Qvo6 - jak usunąć

**Posty:** 5 · przez **Laytenek** 29 Cze 2013, 11:46

Witam.

Niedawno w moich przeglądarkach na stronach głównych zamiast google zaczęło się pojawiać Qvo6. Od razu się zorientowałem, że coś jest nie tak, ponieważ nie dało się w narzędziach ustawić strony startowej na google. Z tego co doczytałem jest to jakieś oprogramowanie szpiegowskie, które nic dobrego na komputerze nie przynosi. Poradziłem się kilku osób oraz ściągnąłem ADW Cleaner. Kliknąłem usuń, wszystko przebiegło zgodnie z procedurą i już zamiast strony Qvo6 na start pojawia się normalna - Mozilla Firefox. Jednak nadal mam pewne obawy z tym związane, czy to na pewno zostało usunięte z mojego komputera i mogę czuć się bezpiecznie? Wyrzuciłem wszystkie Babylony, delty itd syfy, usunąłem wszystkie pliki związane z Qvo6. Przeskanowałem komputer we wszystkich możliwych miejscach. Poza tym może rzecz z moim problemem zupełnie nie związana, po wpisaniu tytułu na YT najpierw pojawia się kilka filmów w żółtym tle, które są reklamami, a później wyniki wyszukiwania( wcześniej pojawiały się od razu filmy ).. Czy to może być spowodowane tym? Dodam jeszcze, że usunąłem z komputera Google Chrome jeśli na coś to się przyda.

Czy może mi ktoś w tej sprawie pomóc, ewentualnie napisać co zrobić, żebym miał całkowitą pewność, że to Qv06 zniknęło z komputera i mogę czuć się bezpiecznie zwiedzając internet? Przepraszam za taką chaotyczną treść tematu, jestem zupełnie zielony w tych sprawach.

#EDIT.

Pobrałem ponownie przeglądarkę Google Chrome, są w niej jakieś ślady QVo6, np. chciałem ustawić strone startowa na google i dało mi do wyboru, onety, itd pierdoły, było tam Qvo6.

Jak ten syf usunąć...

**Posty:** 12734 · przez **Mikou@j** 29 Cze 2013, 12:12

Brak wymagany logów wszystko-o-logach-aktualizacja-30-01-2012-vt117887.html

**Posty:** 5 · przez **Laytenek** 29 Cze 2013, 14:45

Kod: Zaznacz wszystko: GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-29 14:15:46 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD10EARX-00N0YB0 rev.51.0AB51 931,51GB Running: xz0537l3.exe; Driver: C:\Users\AdMiN\AppData\Local\Temp\uwrdakob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff80002df4000 46 bytes [20, 48, 0B, C2, 48, 8B, E8, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff80002df402f 5 bytes [00, E8, 1B, FC, EE] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 000000014a630460 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 000000014a630450 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 000000014a630370 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 000000014a630470 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 000000014a6303e0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 000000014a630320 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 000000014a6303b0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 000000014a630390 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 000000014a6302e0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 000000014a6302d0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 000000014a630310 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 000000014a6303c0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 000000014a6303f0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 000000014a630230 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0xffffffffd2c1e890} .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 000000014a630480 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 000000014a6303a0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 000000014a6302f0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 000000014a630350 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 000000014a630290 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 000000014a6302b0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 000000014a6303d0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 000000014a630330 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0xffffffffd2c1e590} .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 000000014a630410 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 000000014a630240 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 000000014a6301e0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 000000014a630250 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0xffffffffd2c1e090} .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 000000014a630490 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 000000014a6304a0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 000000014a630300 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 000000014a630360 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 000000014a6302a0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 000000014a6302c0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 000000014a630380 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 000000014a630340 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 000000014a630440 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 000000014a630260 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 000000014a630270 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 000000014a630400 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 000000014a6301f0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 000000014a630210 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 000000014a630200 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 000000014a630420 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 000000014a630430 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 000000014a630220 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 000000014a630280 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 000000014a630460 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 000000014a630450 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 000000014a630370 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 000000014a630470 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 000000014a6303e0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 000000014a630320 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 000000014a6303b0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 000000014a630390 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 000000014a6302e0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 000000014a6302d0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 000000014a630310 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 000000014a6303c0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 000000014a6303f0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 000000014a630230 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0xffffffffd2c1e890} .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 000000014a630480 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 000000014a6303a0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 000000014a6302f0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 000000014a630350 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 000000014a630290 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 000000014a6302b0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 000000014a6303d0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 000000014a630330 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0xffffffffd2c1e590} .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 000000014a630410 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 000000014a630240 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 000000014a6301e0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 000000014a630250 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0xffffffffd2c1e090} .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 000000014a630490 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 000000014a6304a0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 000000014a630300 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 000000014a630360 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 000000014a6302a0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 000000014a6302c0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 000000014a630380 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 000000014a630340 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 000000014a630440 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 000000014a630260 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 000000014a630270 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 000000014a630400 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 000000014a6301f0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 000000014a630210 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 000000014a630200 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 000000014a630420 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 000000014a630430 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 000000014a630220 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 000000014a630280 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 0000000077b703e0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 0000000077b70400 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Windows\system32\services.exe[608] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 0000000077b703e0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 0000000077b70400 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 0000000077b703e0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 0000000077b70400 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 0000000077b703e0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 0000000077b70400 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 0000000077b703e0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 0000000077b70400 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0xffffffff8865e890} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0xffffffff8865e590} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0xffffffff8865e090} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 0000000077b703e0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 0000000077b70400 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 0000000077b703e0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 0000000077b70400 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Windows\System32\svchost.exe[376] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 0000000077b703e0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 0000000077b70400 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Windows\system32\svchost.exe[416] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[388] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0xffffffff8865e890} .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0xffffffff8865e590} .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0xffffffff8865e090} .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\AUDIODG.EXE[1028] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 0000000077b703e0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 0000000077b70400 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 0000000077b703e0 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 0000000077b70400 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Windows\Explorer.EXE[1512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Windows\Explorer.EXE[1512] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1608] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007713a30a 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 0000000077b703e0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 0000000077b70400 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Windows\System32\spoolsv.exe[1776] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 0000000077b703e0 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 0000000077b70400 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Windows\system32\svchost.exe[1816] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 0000000077b703e0 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 0000000077b70400 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Windows\system32\taskhost.exe[1908] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000100070460 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000100070450 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000100070370 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000100070470 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 00000001000703e0 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000100070320 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 00000001000703b0 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000100070390 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 00000001000702e0 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 00000001000702d0 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000100070310 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 00000001000703c0 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 00000001000703f0 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000100070230 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0xffffffff8865e890} .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000100070480 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 00000001000703a0 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 00000001000702f0 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000100070350 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000100070290 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 00000001000702b0 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 00000001000703d0 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000100070330 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0xffffffff8865e590} .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000100070410 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000100070240 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 00000001000701e0 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000100070250 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0xffffffff8865e090} .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000100070490 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 00000001000704a0 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000100070300 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000100070360 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 00000001000702a0 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 00000001000702c0 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000100070380 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000100070340 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000100070440 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000100070260 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000100070270 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 0000000100070400 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 00000001000701f0 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000100070210 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000100070200 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000100070420 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000100070430 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000100070220 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000100070280 .text C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[2000] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 0000000077b703e0 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 0000000077b70400 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2460] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007713a30a 1 byte [62] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2460] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000770d1465 2 bytes [0D, 77] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2460] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000770d14bb 2 bytes [0D, 77] .text ... * 2 .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[2624] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007713a30a 1 byte [62] .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[2624] C:\Windows\syswow64\USER32.dll!EndPaint 0000000076b01341 5 bytes JMP 0000000102069250 .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[2624] C:\Windows\syswow64\USER32.dll!BeginPaint 0000000076b01361 5 bytes JMP 00000001020691e0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2680] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007713a30a 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779e3ae0 5 bytes JMP 00000001001f075c .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000779e7a90 5 bytes JMP 00000001001f03a4 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a11490 5 bytes JMP 00000001001f0b14 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a114f0 5 bytes JMP 00000001001f0ecc .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 00000001001f163c .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a11810 5 bytes JMP 00000001001f1284 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 00000001001f19f4 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4c6e00 5 bytes JMP 000007ff7f4e1dac .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4c6f2c 5 bytes JMP 000007ff7f4e0ecc .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4c7220 5 bytes JMP 000007ff7f4e1284 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4c739c 5 bytes JMP 000007ff7f4e163c .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4c7538 5 bytes JMP 000007ff7f4e19f4 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4c75e8 5 bytes JMP 000007ff7f4e03a4 .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4c790c 5 bytes JMP 000007ff7f4e075c .text C:\Windows\system32\SearchIndexer.exe[2816] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4c7ab4 5 bytes JMP 000007ff7f4e0b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779e3ae0 5 bytes JMP 00000001001e075c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000779e7a90 5 bytes JMP 00000001001e03a4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a11490 5 bytes JMP 00000001001e0b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a114f0 5 bytes JMP 00000001001e0ecc .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 00000001001e163c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a11810 5 bytes JMP 00000001001e1284 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 00000001001e19f4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3392] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779e3ae0 5 bytes JMP 00000001002e075c .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000779e7a90 5 bytes JMP 00000001002e03a4 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a11490 5 bytes JMP 00000001002e0b14 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a114f0 5 bytes JMP 00000001002e0ecc .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 00000001002e163c .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a11810 5 bytes JMP 00000001002e1284 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 00000001002e19f4 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779e3ae0 5 bytes JMP 000000010029075c .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000779e7a90 5 bytes JMP 00000001002903a4 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a11490 5 bytes JMP 0000000100290b14 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a114f0 5 bytes JMP 0000000100290ecc .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 000000010029163c .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a11810 5 bytes JMP 0000000100291284 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 00000001002919f4 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Windows\System32\svchost.exe[3940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779e3ae0 5 bytes JMP 000000010033075c .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000779e7a90 5 bytes JMP 00000001003303a4 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a113c0 5 bytes JMP 0000000077b70460 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a11410 5 bytes JMP 0000000077b70450 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a11490 5 bytes JMP 0000000100330b14 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a114f0 5 bytes JMP 0000000100330ecc .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a11570 5 bytes JMP 0000000077b70370 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a115c0 5 bytes JMP 0000000077b70470 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a115d0 5 bytes JMP 000000010033163c .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a11680 5 bytes JMP 0000000077b70320 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a116b0 5 bytes JMP 0000000077b703b0 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a116d0 5 bytes JMP 0000000077b70390 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a11710 5 bytes JMP 0000000077b702e0 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a11790 5 bytes JMP 0000000077b702d0 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a117b0 5 bytes JMP 0000000077b70310 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a117f0 5 bytes JMP 0000000077b703c0 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a11810 5 bytes JMP 0000000100331284 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a11840 5 bytes JMP 0000000077b703f0 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a119a0 1 byte JMP 0000000077b70230 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a11b60 5 bytes JMP 0000000077b70480 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a11b90 5 bytes JMP 0000000077b703a0 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a11c70 5 bytes JMP 0000000077b702f0 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a11c80 5 bytes JMP 0000000077b70350 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a11ce0 5 bytes JMP 0000000077b70290 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a11d70 5 bytes JMP 0000000077b702b0 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a11d90 5 bytes JMP 0000000077b703d0 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a11da0 1 byte JMP 0000000077b70330 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a11da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a11e10 5 bytes JMP 0000000077b70410 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a11e40 5 bytes JMP 0000000077b70240 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a12100 5 bytes JMP 0000000077b701e0 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a121c0 1 byte JMP 0000000077b70250 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a121f0 5 bytes JMP 0000000077b70490 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a12200 5 bytes JMP 0000000077b704a0 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a12230 5 bytes JMP 0000000077b70300 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a12240 5 bytes JMP 0000000077b70360 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a122a0 5 bytes JMP 0000000077b702a0 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a122f0 5 bytes JMP 0000000077b702c0 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a12320 5 bytes JMP 0000000077b70380 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a12330 5 bytes JMP 0000000077b70340 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a12620 5 bytes JMP 0000000077b70440 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a12820 5 bytes JMP 0000000077b70260 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a12830 5 bytes JMP 0000000077b70270 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a12840 5 bytes JMP 00000001003319f4 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a12a00 5 bytes JMP 0000000077b701f0 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a12a10 5 bytes JMP 0000000077b70210 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a12a80 5 bytes JMP 0000000077b70200 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a12ae0 5 bytes JMP 0000000077b70420 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a12af0 5 bytes JMP 0000000077b70430 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a12b00 5 bytes JMP 0000000077b70220 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a12be0 5 bytes JMP 0000000077b70280 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000778feecd 1 byte [62] .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4c6e00 5 bytes JMP 000007ff7f4e1dac .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4c6f2c 5 bytes JMP 000007ff7f4e0ecc .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4c7220 5 bytes JMP 000007ff7f4e1284 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4c739c 5 bytes JMP 000007ff7f4e163c .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4c7538 5 bytes JMP 000007ff7f4e19f4 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4c75e8 5 bytes JMP 000007ff7f4e03a4 .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4c790c 5 bytes JMP 000007ff7f4e075c .text C:\Windows\System32\svchost.exe[2144] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4c7ab4 5 bytes JMP 000007ff7f4e0b14 .text C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077bbfaa0 5 bytes JMP 00000001002d0600 .text C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077bbfb38 5 bytes JMP 00000001002d0804 .text C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bbfc90 5 bytes JMP 00000001002d0c0c .text C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077bc0018 5 bytes JMP 00000001002d0a08 .text C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077bc1900 5 bytes JMP 00000001002d0e10 .text C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[3284] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077bdc45a 5 bytes JMP 00000001002d01f8 .text C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[3284] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077be1217 5 bytes JMP 00000001002d03fc .text C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[3284] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007713a30a 1 byte [62] .text C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[3284] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077465181 5 bytes JMP 00000001002e1014 .text C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[3284] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077465254 5 bytes JMP 00000001002e0804 .text C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[3284] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000774653d5 5 bytes JMP 00000001002e0a08 .text C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[3284] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000774654c2 5 bytes JMP 00000001002e0c0c .text C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[3284] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000774655e2 5 bytes JMP 00000001002e0e10 .text C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[3284] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007746567c 5 bytes JMP 00000001002e01f8 .text C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[3284] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007746589f 5 bytes JMP 00000001002e03fc .text C:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[3284] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077465a22 5 bytes JMP 00000001002e0600 .text C:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.171\deploy\LoLLauncher.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077bbfaa0 5 bytes JMP 0000000100030600 .text C:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.171\deploy\LoLLauncher.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077bbfb38 5 bytes JMP 0000000100030804 .text C:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.171\deploy\LoLLauncher.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bbfc90 5 bytes JMP 0000000100030c0c .text C:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.171\deploy\LoLLauncher.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077bc0018 5 bytes JMP 0000000100030a08 .text C:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.171\deploy\LoLLauncher.exe[4408] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077bc1900 5 bytes JMP 0000000100030e10 .text C:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.171\deploy\LoLLauncher.exe[4408] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077bdc45a 5 bytes JMP 00000001000301f8 .text C:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.171\deploy\LoLLauncher.exe[4408] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077be1217 5 bytes JMP 00000001000303fc .text C:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.171\deploy\LoLLauncher.exe[4408] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007713a30a 1 byte [62] .text C:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.171\deploy\LoLLauncher.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000770d1465 2 bytes [0D, 77] .text C:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.171\deploy\LoLLauncher.exe[4408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770d14bb 2 bytes [0D, 77] .text ... * 2 .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077bbfaa0 5 bytes JMP 0000000100030600 .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077bbfb38 5 bytes JMP 0000000100030804 .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bbfc90 5 bytes JMP 0000000100030c0c .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077bc0018 5 bytes JMP 0000000100030a08 .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077bc1900 5 bytes JMP 0000000100030e10 .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077bdc45a 5 bytes JMP 00000001000301f8 .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077be1217 5 bytes JMP 00000001000303fc .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007713a30a 1 byte [62] .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076afee09 5 bytes JMP 00000001000a01f8 .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076b03982 5 bytes JMP 00000001000a03fc .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b07603 5 bytes JMP 00000001000a0804 .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b0835c 5 bytes JMP 00000001000a0600 .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076b1f52b 5 bytes JMP 00000001000a0a08 .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077465181 5 bytes JMP 00000001000b1014 .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077465254 5 bytes JMP 00000001000b0804 .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000774653d5 5 bytes JMP 00000001000b0a08 .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000774654c2 5 bytes JMP 00000001000b0c0c .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000774655e2 5 bytes JMP 00000001000b0e10 .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007746567c 5 bytes JMP 00000001000b01f8 .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007746589f 5 bytes JMP 00000001000b03fc .text C:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe[5084] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077465a22 5 bytes JMP 00000001000b0600 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077bbfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077bbfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bbfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077bc0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077bc1900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077bdc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077be1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007713a30a 1 byte [62] .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076afee09 5 bytes JMP 00000001001e01f8 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076b03982 5 bytes JMP 00000001001e03fc .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b07603 5 bytes JMP 00000001001e0804 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b0835c 5 bytes JMP 00000001001e0600 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076b1f52b 5 bytes JMP 00000001001e0a08 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077465181 5 bytes JMP 00000001001f1014 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077465254 5 bytes JMP 00000001001f0804 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000774653d5 5 bytes JMP 00000001001f0a08 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000774654c2 5 bytes JMP 00000001001f0c0c .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000774655e2 5 bytes JMP 00000001001f0e10 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007746567c 5 bytes JMP 00000001001f01f8 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007746589f 5 bytes JMP 00000001001f03fc .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077465a22 5 bytes JMP 00000001001f0600 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000770d1465 2 bytes [0D, 77] .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770d14bb 2 bytes [0D, 77] .text ... * 2 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077bbfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077bbfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bbfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077bc0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077bc1900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077bdc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077be1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\syswow64\KERNEL32.dll!SetUnhandledExceptionFilter 00000000771187b1 5 bytes [33, C0, C2, 04, 00] .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007713a30a 1 byte [62] .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077465181 5 bytes JMP 0000000100121014 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077465254 5 bytes JMP 0000000100120804 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000774653d5 5 bytes JMP 0000000100120a08 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000774654c2 5 bytes JMP 0000000100120c0c .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000774655e2 5 bytes JMP 0000000100120e10 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007746567c 5 bytes JMP 00000001001201f8 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007746589f 5 bytes JMP 00000001001203fc .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077465a22 5 bytes JMP 0000000100120600 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076afee09 5 bytes JMP 00000001001701f8 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076b03982 5 bytes JMP 00000001001703fc .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b07603 5 bytes JMP 0000000100170804 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b0835c 5 bytes JMP 0000000100170600 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[2352] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076b1f52b 5 bytes JMP 0000000100170a08 .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077bbfaa0 5 bytes JMP 0000000100030600 .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077bbfb38 5 bytes JMP 0000000100030804 .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bbfc90 5 bytes JMP 0000000100030c0c .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077bc0018 5 bytes JMP 0000000100030a08 .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077bc1900 5 bytes JMP 0000000100030e10 .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077bdc45a 5 bytes JMP 00000001000301f8 .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077be1217 5 bytes JMP 00000001000303fc .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007713a30a 1 byte [62] .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077465181 5 bytes JMP 0000000100241014 .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077465254 5 bytes JMP 0000000100240804 .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000774653d5 5 bytes JMP 0000000100240a08 .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000774654c2 5 bytes JMP 0000000100240c0c .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000774655e2 5 bytes JMP 0000000100240e10 .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007746567c 5 bytes JMP 00000001002401f8 .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007746589f 5 bytes JMP 00000001002403fc .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077465a22 5 bytes JMP 0000000100240600 .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076afee09 5 bytes JMP 00000001002501f8 .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076b03982 5 bytes JMP 00000001002503fc .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b07603 5 bytes JMP 0000000100250804 .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b0835c 5 bytes JMP 0000000100250600 .text C:\Users\AdMiN\Downloads\xz0537l3.exe[5288] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076b1f52b 5 bytes JMP 0000000100250a08 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [1012:392] 000007fefc37f2f4 Thread C:\Windows\System32\svchost.exe [1012:1040] 000007fefc326204 Thread C:\Windows\System32\svchost.exe [1012:1260] 000007fefaf32070 Thread C:\Windows\System32\svchost.exe [1012:1276] 000007fefae35440 Thread C:\Windows\System32\svchost.exe [1012:3720] 000007fefb735fd0 Thread C:\Windows\System32\svchost.exe [1012:3980] 000007fefe27c608 Thread C:\Windows\System32\svchost.exe [1012:4680] 000007fef4d06b8c Thread C:\Windows\System32\svchost.exe [1012:4668] 000007fef4d01d88 Thread C:\Windows\System32\svchost.exe [376:1160] 000007fefaf9331c Thread C:\Windows\System32\svchost.exe [376:1188] 000007fefaf531f4 Thread C:\Windows\System32\svchost.exe [376:1352] 000007fefaa059a0 Thread C:\Windows\System32\svchost.exe [376:2376] 000007fef48014a0 Thread C:\Windows\System32\svchost.exe [376:4380] 000007fef64c44e0 Thread C:\Windows\System32\svchost.exe [376:4872] 000007fef1368a4c Thread C:\Windows\System32\svchost.exe [376:4916] 000007fef1323efc Thread C:\Windows\System32\svchost.exe [376:4708] 000007fef68988f8 Thread C:\Windows\system32\svchost.exe [416:3672] 000007fef170d3c8 Thread C:\Windows\system32\svchost.exe [416:3252] 000007fef170d3c8 Thread C:\Windows\system32\svchost.exe [416:3812] 000007fef170d3c8 Thread C:\Windows\system32\svchost.exe [416:3640] 000007fef170d3c8 Thread C:\Windows\system32\svchost.exe [388:5380] 000007fef4011ab0 Thread C:\Windows\system32\svchost.exe [1268:1308] 000007fefadf341c Thread C:\Windows\system32\svchost.exe [1268:1316] 000007fefadf3a2c Thread C:\Windows\system32\svchost.exe [1268:1320] 000007fefadf3768 Thread C:\Windows\system32\svchost.exe [1268:1324] 000007fefadf5c20 Thread C:\Windows\system32\svchost.exe [1268:1672] 000007fef68dbec4 Thread C:\Windows\system32\svchost.exe [1268:3936] 000007fef86f5170 Thread C:\Windows\system32\svchost.exe [1268:3400] 000007fef66f5124 Thread C:\Windows\system32\svchost.exe [1268:4476] 000007fefadf3900 Thread C:\Windows\System32\spoolsv.exe [1776:4876] 000007feef5810c8 Thread C:\Windows\System32\spoolsv.exe [1776:4880] 000007feef546144 Thread C:\Windows\System32\spoolsv.exe [1776:4884] 000007fefb735fd0 Thread C:\Windows\System32\spoolsv.exe [1776:4888] 000007feef523438 Thread C:\Windows\System32\spoolsv.exe [1776:4892] 000007fefb7363ec Thread C:\Windows\System32\spoolsv.exe [1776:4900] 000007fef14c5e5c Thread C:\Windows\System32\spoolsv.exe [1776:4904] 000007feef5b5074 Thread C:\Windows\system32\svchost.exe [1816:2032] 000007fef95835c0 Thread C:\Windows\system32\svchost.exe [1816:1640] 000007fef9585600 Thread C:\Windows\system32\svchost.exe [1816:2292] 000007fef3df2888 Thread C:\Windows\system32\svchost.exe [1816:564] 000007fef3de2940 Thread C:\Windows\system32\svchost.exe [1816:4260] 000007fef3df2a40 Thread C:\Windows\system32\taskhost.exe [1908:1936] 000007fef9642740 Thread C:\Windows\system32\taskhost.exe [1908:1956] 000007fef9631f38 Thread C:\Windows\system32\taskhost.exe [1908:2428] 000007fef4d21010 Thread C:\Windows\system32\taskhost.exe [1908:3860] 000007fef86f5170 Thread C:\Windows\system32\SearchIndexer.exe [2816:3616] 000007fef86f5170 Thread C:\Windows\system32\SearchIndexer.exe [2816:3900] 000007fef38469ac Thread C:\Windows\system32\SearchIndexer.exe [2816:3888] 000007fef3433dac Thread C:\Windows\system32\SearchIndexer.exe [2816:3884] 000007fef3431710 Thread C:\Windows\system32\SearchIndexer.exe [2816:3824] 000007fef345b278 Thread C:\Windows\system32\SearchIndexer.exe [2816:3384] 000007fef345c4dc Thread C:\Windows\system32\SearchIndexer.exe [2816:3656] 000007fef38469ac Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3392:3948] 000007feff270168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3392:2368] 000007fefbc32a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3392:3800] 000007feefaad618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3392:4324] 000007fef66f5124 Thread C:\Windows\system32\svchost.exe [3236:3532] 000007fef2138470 Thread C:\Windows\system32\svchost.exe [3236:2196] 000007fef2142418 Thread C:\Windows\system32\svchost.exe [3236:3652] 000007fefb735fd0 Thread C:\Windows\system32\svchost.exe [3236:3644] 000007fefb7363ec Thread C:\Windows\system32\svchost.exe [3236:4296] 000007feef8ef130 Thread C:\Windows\system32\svchost.exe [3236:4320] 000007feef8e4734 Thread C:\Windows\system32\svchost.exe [3236:1480] 000007feef8e4734 Thread C:\Windows\System32\svchost.exe [3940:4340] 000007fef86f5170 Thread C:\Windows\System32\svchost.exe [3940:6088] 000007fef66f9874 Thread C:\Windows\System32\svchost.exe [2144:4268] 000007fef17c9688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Description avast! keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Tag 7 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 104 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 1082314 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Description avast! keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Tag 7 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 104 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 1082314 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. ---- EOF - GMER 2.1 ----

