    HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type                                                                                                                        2
Reg    HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start                                                                                                                       2
Reg    HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl                                                                                                                1
Reg    HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath                                                                                                                   \??\C:\Windows\system32\drivers\aswMonFlt.sys
Reg    HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName                                                                                                                 aswMonFlt
Reg    HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group                                                                                                                       FSFilter Anti-Virus
Reg    HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService                                                                                                             FltMgr?
Reg    HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description                                                                                                                 avast! mini-filter driver (aswMonFlt)
Reg    HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet)                                                                                           
Reg    HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance                                                                                                   aswMonFlt Instance
Reg    HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet)                                                                        
Reg    HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude                                                                                       320700
Reg    HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags                                                                                          0
Reg    HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath                                                                                                                      \SystemRoot\System32\Drivers\aswrdr2.sys
Reg    HKLM\SYSTEM\ControlSet002\services\aswRdr@Type                                                                                                                           1
Reg    HKLM\SYSTEM\ControlSet002\services\aswRdr@Start                                                                                                                          1
Reg    HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl                                                                                                                   1
Reg    HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName                                                                                                                    aswRdr
Reg    HKLM\SYSTEM\ControlSet002\services\aswRdr@Group                                                                                                                          PNP_TDI
Reg    HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService                                                                                                                tcpip?
Reg    HKLM\SYSTEM\ControlSet002\services\aswRdr@Description                                                                                                                    avast! WFP Redirect driver
Reg    HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet)                                                                                             
Reg    HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault                                                                                                  
Reg    HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault                                                                                                  nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll
Reg    HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type                                                                                                                          1
Reg    HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start                                                                                                                         0
Reg    HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl                                                                                                                  1
Reg    HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName                                                                                                                   aswRvrt
Reg    HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description                                                                                                                   avast! Revert
Reg    HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet)                                                                                            
Reg    HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter                                                                                                        40
Reg    HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter                                                                                                        623055
Reg    HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot                                                                                                         \Device\Harddisk0\Partition2\Windows
Reg    HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown                                                                                                   1
Reg    HKLM\SYSTEM\ControlSet002\services\aswSnx@Type                                                                                                                           2
Reg    HKLM\SYSTEM\ControlSet002\services\aswSnx@Start                                                                                                                          1
Reg    HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl                                                                                                                   1
Reg    HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName                                                                                                                    aswSnx
Reg    HKLM\SYSTEM\ControlSet002\services\aswSnx@Group                                                                                                                          FSFilter Virtualization
Reg    HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService                                                                                                                FltMgr?
Reg    HKLM\SYSTEM\ControlSet002\services\aswSnx@Description                                                                                                                    avast! virtualization driver (aswSnx)
Reg    HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag                                                                                                                            2
Reg    HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet)                                                                                              
Reg    HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance                                                                                                      aswSnx Instance
Reg    HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet)                                                                              
Reg    HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude                                                                                             137600
Reg    HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags                                                                                                0
Reg    HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet)                                                                                             
Reg    HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder                                                                                                       \DosDevices\C:\Program Files\AVAST Software\Avast
Reg    HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder                                                                                                          \DosDevices\C:\ProgramData\AVAST Software\Avast
Reg    HKLM\SYSTEM\ControlSet002\services\aswSP@Type                                                                                                                            1
Reg    HKLM\SYSTEM\ControlSet002\services\aswSP@Start                                                                                                                           1
Reg    HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl                                                                                                                    1
Reg    HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName                                                                                                                     aswSP
Reg    HKLM\SYSTEM\ControlSet002\services\aswSP@Description                                                                                                                     avast! Self Protection
Reg    HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet)                                                                                              
Reg    HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield                                                                                                          1
Reg    HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder                                                                                                        \DosDevices\C:\Program Files\AVAST Software\Avast
Reg    HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder                                                                                                           \DosDevices\C:\ProgramData\AVAST Software\Avast
Reg    HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder                                                                                                   \DosDevices\C:\Program Files
Reg    HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder                                                                                                         \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget
Reg    HKLM\SYSTEM\ControlSet002\services\aswTdi@Type                                                                                                                           1
Reg    HKLM\SYSTEM\ControlSet002\services\aswTdi@Start                                                                                                                          1
Reg    HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl                                                                                                                   1
Reg    HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName                                                                                                                    avast! Network Shield Support
Reg    HKLM\SYSTEM\ControlSet002\services\aswTdi@Group                                                                                                                          PNP_TDI
Reg    HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService                                                                                                                tcpip?
Reg    HKLM\SYSTEM\ControlSet002\services\aswTdi@Description                                                                                                                    avast! Network Shield TDI driver
Reg    HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag                                                                                                                            11
Reg    HKLM\SYSTEM\ControlSet002\services\aswVmm@Type                                                                                                                           1
Reg    HKLM\SYSTEM\ControlSet002\services\aswVmm@Start                                                                                                                          0
Reg    HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl                                                                                                                   1
Reg    HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName                                                                                                                    aswVmm
Reg    HKLM\SYSTEM\ControlSet002\services\aswVmm@Description                                                                                                                    avast! VM Monitor
Reg    HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet)                                                                                             
Reg    HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type                                                                                                                 32
Reg    HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start                                                                                                                2
Reg    HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl                                                                                                         1
Reg    HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath                                                                                                            "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
Reg    HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName                                                                                                          avast! Antivirus
Reg    HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group                                                                                                                ShellSvcGroup
Reg    HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService                                                                                                      aswMonFlt?RpcSS?
Reg    HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64                                                                                                                1
Reg    HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName                                                                                                           LocalSystem
Reg    HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType                                                                                                       1
Reg    HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description                                                                                                          Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?.
Reg    HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)                                                                     
Reg    HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                                                                                          1
Reg    HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                                                                                       0x3B 0xE1 0xF3 0x36 ...
Reg    HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                                                                     
Reg    HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                                                                          C:\Program Files (x86)\DAEMON Tools Lite\
Reg    HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                                                                          0x00 0x00 0x00 0x00 ...
Reg    HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                                                          0

---- EOF - GMER 2.1 ----