Kod: Zaznacz wszystko: OTL Extras logfile created on: 2013-06-29 14:34:49 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\AdMiN\Downloads 64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.10.9200.16614) Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd 4,00 Gb Total Physical Memory | 1,39 Gb Available Physical Memory | 34,74% Memory free 8,00 Gb Paging File | 4,67 Gb Available in Paging File | 58,38% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 195,21 Gb Total Space | 112,41 Gb Free Space | 57,58% Space Free | Partition Type: NTFS Drive D: | 244,14 Gb Total Space | 243,72 Gb Free Space | 99,83% Space Free | Partition Type: NTFS Drive E: | 244,14 Gb Total Space | 243,74 Gb Free Space | 99,84% Space Free | Partition Type: NTFS Drive F: | 247,92 Gb Total Space | 247,51 Gb Free Space | 99,84% Space Free | Partition Type: NTFS Computer Name: ADMIN-KOMPUTER | User Name: AdMiN | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days [color=#E56717]========== Extra Registry (SafeList) ==========[/color] [color=#E56717]========== File Associations ==========[/color] [b]64bit:[/b] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .html [@ = Opera.HTML] -- "C:\Program Files (x86)\Opera\Opera.exe" "%1" .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation) .html [@ = Opera.HTML] -- "C:\Program Files (x86)\Opera\Opera.exe" "%1" [HKEY_USERS\S-1-5-21-3801769967-3764758835-2792484388-1000\SOFTWARE\Classes\<extension>] .html [@ = ChromeHTML.VMP3QPFVFOEAQAFGBQ6KLB4NSE] -- Reg Error: Key error. File not found [color=#E56717]========== Shell Spawning ==========[/color] [b]64bit:[/b] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. htmlfile [edit] -- Reg Error: Key error. htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) htmlfile [print] -- "%systemroot%\system32\rundll32.exe" "%systemroot%\system32\mshtml.dll",PrintHTML "%1" http [open] -- "C:\Program Files (x86)\Opera\Opera.exe" "%1" https [open] -- "C:\Program Files (x86)\Opera\Opera.exe" "%1" inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation) InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. htmlfile [edit] -- Reg Error: Key error. htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) htmlfile [print] -- "%systemroot%\system32\rundll32.exe" "%systemroot%\system32\mshtml.dll",PrintHTML "%1" http [open] -- "C:\Program Files (x86)\Opera\Opera.exe" "%1" https [open] -- "C:\Program Files (x86)\Opera\Opera.exe" "%1" inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation) CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Value error. [color=#E56717]========== Security Center Settings ==========[/color] [b]64bit:[/b] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [b]64bit:[/b] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [b]64bit:[/b] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 [b]64bit:[/b] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] [color=#E56717]========== Firewall Settings ==========[/color] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [color=#E56717]========== Authorized Applications List ==========[/color] [color=#E56717]========== Vista Active Open Ports Exception List ==========[/color] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{0D84DDD7-D19F-4050-9050-56152611E00B}" = lport=57247 | protocol=17 | dir=in | name=pando media booster | "{0FB4CC84-1215-42FF-84DB-C92037003A5E}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | "{268F189F-9C4A-4DBB-BB47-9F34651757FC}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{41E2D697-D91F-4BE5-80D1-AD0924869E6C}" = rport=138 | protocol=17 | dir=out | app=system | "{42E38980-C7CE-427E-BADB-3A5E77DE4A0A}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | "{46C7F155-CA6D-43B9-8483-FC1FCBE1403B}" = lport=57247 | protocol=6 | dir=in | name=pando media booster | "{4BCA1C50-6198-4A8C-9E18-C97C51C431CF}" = lport=445 | protocol=6 | dir=in | app=system | "{4BEFC85B-6B10-46B8-9966-F059EB1FF4EC}" = lport=57247 | protocol=6 | dir=in | name=pando media booster | "{626C3564-BCB0-4A27-A876-B8003BE5F45F}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{6307AA13-6B36-4E1C-8D58-CCA310CD6635}" = lport=10243 | protocol=6 | dir=in | app=system | "{637D787D-B938-4692-91D5-AD0B209FFFC2}" = lport=57247 | protocol=17 | dir=in | name=pando media booster | "{7502E3EC-A9EE-47EF-9F10-9B9EE6156206}" = rport=139 | protocol=6 | dir=out | app=system | "{7DE69877-6982-47CC-BC7C-82BC51A34143}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{9ACB624B-6A78-4AB9-9D14-38140B2878B9}" = rport=137 | protocol=17 | dir=out | app=system | "{9EBC2419-1F20-4A1F-9D89-A1D387B2D497}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | "{9FA548C4-4E70-4C79-87AA-E719EB2F886E}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | "{A25D7097-64EC-4758-930A-81C652F5A883}" = lport=139 | protocol=6 | dir=in | app=system | "{B420D9A3-E2B5-4E1C-A2A5-1D7B8A6E442B}" = rport=445 | protocol=6 | dir=out | app=system | "{C1A48772-BF0D-475D-8F05-059CBA07B338}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | "{D10B71F9-4D88-4375-B0F2-3AE715CCD1E2}" = lport=138 | protocol=17 | dir=in | app=system | "{D594288A-397B-4107-B722-997B0399A08E}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{D8C40D72-92EE-4A79-9762-3BF9114070C8}" = lport=2869 | protocol=6 | dir=in | app=system | "{DF5D5788-F57D-4FB2-B280-F06F00D459F0}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | "{E2CBB68F-5268-40AE-9C88-0F08E5C80CDE}" = rport=10243 | protocol=6 | dir=out | app=system | "{E48945AE-3CD0-42E0-B982-1745378A1144}" = lport=137 | protocol=17 | dir=in | app=system | [color=#E56717]========== Vista Active Application Exception List ==========[/color] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{0184ABA9-F483-49C6-8CCF-68021369775C}" = protocol=17 | dir=in | app=c:\windows\system32\dmwu.exe | "{0331CC30-704D-4BBA-BC5D-3066B5DB1D55}" = protocol=17 | dir=in | app=c:\program files (x86)\opera\opera.exe | "{0B93393D-BA77-46F7-A9C3-1E6E177DDFD6}" = protocol=6 | dir=in | app=c:\program files (x86)\battlelog web plugins\sonar\0.70.4\sonarhost.exe | "{0ED705A9-5F9F-4A66-BFAB-FA605F33C9F4}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | "{12528BC2-A429-4951-AFCC-AFEE1E56A9BB}" = protocol=17 | dir=in | app=c:\windows\system32\dmwu.exe | "{182DEF03-969B-4784-905C-1AE4BF7DEA7A}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstra.exe | "{1F70B39E-303C-467C-89C1-E3D89EE602FC}" = protocol=17 | dir=in | app=c:\windows\system32\arfc\wrtc.exe | "{27C0F8F2-7D54-4EE2-90BC-7362DE2DFBBD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{31195481-BCDB-45BD-B594-99C3797CCC30}" = protocol=6 | dir=in | app=c:\users\admin\downloads\sweetimsetup.exe | "{33F39748-4DD1-4C87-A4FE-34B8474440F5}" = protocol=6 | dir=in | app=c:\program files (x86)\origin games\battlefield 3\bf3.exe | "{35F14653-0A36-4DA8-A7EF-684AEA89C5C5}" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe | "{3BD3F379-501F-4195-B47B-4001AE973C81}" = protocol=6 | dir=in | app=c:\program files (x86)\opera\opera.exe | "{3C0D3267-F3AE-419B-8653-F4321347821C}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | "{4C18DD58-E7E0-4607-9759-3FE4ACF3891C}" = protocol=6 | dir=in | app=c:\windows\system32\arfc\wrtc.exe | "{5244C161-7A6A-4E92-9BC7-1CEAD9448280}" = protocol=17 | dir=in | app=c:\windows\system32\arfc\wrtc.exe | "{5708C5E0-5A2E-4622-A76F-2672DCB19CF2}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "{574D59F5-D174-44F1-999B-E739DF657F59}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{63F1B3A1-0238-43B4-AC99-35465C58614F}" = protocol=17 | dir=in | app=c:\users\admin\downloads\sweetimsetup.exe | "{644F6D34-F4B5-4388-9B62-ED109E6BF009}" = protocol=58 | dir=out | name=@iphlpsvc.dll,-503 | "{677A5F32-E6F5-4FFD-B255-FAAC97443656}" = protocol=6 | dir=in | app=c:\windows\syswow64\arfc\wrtc.exe | "{6B71EB1A-3C23-497E-A6D3-48186F76BD30}" = protocol=6 | dir=in | app=c:\windows\system32\dmwu.exe | "{797A6B1F-579E-4204-B856-BDEC1E0A3AE8}" = protocol=17 | dir=in | app=c:\windows\syswow64\arfc\wrtc.exe | "{79C6A852-4EC8-42AD-B118-30512034C545}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{812D1DD8-7BBC-4AC9-8460-1392A3818F49}" = protocol=6 | dir=in | app=c:\windows\system32\arfc\wrtc.exe | "{88733165-B84C-4473-AA96-50866E54BCC5}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstrb.exe | "{88A2A191-4223-44A4-8AE7-D362FE94CF8D}" = protocol=58 | dir=in | app=system | "{90AAE940-1A13-442D-8606-DB313595FFB5}" = protocol=17 | dir=in | app=c:\program files (x86)\origin games\battlefield 3\bf3.exe | "{986D4797-93D2-443E-B2A4-25BDF3059D75}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | "{A128B385-055C-4135-953B-8A0206532381}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | "{A597F31D-F1EA-409B-B662-F28868D6822B}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe | "{A5E8E9DF-DD0F-4A61-BA07-ADE7D785BFE2}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | "{AF606BD4-C9E6-4FD8-9C5C-4B2CAA296C9B}" = protocol=17 | dir=in | app=c:\windows\syswow64\arfc\wrtc.exe | "{B24D7767-6B84-49DA-A64D-43EB83CAD54B}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | "{B6646FDD-5B95-4EE8-B37D-9337121E2160}" = dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe | "{BA5ECBB5-2902-4BA1-964D-E479E47AB79D}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe | "{BAD920F5-FB1B-4862-9C91-550279348440}" = protocol=6 | dir=out | app=system | "{BDDB2284-8C3B-4293-829F-858C8FDEA48A}" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe | "{C418411B-E0D3-46FA-A523-1888A8DBBC6E}" = protocol=6 | dir=in | app=c:\windows\syswow64\arfc\wrtc.exe | "{C9F89FF5-16C1-4FC6-9A73-DF8513B4ED9B}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "{CDCA1860-A269-4EED-9F06-1AC461600D69}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{D05194A5-1C9C-4F4C-9A7F-188895855C1B}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{D2FA07BE-CE38-4A86-BFC3-73D75B9EFBB7}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | "{D4582E96-9A45-4A3B-A3FE-BDBCD255A6F7}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{D654E2A8-E915-4131-B759-93A3C727ECCA}" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe | "{DB245ED0-A457-456A-BA56-695F27D8CA7C}" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe | "{E582835E-12D7-40E3-8F2C-424E0D0A8697}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{E5DC87FD-65C8-4165-A3DA-D393767CC66C}" = protocol=17 | dir=in | app=c:\program files (x86)\battlelog web plugins\sonar\0.70.4\sonarhost.exe | "{EE2A0615-EA19-4031-B117-9404085BD144}" = protocol=6 | dir=in | app=c:\windows\system32\dmwu.exe | "{F143128D-8AA0-4AE1-B201-47420A0B8C7E}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "{F5DE3984-ACFD-48FF-8676-7AE0A28A2A5C}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstrb.exe | "{F968C0CD-0B84-44DB-AED5-406343D9F148}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstra.exe | "TCP Query User{0A860122-0627-4D7D-8F6A-CECBABC021AC}C:\windows\syswow64\javaw.exe" = protocol=6 | dir=in | app=c:\windows\syswow64\javaw.exe | "TCP Query User{39590664-0E78-4289-8EDF-6A8FCFE3FBFA}C:\programdata\electronic arts\need for speed world\data\nfsw.exe" = protocol=6 | dir=in | app=c:\programdata\electronic arts\need for speed world\data\nfsw.exe | "TCP Query User{3CA32767-A851-4E1B-8507-65B2E58D0EBA}C:\program files (x86)\java\jre6\bin\java.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre6\bin\java.exe | "TCP Query User{4774F53D-D49F-4C60-95EA-1CB4ADAD43C5}C:\program files (x86)\metin2\metin2.exe" = protocol=6 | dir=in | app=c:\program files (x86)\metin2\metin2.exe | "TCP Query User{4CC81BE4-6CD6-4CA8-866A-BD5EB8C521AA}C:\program files (x86)\ubisoft\gearbox software\brothersinarms\system\bia.exe" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\gearbox software\brothersinarms\system\bia.exe | "TCP Query User{77822528-9E92-46E8-99C9-E99417E3F119}C:\program files (x86)\gadu-gadu 10\gg.exe" = protocol=6 | dir=in | app=c:\program files (x86)\gadu-gadu 10\gg.exe | "TCP Query User{88D3C022-A77E-4251-9F8B-93DAB1A8C7E9}C:\windows\syswow64\javaw.exe" = protocol=6 | dir=in | app=c:\windows\syswow64\javaw.exe | "TCP Query User{BD401CEF-E38B-4492-9407-7E929F706D3F}C:\games\world_of_tanks\worldoftanks.exe" = protocol=6 | dir=in | app=c:\games\world_of_tanks\worldoftanks.exe | "TCP Query User{C06F5A1C-1AC6-4732-8BD7-37261C31969A}C:\games\world_of_tanks\wotlauncher.exe" = protocol=6 | dir=in | app=c:\games\world_of_tanks\wotlauncher.exe | "TCP Query User{CD75A531-DDBB-44E3-B0AC-D92CEB212E1A}C:\program files (x86)\namco bandai games\warhammer® mark of chaos\warhammer.exe" = protocol=6 | dir=in | app=c:\program files (x86)\namco bandai games\warhammer® mark of chaos\warhammer.exe | "TCP Query User{D3751609-AE2F-4889-A039-72F92E59125F}C:\program files (x86)\java\jre6\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre6\bin\javaw.exe | "TCP Query User{E1437518-BC61-4F66-B36A-28B3025FC075}C:\program files (x86)\gadu-gadu 10\gg.exe" = protocol=6 | dir=in | app=c:\program files (x86)\gadu-gadu 10\gg.exe | "UDP Query User{21231641-B7FD-49C5-BCAF-9A842AC3400A}C:\programdata\electronic arts\need for speed world\data\nfsw.exe" = protocol=17 | dir=in | app=c:\programdata\electronic arts\need for speed world\data\nfsw.exe | "UDP Query User{2FAF7B6C-2419-4F3A-BF8A-74CF9274879E}C:\program files (x86)\gadu-gadu 10\gg.exe" = protocol=17 | dir=in | app=c:\program files (x86)\gadu-gadu 10\gg.exe | "UDP Query User{3C2C5952-3935-4C38-9875-9566F68B5CED}C:\program files (x86)\java\jre6\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre6\bin\javaw.exe | "UDP Query User{44C17905-F601-4D31-8CE6-7ACF4D8D39C6}C:\program files (x86)\gadu-gadu 10\gg.exe" = protocol=17 | dir=in | app=c:\program files (x86)\gadu-gadu 10\gg.exe | "UDP Query User{4F49BB02-1D75-4B6A-A5A6-7EFB139B2DD8}C:\program files (x86)\metin2\metin2.exe" = protocol=17 | dir=in | app=c:\program files (x86)\metin2\metin2.exe | "UDP Query User{56B70A7F-E8AC-4E5C-A18A-AC2950AFF34C}C:\games\world_of_tanks\worldoftanks.exe" = protocol=17 | dir=in | app=c:\games\world_of_tanks\worldoftanks.exe | "UDP Query User{57C28FF1-648C-451B-B96E-7DA3D81928BF}C:\games\world_of_tanks\wotlauncher.exe" = protocol=17 | dir=in | app=c:\games\world_of_tanks\wotlauncher.exe | "UDP Query User{79B1D3A1-BB1E-4E62-A35C-07D1434D18DC}C:\windows\syswow64\javaw.exe" = protocol=17 | dir=in | app=c:\windows\syswow64\javaw.exe | "UDP Query User{8AC8ABF5-412B-44A8-9155-AA6BCD39331D}C:\program files (x86)\ubisoft\gearbox software\brothersinarms\system\bia.exe" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\gearbox software\brothersinarms\system\bia.exe | "UDP Query User{A780E3E0-60DF-4913-BE7D-B11A0F985A3E}C:\program files (x86)\java\jre6\bin\java.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre6\bin\java.exe | "UDP Query User{AA1EFF5E-6BCB-49D1-894B-988388713DFF}C:\program files (x86)\namco bandai games\warhammer® mark of chaos\warhammer.exe" = protocol=17 | dir=in | app=c:\program files (x86)\namco bandai games\warhammer® mark of chaos\warhammer.exe | "UDP Query User{B052A4AC-5C41-47CD-BB2E-0967A43EB5F0}C:\windows\syswow64\javaw.exe" = protocol=17 | dir=in | app=c:\windows\syswow64\javaw.exe | [color=#E56717]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color] 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{23170F69-40C1-2702-0920-000001000000}" = 7-Zip 9.20 (x64 edition) "{44E3AB6B-453B-8DAE-9777-1C48F5AB8965}" = AMD Catalyst Install Manager "{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime "{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 "{F809FFB5-6F9B-AFDE-6048-5D9E95A85505}" = AMD Drag and Drop Transcoding [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{1EAC1D02-C6AC-4FA6-9A44-96258C37C812}_is1" = World of Tanks "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform "{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1" = Media Player Classic - Home Cinema v1.5.2.3456 "{26A24AE4-039D-4CA4-87B4-2F83216029FF}" = Java(TM) 6 Update 29 "{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF017}" = Smite "{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF1FC}" = Hi-Rez Studios Authenticate and Update Service "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM "{64CB2553-C109-4132-AA51-1F421B515FD1}" = Microsoft .NET Framework 1.1 Polish Language Pack "{76285C16-411A-488A-BCE3-C83CB933D8CF}" = Battlefield 3™ "{7A2A107B-9695-423F-9462-8F17C178BD35}" = TP-LINK Wireless Client Utility "{7B2CC3DF-64FA-44AE-8F57-B0F915147E4F}_is1" = Need For Speed™ World "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable "{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver For Windows 7 "{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends "{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AC76BA86-7AD7-1045-7B44-AA1000000001}" = Adobe Reader X (10.1.7) - Polish "{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.8 "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "Adobe Shockwave Player" = Adobe Shockwave Player 11.6 "AIMP3" = AIMP3 "Ashampoo Burning Studio 2010_is1" = Ashampoo Burning Studio 2010 "AV Voice Changer Software DIAMOND 7.0" = AV Voice Changer Software DIAMOND 7.0 "avast" = avast! Free Antivirus "Battlelog Web Plugins" = Battlelog Web Plugins "Fraps" = Fraps "Gadu-Gadu 10" = Gadu-Gadu 10 "InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platforma Menedżera urządzeń "KLiteCodecPack_is1" = K-Lite Codec Pack 7.8.4 (Full) "KYE" = ErgoMedia "Mozilla Firefox 21.0 (x86 pl)" = Mozilla Firefox 21.0 (x86 pl) "MozillaMaintenanceService" = Mozilla Maintenance Service "Odkurzacz 13.3_is1" = Odkurzacz "Origin" = Origin "QuicktimeAlt_is1" = QuickTime Alternative 3.2.2 "RealAlt_is1" = Real Alternative 2.0.2 "SpeedFan" = SpeedFan (remove only) "TeamSpeak 3 Client" = TeamSpeak 3 Client "WinGimp-2.0_is1" = GIMP 2.6.11 "WinRAR archiver" = WinRAR 4.01 (32-bitowy) "WinZipper" = WinZipper [color=#E56717]========== HKEY_USERS Uninstall List ==========[/color] [HKEY_USERS\S-1-5-21-3801769967-3764758835-2792484388-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "FLV Player" = FLV Player "Google Chrome" = Google Chrome "UnityWebPlayer" = Unity Web Player [color=#E56717]========== Last 20 Event Log Errors ==========[/color] [ Application Events ] Error - 2013-05-18 05:41:25 | Computer Name = AdMiN-Komputer | Source = Application Hang | ID = 1002 Description = Program League of Legends.exe w wersji 3.7.0.328 zatrzymał interakcję z systemem Windows i został zamknięty. Aby zobaczyć, czy jest dostępnych więcej informacji dotyczących tego problemu, sprawdź historię problemu w panelu sterowania Centrum akcji. Identyfikator procesu: 1738 Godzina rozpoczęcia: 01ce53abb2152d27 Godzina zakończenia: 4 Ścieżka aplikacji: C:\Riot Games\League of Legends\RADS\solutions\lol_game_client_sln\releases\0.0.0.232\deploy\League of Legends.exe Identyfikator raportu: Error - 2013-05-18 05:47:04 | Computer Name = AdMiN-Komputer | Source = Application Hang | ID = 1002 Description = Program League of Legends.exe w wersji 3.7.0.328 zatrzymał interakcję z systemem Windows i został zamknięty. Aby zobaczyć, czy jest dostępnych więcej informacji dotyczących tego problemu, sprawdź historię problemu w panelu sterowania Centrum akcji. Identyfikator procesu: 1548 Godzina rozpoczęcia: 01ce53ac99c60e71 Godzina zakończenia: 7 Ścieżka aplikacji: C:\Riot Games\League of Legends\RADS\solutions\lol_game_client_sln\releases\0.0.0.232\deploy\League of Legends.exe Identyfikator raportu: Error - 2013-05-19 11:53:40 | Computer Name = AdMiN-Komputer | Source = Application Hang | ID = 1002 Description = Program League of Legends.exe w wersji 3.7.0.328 zatrzymał interakcję z systemem Windows i został zamknięty. Aby zobaczyć, czy jest dostępnych więcej informacji dotyczących tego problemu, sprawdź historię problemu w panelu sterowania Centrum akcji. Identyfikator procesu: 930 Godzina rozpoczęcia: 01ce54a8c8fe949f Godzina zakończenia: 5 Ścieżka aplikacji: C:\Riot Games\League of Legends\RADS\solutions\lol_game_client_sln\releases\0.0.0.232\deploy\League of Legends.exe Identyfikator raportu: Error - 2013-05-22 14:48:26 | Computer Name = AdMiN-Komputer | Source = Application Error | ID = 1000 Description = Nazwa aplikacji powodującej błąd: Skype.exe, wersja: 5.8.0.158, sygnatura czasowa: 0x4f4de709 Nazwa modułu powodującego błąd: Flash32_11_7_700_202.ocx, wersja: 11.7.700.202, sygnatura czasowa: 0x51801f91 Kod wyjątku: 0xc0000005 Przesunięcie błędu: 0x001fbe69 Identyfikator procesu powodującego błąd: 0x474 Godzina uruchomienia aplikacji powodującej błąd: 0x01ce57103cb8bcda Ścieżka aplikacji powodującej błąd: C:\Program Files (x86)\Skype\Phone\Skype.exe Ścieżka modułu powodującego błąd: C:\Windows\SysWOW64\Macromed\Flash\Flash32_11_7_700_202.ocx Identyfikator raportu: 2f06723b-c310-11e2-a647-002522a10757 Error - 2013-05-23 15:35:44 | Computer Name = AdMiN-Komputer | Source = Application Error | ID = 1000 Description = Nazwa aplikacji powodującej błąd: firefox.exe, wersja: 20.0.1.4847, sygnatura czasowa: 0x51650aee Nazwa modułu powodującego błąd: xul.dll, wersja: 20.0.1.4847, sygnatura czasowa: 0x51650a09 Kod wyjątku: 0xc0000005 Przesunięcie błędu: 0x000b10e8 Identyfikator procesu powodującego błąd: 0x12e8 Godzina uruchomienia aplikacji powodującej błąd: 0x01ce57c5a694756c Ścieżka aplikacji powodującej błąd: C:\Program Files (x86)\Mozilla Firefox\firefox.exe Ścieżka modułu powodującego błąd: C:\Program Files (x86)\Mozilla Firefox\xul.dll Identyfikator raportu: f55a75e3-c3df-11e2-8468-002522a10757 Error - 2013-05-24 17:39:20 | Computer Name = AdMiN-Komputer | Source = Application Error | ID = 1000 Description = Nazwa aplikacji powodującej błąd: League of Legends.exe, wersja: 3.7.0.328, sygnatura czasowa: 0x5191aad8 Nazwa modułu powodującego błąd: ntdll.dll, wersja: 6.1.7601.17725, sygnatura czasowa: 0x4ec49b8f Kod wyjątku: 0xc0000005 Przesunięcie błędu: 0x0004ff2b Identyfikator procesu powodującego błąd: 0x538 Godzina uruchomienia aplikacji powodującej błąd: 0x01ce58c7247b063a Ścieżka aplikacji powodującej błąd: C:\Riot Games\League of Legends\rads\solutions\lol_game_client_sln\releases\0.0.0.232\deploy\League of Legends.exe Ścieżka modułu powodującego błąd: C:\Windows\SysWOW64\ntdll.dll Identyfikator raportu: 63e30778-c4ba-11e2-a52b-002522a10757 Error - 2013-05-24 17:39:24 | Computer Name = AdMiN-Komputer | Source = Application Error | ID = 1000 Description = Nazwa aplikacji powodującej błąd: League of Legends.exe, wersja: 3.7.0.328, sygnatura czasowa: 0x5191aad8 Nazwa modułu powodującego błąd: ntdll.dll, wersja: 6.1.7601.17725, sygnatura czasowa: 0x4ec49b8f Kod wyjątku: 0xc0000005 Przesunięcie błędu: 0x00037215 Identyfikator procesu powodującego błąd: 0xca0 Godzina uruchomienia aplikacji powodującej błąd: 0x01ce58c7285744f3 Ścieżka aplikacji powodującej błąd: C:\Riot Games\League of Legends\rads\solutions\lol_game_client_sln\releases\0.0.0.232\deploy\League of Legends.exe Ścieżka modułu powodującego błąd: C:\Windows\SysWOW64\ntdll.dll Identyfikator raportu: 667fcb15-c4ba-11e2-a52b-002522a10757 Error - 2013-05-24 17:39:29 | Computer Name = AdMiN-Komputer | Source = Application Error | ID = 1000 Description = Nazwa aplikacji powodującej błąd: League of Legends.exe, wersja: 3.7.0.328, sygnatura czasowa: 0x5191aad8 Nazwa modułu powodującego błąd: ntdll.dll, wersja: 6.1.7601.17725, sygnatura czasowa: 0x4ec49b8f Kod wyjątku: 0xc0000005 Przesunięcie błędu: 0x0004ff2b Identyfikator procesu powodującego błąd: 0x14bc Godzina uruchomienia aplikacji powodującej błąd: 0x01ce58c72b451884 Ścieżka aplikacji powodującej błąd: C:\Riot Games\League of Legends\rads\solutions\lol_game_client_sln\releases\0.0.0.232\deploy\League of Legends.exe Ścieżka modułu powodującego błąd: C:\Windows\SysWOW64\ntdll.dll Identyfikator raportu: 696ecfd3-c4ba-11e2-a52b-002522a10757 Error - 2013-05-24 17:41:27 | Computer Name = AdMiN-Komputer | Source = Application Error | ID = 1000 Description = Nazwa aplikacji powodującej błąd: League of Legends.exe, wersja: 3.7.0.328, sygnatura czasowa: 0x5191aad8 Nazwa modułu powodującego błąd: ntdll.dll, wersja: 6.1.7601.17725, sygnatura czasowa: 0x4ec49b8f Kod wyjątku: 0xc0000005 Przesunięcie błędu: 0x0004ff2b Identyfikator procesu powodującego błąd: 0x1384 Godzina uruchomienia aplikacji powodującej błąd: 0x01ce58c7714a98bd Ścieżka aplikacji powodującej błąd: C:\Riot Games\League of Legends\rads\solutions\lol_game_client_sln\releases\0.0.0.232\deploy\League of Legends.exe Ścieżka modułu powodującego błąd: C:\Windows\SysWOW64\ntdll.dll Identyfikator raportu: af71edb2-c4ba-11e2-a52b-002522a10757 Error - 2013-05-25 05:39:05 | Computer Name = AdMiN-Komputer | Source = Application Error | ID = 1000 Description = Nazwa aplikacji powodującej błąd: League of Legends.exe, wersja: 3.7.0.328, sygnatura czasowa: 0x5191aad8 Nazwa modułu powodującego błąd: ntdll.dll, wersja: 6.1.7601.17725, sygnatura czasowa: 0x4ec49b8f Kod wyjątku: 0xc0000005 Przesunięcie błędu: 0x00033792 Identyfikator procesu powodującego błąd: 0x13c8 Godzina uruchomienia aplikacji powodującej błąd: 0x01ce592bb03b34a8 Ścieżka aplikacji powodującej błąd: C:\Riot Games\League of Legends\rads\solutions\lol_game_client_sln\releases\0.0.0.232\deploy\League of Legends.exe Ścieżka modułu powodującego błąd: C:\Windows\SysWOW64\ntdll.dll Identyfikator raportu: f063bbc9-c51e-11e2-855b-002522a10757 [ System Events ] Error - 2013-06-28 12:39:54 | Computer Name = AdMiN-Komputer | Source = Service Control Manager | ID = 7009 Description = Upłynął limit czasu (30000 ms) podczas oczekiwania na połączenie się z usługą LogMeIn Hamachi Tunneling Engine. Error - 2013-06-28 12:39:54 | Computer Name = AdMiN-Komputer | Source = Service Control Manager | ID = 7000 Description = Nie można uruchomić usługi LogMeIn Hamachi Tunneling Engine z powodu następującego błędu: %%1053 Error - 2013-06-28 12:41:21 | Computer Name = AdMiN-Komputer | Source = DCOM | ID = 10010 Description = Error - 2013-06-28 12:42:49 | Computer Name = AdMiN-Komputer | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10000 Description = Uruchomienie modułu rozszerzalności sieci WLAN nie powiodło się. Ścieżka modułu: C:\Windows\system32\athExt.dll Kod błędu: 126 Error - 2013-06-28 12:43:20 | Computer Name = AdMiN-Komputer | Source = Service Control Manager | ID = 7000 Description = Nie można uruchomić usługi Browser Manager z powodu następującego błędu: %%3 Error - 2013-06-28 13:20:46 | Computer Name = AdMiN-Komputer | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10000 Description = Uruchomienie modułu rozszerzalności sieci WLAN nie powiodło się. Ścieżka modułu: C:\Windows\system32\athExt.dll Kod błędu: 126 Error - 2013-06-28 13:20:48 | Computer Name = AdMiN-Komputer | Source = Service Control Manager | ID = 7000 Description = Nie można uruchomić usługi Browser Manager z powodu następującego błędu: %%3 Error - 2013-06-28 13:21:19 | Computer Name = AdMiN-Komputer | Source = Service Control Manager | ID = 7009 Description = Upłynął limit czasu (30000 ms) podczas oczekiwania na połączenie się z usługą Hi-Rez Studios Authenticate and Update Service. Error - 2013-06-28 13:43:13 | Computer Name = AdMiN-Komputer | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10000 Description = Uruchomienie modułu rozszerzalności sieci WLAN nie powiodło się. Ścieżka modułu: C:\Windows\system32\athExt.dll Kod błędu: 126 Error - 2013-06-29 05:24:16 | Computer Name = AdMiN-Komputer | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10000 Description = Uruchomienie modułu rozszerzalności sieci WLAN nie powiodło się. Ścieżka modułu: C:\Windows\system32\athExt.dll Kod błędu: 126 < End of report >

Kod: Zaznacz wszystko: OTL logfile created on: 2013-06-29 14:34:49 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\AdMiN\Downloads 64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.10.9200.16614) Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd 4,00 Gb Total Physical Memory | 1,39 Gb Available Physical Memory | 34,74% Memory free 8,00 Gb Paging File | 4,67 Gb Available in Paging File | 58,38% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 195,21 Gb Total Space | 112,41 Gb Free Space | 57,58% Space Free | Partition Type: NTFS Drive D: | 244,14 Gb Total Space | 243,72 Gb Free Space | 99,83% Space Free | Partition Type: NTFS Drive E: | 244,14 Gb Total Space | 243,74 Gb Free Space | 99,84% Space Free | Partition Type: NTFS Drive F: | 247,92 Gb Total Space | 247,51 Gb Free Space | 99,84% Space Free | Partition Type: NTFS Computer Name: ADMIN-KOMPUTER | User Name: AdMiN | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days [color=#E56717]========== Processes (SafeList) ==========[/color] PRC - [2013-06-29 14:24:14 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\AdMiN\Downloads\OTL.com PRC - [2013-06-28 18:40:54 | 000,424,104 | ---- | M] (Taiwan Shui Mu Chih Ching Technology Limited.) -- C:\Program Files (x86)\WinZipper\winzipersvc.exe PRC - [2013-06-12 17:26:14 | 001,855,880 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_224.exe PRC - [2013-05-31 11:10:50 | 000,144,384 | ---- | M] (Adobe Systems Inc.) -- C:\Riot Games\League of Legends\rads\projects\lol_air_client\releases\0.0.1.30\deploy\LolClient.exe PRC - [2013-05-24 17:23:17 | 000,920,472 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe PRC - [2013-05-10 09:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe PRC - [2013-05-09 10:58:30 | 004,858,968 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe PRC - [2013-05-09 10:58:30 | 000,046,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe PRC - [2013-03-06 20:44:20 | 009,403,880 | ---- | M] (TeamSpeak Systems GmbH) -- C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe PRC - [2012-05-29 15:49:32 | 002,686,976 | ---- | M] () -- C:\Riot Games\League of Legends\rads\projects\lol_launcher\releases\0.0.0.171\deploy\LoLLauncher.exe PRC - [2012-05-29 11:46:02 | 001,300,376 | ---- | M] () -- C:\Riot Games\League of Legends\rads\system\rads_user_kernel.exe PRC - [2010-03-12 00:14:00 | 011,792,992 | ---- | M] (GG Network S.A.) -- C:\Program Files (x86)\Gadu-Gadu 10\gg.exe [color=#E56717]========== Modules (No Company Name) ==========[/color] MOD - [2013-06-12 17:26:13 | 016,033,160 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll MOD - [2013-05-24 17:23:16 | 003,128,728 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll MOD - [2013-03-06 20:44:20 | 000,431,080 | ---- | M] () -- C:\Program Files (x86)\TeamSpeak 3 Client\plugins\clientquery_plugin.dll MOD - [2013-03-06 20:44:20 | 000,236,008 | ---- | M] () -- C:\Program Files (x86)\TeamSpeak 3 Client\soundbackends\windowsaudiosession_win32.dll MOD - [2013-03-06 20:44:20 | 000,230,376 | ---- | M] () -- C:\Program Files (x86)\TeamSpeak 3 Client\soundbackends\directsound_win32.dll MOD - [2013-03-06 20:44:20 | 000,159,208 | ---- | M] () -- C:\Program Files (x86)\TeamSpeak 3 Client\plugins\appscanner_plugin.dll MOD - [2012-05-29 15:49:32 | 002,686,976 | ---- | M] () -- C:\Riot Games\League of Legends\rads\projects\lol_launcher\releases\0.0.0.171\deploy\LoLLauncher.exe MOD - [2012-05-29 11:46:02 | 001,300,376 | ---- | M] () -- C:\Riot Games\League of Legends\rads\system\rads_user_kernel.exe MOD - [2011-03-18 17:51:44 | 000,195,584 | ---- | M] () -- C:\Program Files (x86)\TeamSpeak 3 Client\imageformats\_old_qjpeg4.dll MOD - [2011-03-18 17:51:44 | 000,025,600 | ---- | M] () -- C:\Program Files (x86)\TeamSpeak 3 Client\imageformats\_old_qgif4.dll MOD - [2010-03-12 00:16:12 | 000,217,696 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\gglog.dll MOD - [2010-03-12 00:16:10 | 000,123,488 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\ggipcradioproxy.dll MOD - [2010-03-12 00:16:08 | 000,017,504 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\ggipc.dll MOD - [2010-03-12 00:16:04 | 000,027,744 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\ggcrypto.dll MOD - [2010-03-12 00:16:02 | 000,356,960 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\ggcommon.dll MOD - [2010-03-11 11:05:22 | 008,806,400 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtGui4.dll MOD - [2010-02-26 07:02:52 | 002,400,256 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtCore4.dll MOD - [2010-02-26 07:02:52 | 001,511,424 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtScript4.dll MOD - [2010-02-26 07:02:52 | 001,036,288 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtNetwork4.dll MOD - [2010-02-26 07:02:52 | 000,389,120 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtXml4.dll MOD - [2010-02-26 07:02:52 | 000,323,584 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtSvg4.dll MOD - [2010-02-26 07:02:50 | 013,545,472 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtWebKit4.dll MOD - [2010-02-26 07:02:46 | 003,334,144 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtXmlPatterns4.dll MOD - [2010-02-26 07:02:10 | 000,311,296 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\imageformats\qtiff4.dll MOD - [2010-02-26 07:02:10 | 000,274,432 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\imageformats\qmng4.dll MOD - [2010-02-26 07:02:10 | 000,143,360 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\imageformats\qjpeg4.dll MOD - [2010-02-26 07:02:10 | 000,027,648 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\imageformats\qgif4.dll MOD - [2010-02-26 07:02:10 | 000,018,944 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\imageformats\qsvg4.dll MOD - [2010-02-17 17:33:22 | 000,059,904 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\zlib1.dll [color=#E56717]========== Services (SafeList) ==========[/color] SRV:[b]64bit:[/b] - [2013-05-09 10:58:30 | 000,046,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus) SRV:[b]64bit:[/b] - [2011-09-08 19:29:56 | 000,204,288 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility) SRV:[b]64bit:[/b] - [2009-07-14 03:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend) SRV:[b]64bit:[/b] - [2009-07-14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt) SRV - [2013-06-28 18:40:54 | 000,424,104 | ---- | M] (Taiwan Shui Mu Chih Ching Technology Limited.) [Auto | Running] -- C:\Program Files (x86)\WinZipper\winzipersvc.exe -- (winzipersvc) SRV - [2013-06-12 17:26:14 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013-05-24 17:23:16 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2013-05-10 09:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2013-02-08 18:45:52 | 000,008,704 | ---- | M] (Hi-Rez Studios) [Auto | Paused] -- C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe -- (HiPatchService) SRV - [2012-02-15 14:30:18 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2009-06-10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) [color=#E56717]========== Driver Services (SafeList) ==========[/color] DRV:[b]64bit:[/b] - [2013-06-27 21:15:19 | 001,030,952 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx) DRV:[b]64bit:[/b] - [2013-06-27 21:15:19 | 000,378,944 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP) DRV:[b]64bit:[/b] - [2013-06-27 21:15:19 | 000,189,936 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswVmm.sys -- (aswVmm) DRV:[b]64bit:[/b] - [2013-05-09 10:59:07 | 000,072,016 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr) DRV:[b]64bit:[/b] - [2013-05-09 10:59:07 | 000,065,336 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswRvrt.sys -- (aswRvrt) DRV:[b]64bit:[/b] - [2013-05-09 10:59:07 | 000,064,288 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi) DRV:[b]64bit:[/b] - [2013-05-09 10:59:06 | 000,080,816 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt) DRV:[b]64bit:[/b] - [2013-05-09 10:59:06 | 000,033,400 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk) DRV:[b]64bit:[/b] - [2012-07-03 18:21:52 | 000,019,600 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswKbd.sys -- (aswKbd) DRV:[b]64bit:[/b] - [2012-03-01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:[b]64bit:[/b] - [2011-09-08 20:27:22 | 010,203,648 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag) DRV:[b]64bit:[/b] - [2011-09-08 18:52:40 | 000,310,784 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap) DRV:[b]64bit:[/b] - [2010-11-20 05:33:36 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:[b]64bit:[/b] - [2010-11-20 05:32:48 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:[b]64bit:[/b] - [2010-11-20 05:32:48 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:[b]64bit:[/b] - [2010-11-20 03:07:06 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:[b]64bit:[/b] - [2010-11-20 03:03:44 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport) DRV:[b]64bit:[/b] - [2010-03-04 15:43:00 | 000,346,144 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167) DRV:[b]64bit:[/b] - [2010-01-05 19:23:18 | 001,847,296 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athurx.sys -- (athur) DRV:[b]64bit:[/b] - [2009-11-25 15:06:02 | 001,276,928 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\viahduaa.sys -- (VIAHdAudAddService) DRV:[b]64bit:[/b] - [2009-07-14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:[b]64bit:[/b] - [2009-07-14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:[b]64bit:[/b] - [2009-07-14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:[b]64bit:[/b] - [2009-06-10 22:35:38 | 000,707,072 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netr7364.sys -- (netr7364) DRV:[b]64bit:[/b] - [2009-06-10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:[b]64bit:[/b] - [2009-06-10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:[b]64bit:[/b] - [2009-06-10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:[b]64bit:[/b] - [2009-06-10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV:[b]64bit:[/b] - [2009-03-18 18:35:42 | 000,033,856 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hamachi.sys -- (hamachi) DRV:[b]64bit:[/b] - [2008-12-26 12:56:04 | 000,021,504 | ---- | M] (Avnex) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vcsvad.sys -- (VCSVADHWSer) DRV - [2009-07-14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) [color=#E56717]========== Standard Registry (All) ==========[/color] [color=#E56717]========== Internet Explorer ==========[/color] IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data] IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0Fzz0DtCtCtCtC0A0EyByBzy0A0A0CtBtN0D0Tzu0CtByEyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=973264983 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data] IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990} IE - HKLM\..\SearchScopes,DefaultScope = IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0Fzz0DtCtCtCtC0A0EyByBzy0A0A0CtBtN0D0Tzu0CtByEyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=973264983 IE - HKLM\..\SearchScopes\{7784277D-53CB-5A00-1444-5027E0238AFB}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7 IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-19\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation) IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-20\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation) IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-21-3801769967-3764758835-2792484388-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com IE - HKU\S-1-5-21-3801769967-3764758835-2792484388-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm IE - HKU\S-1-5-21-3801769967-3764758835-2792484388-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKU\S-1-5-21-3801769967-3764758835-2792484388-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.pl/http://www.google.pl/ [binary data] IE - HKU\S-1-5-21-3801769967-3764758835-2792484388-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com IE - HKU\S-1-5-21-3801769967-3764758835-2792484388-1000\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation) IE - HKU\S-1-5-21-3801769967-3764758835-2792484388-1000\..\SearchScopes,Backup.Old.DefaultScope = {A5FB86C7-94DC-486B-A602-9E694914256B} IE - HKU\S-1-5-21-3801769967-3764758835-2792484388-1000\..\SearchScopes,DefaultScope = {7784277D-53CB-5A00-1444-5027E0238AFB} IE - HKU\S-1-5-21-3801769967-3764758835-2792484388-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR IE - HKU\S-1-5-21-3801769967-3764758835-2792484388-1000\..\SearchScopes\{7784277D-53CB-5A00-1444-5027E0238AFB}: "URL" = http://www.google.com/search?hl=pl&q={searchTerms}&rlz=1I7ADSA_plPL456 IE - HKU\S-1-5-21-3801769967-3764758835-2792484388-1000\..\SearchScopes\{A5FB86C7-94DC-486B-A602-9E694914256B}: "URL" = http://www.google.com/search?hl=pl&q={searchTerms}&rlz=1I7ADSA_plPL456 IE - HKU\S-1-5-21-3801769967-3764758835-2792484388-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 [color=#E56717]========== FireFox ==========[/color] FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0 FF - user.js - File not found FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll File not found FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.138.0: C:\Program Files (x86)\Battlelog Web Plugins\1.138.0\npesnlaunch.dll (ESN Social Software AB) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks) FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files (x86)\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files (x86)\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\AdMiN\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.) FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\AdMiN\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.) FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\AdMiN\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS) FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks) 64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX 64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FE1DEEEA-DB6D-44b8-83F0-34FC0F9D1052}: C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013-05-17 21:40:19 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012-11-01 23:25:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\AdMiN\AppData\Roaming\mozilla\Extensions [2013-05-24 17:23:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions [2013-05-24 17:23:09 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2013-05-24 17:23:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\browser\extensions [2013-05-24 17:23:17 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\mozilla firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [color=#E56717]========== Chrome ==========[/color] CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding} CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter} CHR - plugin: Shockwave Flash (Enabled) = C:\Users\AdMiN\AppData\Local\Google\Chrome\Application\27.0.1453.116\PepperFlash\pepflashplayer.dll CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = C:\Users\AdMiN\AppData\Local\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\AdMiN\AppData\Local\Google\Chrome\Application\27.0.1453.116\pdf.dll CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll CHR - plugin: Java(TM) Platform SE 6 U29 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll CHR - plugin: ESN Launch Mozilla Plugin (Enabled) = C:\Program Files (x86)\Battlelog Web Plugins\1.138.0\npesnlaunch.dll CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files (x86)\Real Alternative\browser\plugins\nppl3260.dll CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files (x86)\Real Alternative\browser\plugins\nprpjplug.dll CHR - plugin: Unity Player (Enabled) = C:\Users\AdMiN\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll CHR - Extension: Skype Click to Call = C:\Users\AdMiN\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.9.0.9216_0\ O1 HOSTS File: ([2009-06-10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O2:[b]64bit:[/b] - BHO: (avast! Online Security) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software) O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (IEPluginBHO Class) - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\ProgramData\Gadu-Gadu 10\_userdata\ggbho.2.dll (GG Network S.A.) O3:[b]64bit:[/b] - HKLM\..\Toolbar: (avast! Online Security) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software) O3 - HKLM\..\Toolbar: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) O3 - HKU\S-1-5-21-3801769967-3764758835-2792484388-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found. O4:[b]64bit:[/b] - HKLM..\Run: [VIAAUD] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VIAAUD.exe File not found O4 - HKLM..\Run: [Adobe ARM] C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated) O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software) O4 - HKLM..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe (VIA) O4 - HKLM..\Run: [mouseElf] C:\PROGRA~2\ERGOME~1\MouseElf.EXE () O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.) O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation) O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation) O4 - HKU\S-1-5-21-3801769967-3764758835-2792484388-1000..\Run: [Gadu-Gadu 10] C:\Program Files (x86)\Gadu-Gadu 10\gg.exe (GG Network S.A.) O4 - HKU\S-1-5-21-3801769967-3764758835-2792484388-1000..\Run: [Google Update] C:\Users\AdMiN\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.) O4 - HKU\S-1-5-21-3801769967-3764758835-2792484388-1000..\Run: [Skype] C:\Program Files (x86)\Skype\Phone\Skype.exe (Skype Technologies S.A.) O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17 O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O10:[b]64bit:[/b] - NameSpace_Catalog5\Catalog_Entries64\000000000001 [] - C:\Windows\SysNative\nlaapi.dll (Microsoft Corporation) O10:[b]64bit:[/b] - NameSpace_Catalog5\Catalog_Entries64\000000000002 [] - C:\Windows\SysNative\NapiNSP.dll (Microsoft Corporation) O10:[b]64bit:[/b] - NameSpace_Catalog5\Catalog_Entries64\000000000003 [] - C:\Windows\SysNative\pnrpnsp.dll (Microsoft Corporation) O10:[b]64bit:[/b] - NameSpace_Catalog5\Catalog_Entries64\000000000004 [] - C:\Windows\SysNative\pnrpnsp.dll (Microsoft Corporation) O10:[b]64bit:[/b] - NameSpace_Catalog5\Catalog_Entries64\000000000005 [] - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation) O10:[b]64bit:[/b] - NameSpace_Catalog5\Catalog_Entries64\000000000006 [] - C:\Windows\SysNative\winrnr.dll (Microsoft Corporation) O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000001 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation) O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000002 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation) O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000003 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation) O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000004 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation) O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000005 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation) O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000006 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation) O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000007 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation) O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000008 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation) O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000009 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation) O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000010 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\SysWOW64\nlaapi.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\SysWOW64\NapiNSP.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\SysWOW64\pnrpnsp.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\SysWOW64\pnrpnsp.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\SysWOW64\winrnr.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation) O13[b]64bit:[/b] - gopher Prefix: missing O13 - gopher Prefix: missing O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 62.179.1.61 62.179.1.60 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0DAE7950-74D4-41B4-B823-39DF3D77F917}: DhcpNameServer = 62.179.1.61 62.179.1.60 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{917837A2-A4F9-42FF-BC8C-3DAF76402372}: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A798F599-1EFC-4937-804E-037290F7D528}: DhcpNameServer = 95.160.170.92 88.156.222.92 82.139.8.40 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EFD1AEBE-BB0A-466B-910E-FCFCD8A003F5}: DhcpNameServer = 192.168.0.1 O18:[b]64bit:[/b] - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\SysNative\MSVidCtl.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysNative\itss.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\SysNative\inetcomm.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysNative\itss.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Handler\skype4com - No CLSID value found O18:[b]64bit:[/b] - Protocol\Handler\skype-ie-addon-data - No CLSID value found O18:[b]64bit:[/b] - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\SysNative\MSVidCtl.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\SysWOW64\MSVidCtl.dll (Microsoft Corporation) O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysWOW64\itss.dll (Microsoft Corporation) O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\SysWOW64\inetcomm.dll (Microsoft Corporation) O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysWOW64\itss.dll (Microsoft Corporation) O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies) O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\SysWOW64\MSVidCtl.dll (Microsoft Corporation) O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation) O18:[b]64bit:[/b] - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation) O20:[b]64bit:[/b] - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:[b]64bit:[/b] - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation) O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O29:[b]64bit:[/b] - HKLM SecurityProviders - (credssp.dll) - C:\Windows\SysWow64\credssp.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (credssp.dll) - C:\Windows\SysWow64\credssp.dll (Microsoft Corporation) O30:[b]64bit:[/b] - LSA: Authentication Packages - (msv1_0) - C:\Windows\SysNative\msv1_0.dll (Microsoft Corporation) O30 - LSA: Authentication Packages - (msv1_0) - C:\Windows\SysWow64\msv1_0.dll (Microsoft Corporation) O30:[b]64bit:[/b] - LSA: Security Packages - (kerberos) - C:\Windows\SysNative\kerberos.dll (Microsoft Corporation) O30:[b]64bit:[/b] - LSA: Security Packages - (msv1_0) - C:\Windows\SysNative\msv1_0.dll (Microsoft Corporation) O30:[b]64bit:[/b] - LSA: Security Packages - (schannel) - C:\Windows\SysNative\schannel.dll (Microsoft Corporation) O30:[b]64bit:[/b] - LSA: Security Packages - (wdigest) - C:\Windows\SysNative\wdigest.dll (Microsoft Corporation) O30:[b]64bit:[/b] - LSA: Security Packages - (tspkg) - C:\Windows\SysNative\tspkg.dll (Microsoft Corporation) O30:[b]64bit:[/b] - LSA: Security Packages - (pku2u) - C:\Windows\SysNative\pku2u.dll (Microsoft Corporation) O30 - LSA: Security Packages - (kerberos) - C:\Windows\SysWow64\kerberos.dll (Microsoft Corporation) O30 - LSA: Security Packages - (msv1_0) - C:\Windows\SysWow64\msv1_0.dll (Microsoft Corporation) O30 - LSA: Security Packages - (schannel) - C:\Windows\SysWow64\schannel.dll (Microsoft Corporation) O30 - LSA: Security Packages - (wdigest) - C:\Windows\SysWow64\wdigest.dll (Microsoft Corporation) O30 - LSA: Security Packages - (tspkg) - C:\Windows\SysWow64\tspkg.dll (Microsoft Corporation) O30 - LSA: Security Packages - (pku2u) - C:\Windows\SysWow64\pku2u.dll (Microsoft Corporation) O31 - SafeBoot: AlternateShell - cmd.exe O32 - HKLM CDRom: AutoRun - 1 O33 - MountPoints2\G\Shell - "" = AutoRun O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\setup.exe O34 - HKLM BootExecute: (autocheck autochk *) O35:[b]64bit:[/b] - HKLM\..comfile [open] -- "%1" %* O35:[b]64bit:[/b] - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:[b]64bit:[/b] - HKLM\...com [@ = comfile] -- "%1" %* O37:[b]64bit:[/b] - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) [color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color] [2013-06-28 18:46:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Odkurzacz [2013-06-28 18:46:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Odkurzacz [2013-06-28 18:40:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZipper [2013-06-28 18:40:55 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Roaming\WinZipper [2013-06-28 18:40:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WinZipper [2013-06-28 18:40:53 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Roaming\Omiga Plus [2013-06-28 18:40:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Omiga Plus [2013-06-17 20:42:47 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Voice Changer Software DIAMOND [2013-06-17 20:41:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AV Vcs 7.0 DIAMOND [2013-06-17 20:13:24 | 000,000,000 | ---D | C] -- C:\AV_LOGS [2013-06-17 18:33:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ AV Vcs 7.0 DIAMOND [2013-06-17 15:23:03 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\Application Data [2013-06-17 15:22:42 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Local\CrashRpt [2013-06-17 15:22:23 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Roaming\Systweak [2013-06-17 15:22:22 | 000,019,896 | ---- | C] (Systweak Inc., (www.systweak.com)) -- C:\Windows\SysNative\roboot64.exe [2013-06-17 15:08:53 | 000,021,504 | ---- | C] (Avnex) -- C:\Windows\SysNative\drivers\vcsvad.sys [2013-06-16 01:25:35 | 000,526,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll [2013-06-16 01:25:35 | 000,391,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll [2013-06-14 18:31:02 | 001,700,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\gdiplus.dll [2013-06-14 18:31:02 | 001,060,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mfc71.dll [2013-06-14 18:30:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Gadu-Gadu 10 [2013-06-14 15:33:37 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Local\GG [2013-06-14 15:33:29 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Roaming\GG [2013-06-14 15:33:29 | 000,000,000 | ---D | C] -- C:\ProgramData\GG [2013-06-13 23:30:56 | 000,000,000 | ---D | C] -- C:\Windows\Minidump [2013-06-13 17:34:53 | 038,854,527 | ---- | C] (Edmund Mcmillen & Florian Himsl ) -- C:\Users\AdMiN\Desktop\Isaac.exe [2013-06-12 22:11:06 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll [2013-06-12 22:11:06 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll [2013-06-12 22:11:06 | 000,051,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe [2013-06-12 22:11:06 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll [2013-06-12 22:11:06 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll [2013-06-12 22:11:05 | 000,136,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesysprep.dll [2013-06-12 22:11:05 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesysprep.dll [2013-06-12 22:11:05 | 000,089,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RegisterIEPKEYs.exe [2013-06-12 22:11:05 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RegisterIEPKEYs.exe [2013-06-12 22:11:03 | 000,855,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll [2013-06-12 22:11:03 | 000,690,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll [2013-06-12 22:11:03 | 000,603,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll [2013-06-12 22:11:02 | 003,958,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll [2013-06-12 14:00:22 | 000,751,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\win32spl.dll [2013-06-12 14:00:22 | 000,492,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\win32spl.dll [2013-06-12 14:00:19 | 001,464,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\crypt32.dll [2013-06-12 14:00:19 | 001,192,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\certutil.exe [2013-06-12 14:00:19 | 000,903,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\certutil.exe [2013-06-12 14:00:19 | 000,139,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptnet.dll [2013-06-12 14:00:19 | 000,052,224 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\certenc.dll [2013-06-12 14:00:19 | 000,043,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\certenc.dll [color=#E56717]========== Files - Modified Within 30 Days ==========[/color] [2013-06-29 14:26:00 | 000,000,930 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013-06-29 14:22:00 | 000,001,046 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2013-06-29 14:21:00 | 000,001,058 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3801769967-3764758835-2792484388-1000UA.job [2013-06-29 14:16:24 | 000,367,745 | ---- | M] () -- C:\Users\AdMiN\Documents\gimer.rtf [2013-06-29 11:51:00 | 000,002,382 | ---- | M] () -- C:\Users\AdMiN\Desktop\Google Chrome.lnk [2013-06-29 11:34:35 | 000,010,416 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013-06-29 11:34:35 | 000,010,416 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013-06-29 11:24:49 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempNW2624.html [2013-06-29 11:24:49 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\Tempdv2624.html [2013-06-29 11:24:17 | 000,001,042 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2013-06-29 11:24:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013-06-29 11:23:08 | 3220,627,456 | -HS- | M] () -- C:\hiberfil.sys [2013-06-28 23:03:36 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\Tempfd3300.html [2013-06-28 23:03:36 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempIP3300.html [2013-06-28 20:21:44 | 000,001,006 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3801769967-3764758835-2792484388-1000Core.job [2013-06-28 19:41:11 | 000,001,059 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2013-06-28 19:22:21 | 000,035,999 | ---- | M] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-06-28 19_22_18.167968.dmp [2013-06-28 18:46:38 | 000,001,069 | ---- | M] () -- C:\Users\AdMiN\Desktop\Odkurzacz.lnk [2013-06-28 18:40:53 | 000,773,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\msvcr100.dll [2013-06-28 18:40:53 | 000,421,032 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\msvcp100.dll [2013-06-27 21:15:19 | 001,030,952 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys [2013-06-27 21:15:19 | 000,378,944 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys [2013-06-27 21:15:19 | 000,189,936 | ---- | M] () -- C:\Windows\SysNative\drivers\aswVmm.sys [2013-06-27 21:15:19 | 000,000,175 | ---- | M] () -- C:\Windows\SysNative\drivers\aswVmm.sys.sum [2013-06-27 21:15:19 | 000,000,175 | ---- | M] () -- C:\Windows\SysNative\drivers\aswSP.sys.sum [2013-06-27 21:15:19 | 000,000,175 | ---- | M] () -- C:\Windows\SysNative\drivers\aswSnx.sys.sum [2013-06-25 21:45:05 | 000,185,638 | ---- | M] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-06-25 21_45_02.485351.dmp [2013-06-20 19:50:08 | 000,002,677 | ---- | M] () -- C:\Users\AdMiN\.recently-used.xbel [2013-06-19 15:33:31 | 000,038,381 | ---- | M] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-06-19 15_33_21.033203.dmp [2013-06-17 20:42:54 | 000,001,228 | ---- | M] () -- C:\Users\AdMiN\Desktop\Voice Changer 7.0 Diamond.lnk [2013-06-15 02:01:30 | 000,000,000 | ---- | M] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-06-15 02_01_30.484375.dmp [2013-06-14 18:31:02 | 001,700,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\gdiplus.dll [2013-06-14 18:31:02 | 001,060,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\mfc71.dll [2013-06-14 18:30:26 | 000,001,009 | ---- | M] () -- C:\Users\Public\Desktop\Gadu-Gadu 10.lnk [2013-06-14 16:25:05 | 000,000,194 | ---- | M] () -- C:\Users\AdMiN\Documents\gjegje.rtf [2013-06-13 23:30:48 | 422,743,641 | ---- | M] () -- C:\Windows\MEMORY.DMP [2013-06-13 17:35:21 | 038,854,527 | ---- | M] (Edmund Mcmillen & Florian Himsl ) -- C:\Users\AdMiN\Desktop\Isaac.exe [2013-06-12 17:26:14 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe [2013-06-12 17:26:14 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl [2013-06-09 20:17:04 | 000,000,227 | ---- | M] () -- C:\Users\AdMiN\Documents\hasla.rtf [2013-06-08 16:06:58 | 000,526,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll [2013-06-08 14:30:28 | 000,000,228 | ---- | M] () -- C:\Users\AdMiN\Documents\fksdfnosnfipojsojgnwpoigjnowiowjfowbfgiwjhiowg.rtf [2013-06-08 13:40:02 | 000,391,168 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll [2013-06-06 19:13:01 | 000,000,307 | ---- | M] () -- C:\Users\AdMiN\Documents\ddddd.rtf [2013-06-01 11:09:45 | 000,001,928 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk [2013-06-01 11:09:43 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt [color=#E56717]========== Files Created - No Company Name ==========[/color] [2013-06-29 14:16:24 | 000,367,745 | ---- | C] () -- C:\Users\AdMiN\Documents\gimer.rtf [2013-06-29 11:51:00 | 000,002,382 | ---- | C] () -- C:\Users\AdMiN\Desktop\Google Chrome.lnk [2013-06-29 11:24:49 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempNW2624.html [2013-06-29 11:24:49 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\Tempdv2624.html [2013-06-28 19:45:20 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\Tempfd3300.html [2013-06-28 19:45:20 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempIP3300.html [2013-06-28 19:22:18 | 000,035,999 | ---- | C] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-06-28 19_22_18.167968.dmp [2013-06-28 18:46:37 | 000,001,069 | ---- | C] () -- C:\Users\AdMiN\Desktop\Odkurzacz.lnk [2013-06-27 21:15:19 | 000,000,175 | ---- | C] () -- C:\Windows\SysNative\drivers\aswVmm.sys.sum [2013-06-27 09:51:40 | 000,000,175 | ---- | C] () -- C:\Windows\SysNative\drivers\aswSP.sys.sum [2013-06-27 09:51:40 | 000,000,175 | ---- | C] () -- C:\Windows\SysNative\drivers\aswSnx.sys.sum [2013-06-25 21:45:02 | 000,185,638 | ---- | C] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-06-25 21_45_02.485351.dmp [2013-06-20 19:50:08 | 000,002,677 | ---- | C] () -- C:\Users\AdMiN\.recently-used.xbel [2013-06-19 15:33:21 | 000,038,381 | ---- | C] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-06-19 15_33_21.033203.dmp [2013-06-17 20:42:54 | 000,001,228 | ---- | C] () -- C:\Users\AdMiN\Desktop\Voice Changer 7.0 Diamond.lnk [2013-06-15 02:01:30 | 000,000,000 | ---- | C] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-06-15 02_01_30.484375.dmp [2013-06-14 18:30:26 | 000,001,009 | ---- | C] () -- C:\Users\Public\Desktop\Gadu-Gadu 10.lnk [2013-06-14 18:30:21 | 000,001,021 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gadu-Gadu 10.lnk [2013-06-14 16:25:04 | 000,000,194 | ---- | C] () -- C:\Users\AdMiN\Documents\gjegje.rtf [2013-06-13 23:30:48 | 422,743,641 | ---- | C] () -- C:\Windows\MEMORY.DMP [2013-06-09 20:17:04 | 000,000,227 | ---- | C] () -- C:\Users\AdMiN\Documents\hasla.rtf [2013-06-08 14:30:28 | 000,000,228 | ---- | C] () -- C:\Users\AdMiN\Documents\fksdfnosnfipojsojgnwpoigjnowiowjfowbfgiwjhiowg.rtf [2013-06-06 19:13:01 | 000,000,307 | ---- | C] () -- C:\Users\AdMiN\Documents\ddddd.rtf [2011-12-24 21:11:04 | 000,012,800 | ---- | C] () -- C:\Windows\SysWow64\drivers\gHidUsbF.sys [2011-12-24 21:11:04 | 000,007,808 | ---- | C] () -- C:\Windows\SysWow64\drivers\gflmouhid.sys [2011-12-11 17:20:21 | 001,575,648 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2011-11-20 16:34:55 | 000,000,000 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\{10507D18-1E8C-489F-93FD-9B7211C0A28C} [2011-11-01 17:17:23 | 000,000,336 | ---- | C] () -- C:\Windows\game.ini [2011-10-21 18:05:19 | 000,650,752 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll [2011-10-21 18:05:19 | 000,243,200 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll [2011-10-21 18:05:19 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini [2011-10-21 18:05:18 | 000,074,752 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll [2011-10-21 17:47:37 | 000,175,616 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll [2011-10-21 17:12:15 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin [2011-09-14 11:47:40 | 000,053,760 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll [color=#E56717]========== ZeroAccess Check ==========[/color] [2009-07-14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2013-02-27 07:52:56 | 014,172,672 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2013-02-27 06:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009-07-14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010-11-20 04:19:04 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009-07-14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] < End of report >

Tutaj są, prosze.

**Posty:** 18165 · przez **wojtas** 30 Cze 2013, 11:11

Użyj AdwCleaner i kliknij w nim Usuń (w przypadku Visty/Windows7 uruchom z prawokliku jako Administrator)
Pokaż raport z niego

Następnie uruchamiasz OTL z opcją skanuj. Pokazujesz nowy log OTL.txt

**Posty:** 5 · przez **Laytenek** 06 Lip 2013, 12:58

W ADWCleaner od razu mówię - wszystko było czysto

Natomiast tutaj logi z OTL:

Kod: Zaznacz wszystko: OTL logfile created on: 2013-07-06 12:52:29 - Run 2 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\AdMiN\Downloads 64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.10.9200.16614) Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd 4,00 Gb Total Physical Memory | 2,44 Gb Available Physical Memory | 61,07% Memory free 8,00 Gb Paging File | 6,33 Gb Available in Paging File | 79,16% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 195,21 Gb Total Space | 113,18 Gb Free Space | 57,98% Space Free | Partition Type: NTFS Drive D: | 244,14 Gb Total Space | 243,72 Gb Free Space | 99,83% Space Free | Partition Type: NTFS Drive E: | 244,14 Gb Total Space | 243,74 Gb Free Space | 99,84% Space Free | Partition Type: NTFS Drive F: | 247,92 Gb Total Space | 247,51 Gb Free Space | 99,84% Space Free | Partition Type: NTFS Computer Name: ADMIN-KOMPUTER | User Name: AdMiN | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days [color=#E56717]========== Processes (SafeList) ==========[/color] PRC - [2013-07-03 09:53:23 | 000,920,472 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe PRC - [2013-06-29 14:24:14 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\AdMiN\Downloads\OTL.com PRC - [2013-06-28 18:40:54 | 000,424,104 | ---- | M] (Taiwan Shui Mu Chih Ching Technology Limited.) -- C:\Program Files (x86)\WinZipper\winzipersvc.exe PRC - [2013-05-10 09:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe PRC - [2013-05-09 10:58:30 | 004,858,968 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe PRC - [2013-05-09 10:58:30 | 000,046,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe PRC - [2013-03-06 20:44:20 | 009,403,880 | ---- | M] (TeamSpeak Systems GmbH) -- C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe PRC - [2010-03-12 00:14:00 | 011,792,992 | ---- | M] (GG Network S.A.) -- C:\Program Files (x86)\Gadu-Gadu 10\gg.exe [color=#E56717]========== Modules (No Company Name) ==========[/color] MOD - [2013-07-03 09:53:22 | 003,285,912 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll MOD - [2013-06-12 17:26:13 | 016,033,160 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll MOD - [2013-03-06 20:44:20 | 000,431,080 | ---- | M] () -- C:\Program Files (x86)\TeamSpeak 3 Client\plugins\clientquery_plugin.dll MOD - [2013-03-06 20:44:20 | 000,236,008 | ---- | M] () -- C:\Program Files (x86)\TeamSpeak 3 Client\soundbackends\windowsaudiosession_win32.dll MOD - [2013-03-06 20:44:20 | 000,230,376 | ---- | M] () -- C:\Program Files (x86)\TeamSpeak 3 Client\soundbackends\directsound_win32.dll MOD - [2013-03-06 20:44:20 | 000,159,208 | ---- | M] () -- C:\Program Files (x86)\TeamSpeak 3 Client\plugins\appscanner_plugin.dll MOD - [2011-03-18 17:51:44 | 000,195,584 | ---- | M] () -- C:\Program Files (x86)\TeamSpeak 3 Client\imageformats\_old_qjpeg4.dll MOD - [2011-03-18 17:51:44 | 000,025,600 | ---- | M] () -- C:\Program Files (x86)\TeamSpeak 3 Client\imageformats\_old_qgif4.dll MOD - [2010-03-12 00:16:12 | 000,217,696 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\gglog.dll MOD - [2010-03-12 00:16:10 | 000,123,488 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\ggipcradioproxy.dll MOD - [2010-03-12 00:16:08 | 000,017,504 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\ggipc.dll MOD - [2010-03-12 00:16:04 | 000,027,744 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\ggcrypto.dll MOD - [2010-03-12 00:16:02 | 000,356,960 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\ggcommon.dll MOD - [2010-03-11 11:05:22 | 008,806,400 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtGui4.dll MOD - [2010-02-26 07:02:52 | 002,400,256 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtCore4.dll MOD - [2010-02-26 07:02:52 | 001,511,424 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtScript4.dll MOD - [2010-02-26 07:02:52 | 001,036,288 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtNetwork4.dll MOD - [2010-02-26 07:02:52 | 000,389,120 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtXml4.dll MOD - [2010-02-26 07:02:52 | 000,323,584 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtSvg4.dll MOD - [2010-02-26 07:02:50 | 013,545,472 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtWebKit4.dll MOD - [2010-02-26 07:02:46 | 003,334,144 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtXmlPatterns4.dll MOD - [2010-02-26 07:02:10 | 000,311,296 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\imageformats\qtiff4.dll MOD - [2010-02-26 07:02:10 | 000,274,432 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\imageformats\qmng4.dll MOD - [2010-02-26 07:02:10 | 000,143,360 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\imageformats\qjpeg4.dll MOD - [2010-02-26 07:02:10 | 000,027,648 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\imageformats\qgif4.dll MOD - [2010-02-26 07:02:10 | 000,018,944 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\imageformats\qsvg4.dll MOD - [2010-02-17 17:33:22 | 000,059,904 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\zlib1.dll [color=#E56717]========== Services (SafeList) ==========[/color] SRV:[b]64bit:[/b] - [2013-05-09 10:58:30 | 000,046,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus) SRV:[b]64bit:[/b] - [2011-09-08 19:29:56 | 000,204,288 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility) SRV:[b]64bit:[/b] - [2009-07-14 03:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend) SRV:[b]64bit:[/b] - [2009-07-14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt) SRV - [2013-07-03 09:53:22 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2013-06-28 18:40:54 | 000,424,104 | ---- | M] (Taiwan Shui Mu Chih Ching Technology Limited.) [Auto | Running] -- C:\Program Files (x86)\WinZipper\winzipersvc.exe -- (winzipersvc) SRV - [2013-06-12 17:26:14 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013-05-10 09:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2013-02-08 18:45:52 | 000,008,704 | ---- | M] (Hi-Rez Studios) [Auto | Paused] -- C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe -- (HiPatchService) SRV - [2012-02-15 14:30:18 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2009-06-10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) [color=#E56717]========== Driver Services (SafeList) ==========[/color] DRV:[b]64bit:[/b] - [2013-06-27 21:15:19 | 001,030,952 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx) DRV:[b]64bit:[/b] - [2013-06-27 21:15:19 | 000,378,944 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP) DRV:[b]64bit:[/b] - [2013-06-27 21:15:19 | 000,189,936 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswVmm.sys -- (aswVmm) DRV:[b]64bit:[/b] - [2013-05-09 10:59:07 | 000,072,016 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr) DRV:[b]64bit:[/b] - [2013-05-09 10:59:07 | 000,065,336 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswRvrt.sys -- (aswRvrt) DRV:[b]64bit:[/b] - [2013-05-09 10:59:07 | 000,064,288 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi) DRV:[b]64bit:[/b] - [2013-05-09 10:59:06 | 000,080,816 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt) DRV:[b]64bit:[/b] - [2013-05-09 10:59:06 | 000,033,400 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk) DRV:[b]64bit:[/b] - [2012-07-03 18:21:52 | 000,019,600 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswKbd.sys -- (aswKbd) DRV:[b]64bit:[/b] - [2012-03-01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:[b]64bit:[/b] - [2011-09-08 20:27:22 | 010,203,648 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag) DRV:[b]64bit:[/b] - [2011-09-08 18:52:40 | 000,310,784 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap) DRV:[b]64bit:[/b] - [2010-11-20 05:33:36 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:[b]64bit:[/b] - [2010-11-20 05:32:48 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:[b]64bit:[/b] - [2010-11-20 05:32:48 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:[b]64bit:[/b] - [2010-11-20 03:07:06 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:[b]64bit:[/b] - [2010-11-20 03:03:44 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport) DRV:[b]64bit:[/b] - [2010-03-04 15:43:00 | 000,346,144 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167) DRV:[b]64bit:[/b] - [2010-01-05 19:23:18 | 001,847,296 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athurx.sys -- (athur) DRV:[b]64bit:[/b] - [2009-11-25 15:06:02 | 001,276,928 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\viahduaa.sys -- (VIAHdAudAddService) DRV:[b]64bit:[/b] - [2009-07-14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:[b]64bit:[/b] - [2009-07-14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:[b]64bit:[/b] - [2009-07-14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:[b]64bit:[/b] - [2009-06-10 22:35:38 | 000,707,072 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netr7364.sys -- (netr7364) DRV:[b]64bit:[/b] - [2009-06-10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:[b]64bit:[/b] - [2009-06-10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:[b]64bit:[/b] - [2009-06-10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:[b]64bit:[/b] - [2009-06-10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV:[b]64bit:[/b] - [2009-03-18 18:35:42 | 000,033,856 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hamachi.sys -- (hamachi) DRV:[b]64bit:[/b] - [2008-12-26 12:56:04 | 000,021,504 | ---- | M] (Avnex) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vcsvad.sys -- (VCSVADHWSer) DRV - [2009-07-14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) [color=#E56717]========== Standard Registry (SafeList) ==========[/color] [color=#E56717]========== Internet Explorer ==========[/color] IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0Fzz0DtCtCtCtC0A0EyByBzy0A0A0CtBtN0D0Tzu0CtByEyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=973264983 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990} IE - HKLM\..\SearchScopes,DefaultScope = IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0Fzz0DtCtCtCtC0A0EyByBzy0A0A0CtBtN0D0Tzu0CtByEyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=973264983 IE - HKLM\..\SearchScopes\{7784277D-53CB-5A00-1444-5027E0238AFB}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.pl/http://www.google.pl/ [binary data] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com IE - HKCU\..\SearchScopes,Backup.Old.DefaultScope = {A5FB86C7-94DC-486B-A602-9E694914256B} IE - HKCU\..\SearchScopes,DefaultScope = IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR IE - HKCU\..\SearchScopes\{7784277D-53CB-5A00-1444-5027E0238AFB}: "URL" = http://www.google.com/search?hl=pl&q={searchTerms}&rlz=1I7ADSA_plPL456 IE - HKCU\..\SearchScopes\{A5FB86C7-94DC-486B-A602-9E694914256B}: "URL" = http://www.google.com/search?hl=pl&q={searchTerms}&rlz=1I7ADSA_plPL456 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 [color=#E56717]========== FireFox ==========[/color] FF - prefs.js..extensions.enabledAddons: wrc%40avast.com:8.0.1489 FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:22.0 FF - user.js - File not found FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll File not found FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.138.0: C:\Program Files (x86)\Battlelog Web Plugins\1.138.0\npesnlaunch.dll (ESN Social Software AB) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks) FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files (x86)\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files (x86)\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\AdMiN\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.) FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\AdMiN\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.) FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\AdMiN\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS) FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks) 64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX 64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FE1DEEEA-DB6D-44b8-83F0-34FC0F9D1052}: C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013-05-17 21:40:19 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 22.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 22.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 22.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 22.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012-11-01 23:25:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\AdMiN\AppData\Roaming\mozilla\Extensions [2013-07-03 09:53:19 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions [2013-07-03 09:53:19 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2013-07-03 09:53:18 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\browser\extensions [2013-07-03 09:53:23 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\mozilla firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2013-05-17 21:40:19 | 000,000,000 | ---D | M] (avast! Online Security) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF [color=#E56717]========== Chrome ==========[/color] CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding} CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter} CHR - plugin: Shockwave Flash (Enabled) = C:\Users\AdMiN\AppData\Local\Google\Chrome\Application\27.0.1453.116\PepperFlash\pepflashplayer.dll CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = C:\Users\AdMiN\AppData\Local\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\AdMiN\AppData\Local\Google\Chrome\Application\27.0.1453.116\pdf.dll CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll CHR - plugin: Java(TM) Platform SE 6 U29 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll CHR - plugin: ESN Launch Mozilla Plugin (Enabled) = C:\Program Files (x86)\Battlelog Web Plugins\1.138.0\npesnlaunch.dll CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files (x86)\Real Alternative\browser\plugins\nppl3260.dll CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files (x86)\Real Alternative\browser\plugins\nprpjplug.dll CHR - plugin: Unity Player (Enabled) = C:\Users\AdMiN\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll CHR - Extension: Skype Click to Call = C:\Users\AdMiN\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.9.0.9216_0\ O1 HOSTS File: ([2009-06-10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O2:[b]64bit:[/b] - BHO: (avast! Online Security) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software) O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O2 - BHO: (IEPluginBHO Class) - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\ProgramData\Gadu-Gadu 10\_userdata\ggbho.2.dll (GG Network S.A.) O3:[b]64bit:[/b] - HKLM\..\Toolbar: (avast! Online Security) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software) O3 - HKLM\..\Toolbar: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found. O4:[b]64bit:[/b] - HKLM..\Run: [VIAAUD] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VIAAUD.exe File not found O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software) O4 - HKLM..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe (VIA) O4 - HKLM..\Run: [mouseElf] C:\PROGRA~2\ERGOME~1\MouseElf.EXE () O4 - HKCU..\Run: [Gadu-Gadu 10] C:\Program Files (x86)\Gadu-Gadu 10\gg.exe (GG Network S.A.) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O13[b]64bit:[/b] - gopher Prefix: missing O13 - gopher Prefix: missing O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 62.179.1.61 62.179.1.60 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0DAE7950-74D4-41B4-B823-39DF3D77F917}: DhcpNameServer = 62.179.1.61 62.179.1.60 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{917837A2-A4F9-42FF-BC8C-3DAF76402372}: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A798F599-1EFC-4937-804E-037290F7D528}: DhcpNameServer = 95.160.170.92 88.156.222.92 82.139.8.40 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EFD1AEBE-BB0A-466B-910E-FCFCD8A003F5}: DhcpNameServer = 192.168.0.1 O18:[b]64bit:[/b] - Protocol\Handler\skype4com - No CLSID value found O18:[b]64bit:[/b] - Protocol\Handler\skype-ie-addon-data - No CLSID value found O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies) O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O20:[b]64bit:[/b] - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:[b]64bit:[/b] - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation) O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O33 - MountPoints2\G\Shell - "" = AutoRun O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\setup.exe O34 - HKLM BootExecute: (autocheck autochk *) O35:[b]64bit:[/b] - HKLM\..comfile [open] -- "%1" %* O35:[b]64bit:[/b] - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:[b]64bit:[/b] - HKLM\...com [@ = comfile] -- "%1" %* O37:[b]64bit:[/b] - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) [color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color] [2013-07-03 09:53:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox [2013-06-30 23:33:21 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Local\cache [2013-06-28 18:46:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Odkurzacz [2013-06-28 18:46:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Odkurzacz [2013-06-28 18:40:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZipper [2013-06-28 18:40:55 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Roaming\WinZipper [2013-06-28 18:40:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WinZipper [2013-06-28 18:40:53 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Roaming\Omiga Plus [2013-06-28 18:40:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Omiga Plus [2013-06-17 20:42:47 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Voice Changer Software DIAMOND [2013-06-17 20:41:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AV Vcs 7.0 DIAMOND [2013-06-17 20:13:24 | 000,000,000 | ---D | C] -- C:\AV_LOGS [2013-06-17 18:33:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ AV Vcs 7.0 DIAMOND [2013-06-17 15:23:03 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\Application Data [2013-06-17 15:22:42 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Local\CrashRpt [2013-06-17 15:22:23 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Roaming\Systweak [2013-06-17 15:22:22 | 000,019,896 | ---- | C] (Systweak Inc., (http://www.systweak.com)) -- C:\Windows\SysNative\roboot64.exe [2013-06-17 15:08:53 | 000,021,504 | ---- | C] (Avnex) -- C:\Windows\SysNative\drivers\vcsvad.sys [2013-06-16 01:25:35 | 000,526,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll [2013-06-16 01:25:35 | 000,391,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll [2013-06-14 18:31:02 | 001,700,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\gdiplus.dll [2013-06-14 18:31:02 | 001,060,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mfc71.dll [2013-06-14 18:30:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Gadu-Gadu 10 [2013-06-14 15:33:37 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Local\GG [2013-06-14 15:33:29 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Roaming\GG [2013-06-14 15:33:29 | 000,000,000 | ---D | C] -- C:\ProgramData\GG [2013-06-13 23:30:56 | 000,000,000 | ---D | C] -- C:\Windows\Minidump [2013-06-13 17:34:53 | 038,854,527 | ---- | C] (Edmund Mcmillen & Florian Himsl ) -- C:\Users\AdMiN\Desktop\Isaac.exe [2013-06-12 22:11:06 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll [2013-06-12 22:11:06 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll [2013-06-12 22:11:06 | 000,051,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe [2013-06-12 22:11:06 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll [2013-06-12 22:11:06 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll [2013-06-12 22:11:05 | 000,136,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesysprep.dll [2013-06-12 22:11:05 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesysprep.dll [2013-06-12 22:11:05 | 000,089,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RegisterIEPKEYs.exe [2013-06-12 22:11:05 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RegisterIEPKEYs.exe [2013-06-12 22:11:03 | 000,855,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll [2013-06-12 22:11:03 | 000,690,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll [2013-06-12 22:11:03 | 000,603,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll [2013-06-12 22:11:02 | 003,958,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll [2013-06-12 14:00:22 | 000,751,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\win32spl.dll [2013-06-12 14:00:22 | 000,492,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\win32spl.dll [2013-06-12 14:00:19 | 001,464,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\crypt32.dll [2013-06-12 14:00:19 | 001,192,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\certutil.exe [2013-06-12 14:00:19 | 000,903,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\certutil.exe [2013-06-12 14:00:19 | 000,139,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptnet.dll [2013-06-12 14:00:19 | 000,052,224 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\certenc.dll [2013-06-12 14:00:19 | 000,043,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\certenc.dll [color=#E56717]========== Files - Modified Within 30 Days ==========[/color] [2013-07-06 12:51:02 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempTN2132.html [2013-07-06 12:51:02 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempOu2132.html [2013-07-06 12:49:31 | 000,001,042 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2013-07-06 12:49:23 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013-07-06 12:49:10 | 3220,627,456 | -HS- | M] () -- C:\hiberfil.sys [2013-07-06 12:48:18 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempGp1400.html [2013-07-06 12:48:18 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempcP1400.html [2013-07-06 12:27:00 | 000,001,046 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2013-07-06 12:26:00 | 000,000,930 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013-07-06 12:21:01 | 000,001,058 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3801769967-3764758835-2792484388-1000UA.job [2013-07-06 10:35:58 | 000,010,416 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013-07-06 10:35:58 | 000,010,416 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013-07-06 02:23:57 | 000,971,646 | ---- | M] () -- C:\Users\AdMiN\Desktop\olusiafotosek.png [2013-07-06 01:45:20 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\Templm2416.html [2013-07-06 01:45:20 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempJv2416.html [2013-07-05 23:31:00 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\Tempgj2708.html [2013-07-05 23:31:00 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempWb2708.html [2013-07-05 23:26:18 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempVi2212.html [2013-07-05 23:26:18 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempMG2212.html [2013-07-05 20:21:00 | 000,001,006 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3801769967-3764758835-2792484388-1000Core.job [2013-07-05 19:34:58 | 000,007,091 | ---- | M] () -- C:\Users\AdMiN\.recently-used.xbel [2013-07-05 19:16:19 | 000,313,880 | ---- | M] () -- C:\Users\AdMiN\Desktop\photo2.png [2013-07-05 18:58:22 | 000,550,131 | ---- | M] () -- C:\Users\AdMiN\Desktop\photo.png [2013-07-05 17:31:00 | 000,041,990 | ---- | M] () -- C:\Users\AdMiN\Desktop\olazaczepki.png [2013-07-05 15:27:22 | 000,352,027 | ---- | M] () -- C:\Users\AdMiN\Desktop\cenzura!.png [2013-07-05 15:23:22 | 000,327,695 | ---- | M] () -- C:\Users\AdMiN\Desktop\20130704_170251.jpg [2013-07-05 15:23:22 | 000,327,695 | ---- | M] () -- C:\Users\AdMiN\Desktop\20130704_170251 - Kopia.jpg [2013-07-05 02:16:34 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempIx3352.html [2013-07-05 02:16:34 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempJt3352.html [2013-07-04 23:56:03 | 000,231,344 | ---- | M] () -- C:\Users\AdMiN\Desktop\kotek-slodki.jpeg [2013-07-04 23:29:31 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempLg5324.html [2013-07-04 23:29:19 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempVp1496.html [2013-07-04 23:27:50 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempGd6012.html [2013-07-04 23:27:49 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempbY6012.html [2013-07-04 23:27:38 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempMS5132.html [2013-07-04 23:27:36 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempHE5132.html [2013-07-04 23:26:55 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempZk4576.html [2013-07-04 23:26:33 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempoN1976.html [2013-07-04 23:26:32 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempDi1976.html [2013-07-04 23:26:01 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempEF3768.html [2013-07-04 23:25:58 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempCo3768.html [2013-07-04 22:15:49 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempCZ2500.html [2013-07-04 22:15:26 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempIz6092.html [2013-07-04 21:31:43 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\Tempam2664.html [2013-07-04 12:14:03 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\Tempfw2888.html [2013-07-04 12:14:03 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempRd2888.html [2013-07-03 23:33:47 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\Tempml2392.html [2013-07-03 23:33:47 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempAb2392.html [2013-07-03 22:03:23 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\Temphl2940.html [2013-07-03 22:03:23 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempIz2940.html [2013-07-02 23:59:26 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TemprS3932.html [2013-07-02 23:59:26 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempgL3932.html [2013-07-02 23:28:20 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempnT2700.html [2013-07-02 23:28:20 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempgT2700.html [2013-07-02 16:44:27 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempUe2416.html [2013-07-02 16:44:27 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempJN2416.html [2013-07-02 11:22:30 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempLS2416.html [2013-07-01 23:18:19 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\Tempmx2616.html [2013-07-01 23:18:19 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempuK2616.html [2013-07-01 21:58:23 | 000,000,245 | ---- | M] () -- C:\Users\AdMiN\Documents\przerobkaola.rtf [2013-07-01 18:06:04 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempsH2616.html [2013-07-01 16:08:06 | 000,414,754 | ---- | M] () -- C:\Users\AdMiN\Desktop\lajtenswag - Kopia.png [2013-07-01 00:25:03 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempIm5320.html [2013-07-01 00:25:03 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\Tempck5320.html [2013-07-01 00:25:03 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempRp5320.html [2013-07-01 00:25:03 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\Temppc5320.html [2013-06-30 23:39:45 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempTk6176.html [2013-06-30 23:33:16 | 000,000,228 | ---- | M] () -- C:\Users\AdMiN\Documents\ggnicola.rtf [2013-06-30 23:30:24 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempqN2616.html [2013-06-30 22:45:08 | 000,000,225 | ---- | M] () -- C:\Users\AdMiN\Documents\numery.rtf [2013-06-30 11:15:16 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempGu2416.html [2013-06-30 11:15:16 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempKj2416.html [2013-06-30 02:04:58 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\Tempcw1896.html [2013-06-30 02:04:58 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempYc1896.html [2013-06-30 01:29:03 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempuA2044.html [2013-06-30 01:29:03 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\Tempfr2044.html [2013-06-29 23:40:59 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempNW2624.html [2013-06-29 23:40:59 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\Tempdv2624.html [2013-06-29 20:40:04 | 000,000,194 | ---- | M] () -- C:\Users\AdMiN\Documents\phonegg.rtf [2013-06-29 14:16:24 | 000,367,745 | ---- | M] () -- C:\Users\AdMiN\Documents\gimer.rtf [2013-06-29 11:51:00 | 000,002,382 | ---- | M] () -- C:\Users\AdMiN\Desktop\Google Chrome.lnk [2013-06-28 23:03:36 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\Tempfd3300.html [2013-06-28 23:03:36 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempIP3300.html [2013-06-28 19:41:11 | 000,001,059 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2013-06-28 19:22:21 | 000,035,999 | ---- | M] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-06-28 19_22_18.167968.dmp [2013-06-28 18:46:38 | 000,001,069 | ---- | M] () -- C:\Users\AdMiN\Desktop\Odkurzacz.lnk [2013-06-28 18:40:53 | 000,773,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\msvcr100.dll [2013-06-28 18:40:53 | 000,421,032 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\msvcp100.dll [2013-06-27 21:15:19 | 001,030,952 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys [2013-06-27 21:15:19 | 000,378,944 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys [2013-06-27 21:15:19 | 000,189,936 | ---- | M] () -- C:\Windows\SysNative\drivers\aswVmm.sys [2013-06-27 21:15:19 | 000,000,175 | ---- | M] () -- C:\Windows\SysNative\drivers\aswVmm.sys.sum [2013-06-27 21:15:19 | 000,000,175 | ---- | M] () -- C:\Windows\SysNative\drivers\aswSP.sys.sum [2013-06-27 21:15:19 | 000,000,175 | ---- | M] () -- C:\Windows\SysNative\drivers\aswSnx.sys.sum [2013-06-25 21:45:05 | 000,185,638 | ---- | M] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-06-25 21_45_02.485351.dmp [2013-06-19 15:33:31 | 000,038,381 | ---- | M] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-06-19 15_33_21.033203.dmp [2013-06-17 20:42:54 | 000,001,228 | ---- | M] () -- C:\Users\AdMiN\Desktop\Voice Changer 7.0 Diamond.lnk [2013-06-15 02:01:30 | 000,000,000 | ---- | M] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-06-15 02_01_30.484375.dmp [2013-06-14 18:31:02 | 001,700,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\gdiplus.dll [2013-06-14 18:31:02 | 001,060,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\mfc71.dll [2013-06-14 18:30:26 | 000,001,009 | ---- | M] () -- C:\Users\Public\Desktop\Gadu-Gadu 10.lnk [2013-06-14 16:25:05 | 000,000,194 | ---- | M] () -- C:\Users\AdMiN\Documents\gjegje.rtf [2013-06-13 23:30:48 | 422,743,641 | ---- | M] () -- C:\Windows\MEMORY.DMP [2013-06-13 17:35:21 | 038,854,527 | ---- | M] (Edmund Mcmillen & Florian Himsl ) -- C:\Users\AdMiN\Desktop\Isaac.exe [2013-06-12 17:26:14 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe [2013-06-12 17:26:14 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl [2013-06-09 20:17:04 | 000,000,227 | ---- | M] () -- C:\Users\AdMiN\Documents\hasla.rtf [2013-06-08 16:06:58 | 000,526,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll [2013-06-08 14:30:28 | 000,000,228 | ---- | M] () -- C:\Users\AdMiN\Documents\fksdfnosnfipojsojgnwpoigjnowiowjfowbfgiwjhiowg.rtf [2013-06-08 13:40:02 | 000,391,168 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll [2013-06-06 19:13:01 | 000,000,307 | ---- | M] () -- C:\Users\AdMiN\Documents\ddddd.rtf [color=#E56717]========== Files Created - No Company Name ==========[/color] [2013-07-06 12:51:02 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempTN2132.html [2013-07-06 12:51:02 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempOu2132.html [2013-07-06 10:28:44 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempGp1400.html [2013-07-06 10:28:44 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempcP1400.html [2013-07-06 02:23:57 | 000,971,646 | ---- | C] () -- C:\Users\AdMiN\Desktop\olusiafotosek.png [2013-07-06 01:45:20 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\Templm2416.html [2013-07-06 01:45:20 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempJv2416.html [2013-07-05 23:29:26 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\Tempgj2708.html [2013-07-05 23:29:26 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempWb2708.html [2013-07-05 19:34:58 | 000,007,091 | ---- | C] () -- C:\Users\AdMiN\.recently-used.xbel [2013-07-05 19:34:46 | 000,327,695 | ---- | C] () -- C:\Users\AdMiN\Desktop\20130704_170251 - Kopia.jpg [2013-07-05 19:16:19 | 000,313,880 | ---- | C] () -- C:\Users\AdMiN\Desktop\photo2.png [2013-07-05 19:14:38 | 000,327,695 | ---- | C] () -- C:\Users\AdMiN\Desktop\20130704_170251.jpg [2013-07-05 18:58:22 | 000,550,131 | ---- | C] () -- C:\Users\AdMiN\Desktop\photo.png [2013-07-05 15:27:22 | 000,352,027 | ---- | C] () -- C:\Users\AdMiN\Desktop\cenzura!.png [2013-07-05 09:41:00 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempVi2212.html [2013-07-05 09:41:00 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempMG2212.html [2013-07-05 00:26:09 | 000,041,990 | ---- | C] () -- C:\Users\AdMiN\Desktop\olazaczepki.png [2013-07-04 23:56:00 | 000,231,344 | ---- | C] () -- C:\Users\AdMiN\Desktop\kotek-slodki.jpeg [2013-07-04 23:29:35 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempIx3352.html [2013-07-04 23:29:35 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempJt3352.html [2013-07-04 23:29:23 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempLg5324.html [2013-07-04 23:27:53 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempVp1496.html [2013-07-04 23:27:41 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempGd6012.html [2013-07-04 23:27:41 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempbY6012.html [2013-07-04 23:27:08 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempMS5132.html [2013-07-04 23:27:01 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempHE5132.html [2013-07-04 23:26:37 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempZk4576.html [2013-07-04 23:26:20 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempoN1976.html [2013-07-04 23:26:20 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempDi1976.html [2013-07-04 22:15:52 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempEF3768.html [2013-07-04 22:15:52 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempCo3768.html [2013-07-04 22:15:30 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempCZ2500.html [2013-07-04 21:31:57 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempIz6092.html [2013-07-04 20:12:07 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\Tempam2664.html [2013-07-04 08:37:27 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\Tempfw2888.html [2013-07-04 08:37:27 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempRd2888.html [2013-07-03 23:02:15 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\Tempml2392.html [2013-07-03 23:02:15 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempAb2392.html [2013-07-03 09:38:35 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\Temphl2940.html [2013-07-03 09:38:35 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempIz2940.html [2013-07-02 23:28:31 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TemprS3932.html [2013-07-02 23:28:31 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempgL3932.html [2013-07-02 20:35:15 | 000,414,754 | ---- | C] () -- C:\Users\AdMiN\Desktop\lajtenswag - Kopia.png [2013-07-02 17:46:19 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempnT2700.html [2013-07-02 17:46:19 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempgT2700.html [2013-07-02 11:22:01 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempLS2416.html [2013-07-02 11:21:58 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempUe2416.html [2013-07-02 11:21:58 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempJN2416.html [2013-07-01 21:58:22 | 000,000,245 | ---- | C] () -- C:\Users\AdMiN\Documents\przerobkaola.rtf [2013-07-01 10:38:54 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempsH2616.html [2013-07-01 10:38:53 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\Tempmx2616.html [2013-07-01 10:38:53 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempuK2616.html [2013-06-30 23:39:49 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempIm5320.html [2013-06-30 23:39:49 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\Tempck5320.html [2013-06-30 23:39:49 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempRp5320.html [2013-06-30 23:39:49 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\Temppc5320.html [2013-06-30 23:33:16 | 000,000,228 | ---- | C] () -- C:\Users\AdMiN\Documents\ggnicola.rtf [2013-06-30 23:30:35 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempTk6176.html [2013-06-30 22:03:08 | 000,000,225 | ---- | C] () -- C:\Users\AdMiN\Documents\numery.rtf [2013-06-30 13:02:34 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempqN2616.html [2013-06-30 11:15:16 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempGu2416.html [2013-06-30 11:15:16 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempKj2416.html [2013-06-30 02:04:00 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\Tempcw1896.html [2013-06-30 02:04:00 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempYc1896.html [2013-06-29 23:58:17 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempuA2044.html [2013-06-29 23:58:17 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\Tempfr2044.html [2013-06-29 20:40:04 | 000,000,194 | ---- | C] () -- C:\Users\AdMiN\Documents\phonegg.rtf [2013-06-29 14:16:24 | 000,367,745 | ---- | C] () -- C:\Users\AdMiN\Documents\gimer.rtf [2013-06-29 11:51:00 | 000,002,382 | ---- | C] () -- C:\Users\AdMiN\Desktop\Google Chrome.lnk [2013-06-29 11:24:49 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempNW2624.html [2013-06-29 11:24:49 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\Tempdv2624.html [2013-06-28 19:45:20 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\Tempfd3300.html [2013-06-28 19:45:20 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempIP3300.html [2013-06-28 19:22:18 | 000,035,999 | ---- | C] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-06-28 19_22_18.167968.dmp [2013-06-28 18:46:37 | 000,001,069 | ---- | C] () -- C:\Users\AdMiN\Desktop\Odkurzacz.lnk [2013-06-27 21:15:19 | 000,000,175 | ---- | C] () -- C:\Windows\SysNative\drivers\aswVmm.sys.sum [2013-06-27 09:51:40 | 000,000,175 | ---- | C] () -- C:\Windows\SysNative\drivers\aswSP.sys.sum [2013-06-27 09:51:40 | 000,000,175 | ---- | C] () -- C:\Windows\SysNative\drivers\aswSnx.sys.sum [2013-06-25 21:45:02 | 000,185,638 | ---- | C] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-06-25 21_45_02.485351.dmp [2013-06-19 15:33:21 | 000,038,381 | ---- | C] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-06-19 15_33_21.033203.dmp [2013-06-17 20:42:54 | 000,001,228 | ---- | C] () -- C:\Users\AdMiN\Desktop\Voice Changer 7.0 Diamond.lnk [2013-06-15 02:01:30 | 000,000,000 | ---- | C] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-06-15 02_01_30.484375.dmp [2013-06-14 18:30:26 | 000,001,009 | ---- | C] () -- C:\Users\Public\Desktop\Gadu-Gadu 10.lnk [2013-06-14 18:30:21 | 000,001,021 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gadu-Gadu 10.lnk [2013-06-14 16:25:04 | 000,000,194 | ---- | C] () -- C:\Users\AdMiN\Documents\gjegje.rtf [2013-06-13 23:30:48 | 422,743,641 | ---- | C] () -- C:\Windows\MEMORY.DMP [2013-06-09 20:17:04 | 000,000,227 | ---- | C] () -- C:\Users\AdMiN\Documents\hasla.rtf [2013-06-08 14:30:28 | 000,000,228 | ---- | C] () -- C:\Users\AdMiN\Documents\fksdfnosnfipojsojgnwpoigjnowiowjfowbfgiwjhiowg.rtf [2013-06-06 19:13:01 | 000,000,307 | ---- | C] () -- C:\Users\AdMiN\Documents\ddddd.rtf [2011-12-24 21:11:04 | 000,012,800 | ---- | C] () -- C:\Windows\SysWow64\drivers\gHidUsbF.sys [2011-12-24 21:11:04 | 000,007,808 | ---- | C] () -- C:\Windows\SysWow64\drivers\gflmouhid.sys [2011-12-11 17:20:21 | 001,575,648 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2011-11-20 16:34:55 | 000,000,000 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\{10507D18-1E8C-489F-93FD-9B7211C0A28C} [2011-11-01 17:17:23 | 000,000,336 | ---- | C] () -- C:\Windows\game.ini [2011-10-21 18:05:19 | 000,650,752 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll [2011-10-21 18:05:19 | 000,243,200 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll [2011-10-21 18:05:19 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini [2011-10-21 18:05:18 | 000,074,752 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll [2011-10-21 17:47:37 | 000,175,616 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll [2011-10-21 17:12:15 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin [2011-09-14 11:47:40 | 000,053,760 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll [color=#E56717]========== ZeroAccess Check ==========[/color] [2009-07-14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2013-02-27 07:52:56 | 014,172,672 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2013-02-27 06:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009-07-14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010-11-20 04:19:04 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009-07-14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] < End of report >

**Posty:** 18165 · przez **wojtas** 10 Lip 2013, 16:53

O4 - HKLM..\Run: [mouseElf] C:\PROGRA~2\ERGOME~1\MouseElf.EXE ()

znasz?

Uruchom OTL i w sekcji własne opcje skanowania / skrypt wklej:

:OTL
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0Fzz0DtCtCtCtC0A0EyByBzy0A0A0CtBtN0D0Tzu0CtByEyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=973264983
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0Fzz0DtCtCtCtC0A0EyByBzy0A0A0CtBtN0D0Tzu0CtByEyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=973264983
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
[2013-06-28 18:40:53 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Roaming\Omiga Plus
[2013-06-28 18:40:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Omiga Plus

:Files
C:\Users\AdMiN\AppData\Local\Temp*.html

:Commands
[emptytemp]

Kliknij wykonaj skrypt. I potwierdź reset komputera .

Następnie uruchamiasz OTL z opcją skanuj. Pokazujesz nowy log OTL.txt oraz raport z czyszczenia (zawartość notatnika, która otworzyła się po restarcie).

**Posty:** 5 · przez **Laytenek** 26 Lip 2013, 23:44

LOG, który się otworzył po restarcie komputera:

Kod: Zaznacz wszystko: All processes killed ========== OTL ========== 64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\ deleted successfully. 64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\ not found. Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found. C:\Users\AdMiN\AppData\Roaming\Omiga Plus\wp folder moved successfully. C:\Users\AdMiN\AppData\Roaming\Omiga Plus\sysicons folder moved successfully. C:\Users\AdMiN\AppData\Roaming\Omiga Plus\icons folder moved successfully. C:\Users\AdMiN\AppData\Roaming\Omiga Plus\app\config\4 folder moved successfully. C:\Users\AdMiN\AppData\Roaming\Omiga Plus\app\config\3 folder moved successfully. C:\Users\AdMiN\AppData\Roaming\Omiga Plus\app\config\1 folder moved successfully. C:\Users\AdMiN\AppData\Roaming\Omiga Plus\app\config folder moved successfully. C:\Users\AdMiN\AppData\Roaming\Omiga Plus\app folder moved successfully. C:\Users\AdMiN\AppData\Roaming\Omiga Plus folder moved successfully. C:\Program Files (x86)\Omiga Plus folder moved successfully. ========== FILES ========== C:\Users\AdMiN\AppData\Local\TempBO4100.html moved successfully. C:\Users\AdMiN\AppData\Local\TempBz4100.html moved successfully. C:\Users\AdMiN\AppData\Local\Tempcz8032.html moved successfully. C:\Users\AdMiN\AppData\Local\TempEk1896.html moved successfully. C:\Users\AdMiN\AppData\Local\TempfV2584.html moved successfully. C:\Users\AdMiN\AppData\Local\TemphE3536.html moved successfully. C:\Users\AdMiN\AppData\Local\Tempiq4100.html moved successfully. C:\Users\AdMiN\AppData\Local\TempIY1896.html moved successfully. C:\Users\AdMiN\AppData\Local\TempJm8032.html moved successfully. C:\Users\AdMiN\AppData\Local\TempKD3536.html moved successfully. C:\Users\AdMiN\AppData\Local\TempNK8032.html moved successfully. C:\Users\AdMiN\AppData\Local\TempNZ8032.html moved successfully. C:\Users\AdMiN\AppData\Local\TempXW1748.html moved successfully. ========== COMMANDS ========== [EMPTYTEMP] User: AdMiN ->Temp folder emptied: 4133380 bytes ->Temporary Internet Files folder emptied: 15936563 bytes ->Java cache emptied: 0 bytes ->FireFox cache emptied: 398346287 bytes ->Google Chrome cache emptied: 80808336 bytes ->Opera cache emptied: 0 bytes ->Flash cache emptied: 2140 bytes User: All Users User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: Public %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32 (64bit) .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 645129 bytes %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 10904461 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 487,00 mb OTL by OldTimer - Version 3.2.69.0 log created on 07262013_232509 Files\Folders moved on Reboot... C:\Users\AdMiN\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully. C:\Users\AdMiN\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully. File\Folder C:\Windows\temp\TMP0000005ED828AC835EBF2118 not found! PendingFileRenameOperations files... Registry entries deleted on Reboot...

Kod: Zaznacz wszystko: OTL logfile created on: 2013-07-26 23:32:16 - Run 3 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\AdMiN\Downloads 64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.10.9200.16635) Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd 4,00 Gb Total Physical Memory | 2,41 Gb Available Physical Memory | 60,28% Memory free 8,00 Gb Paging File | 6,26 Gb Available in Paging File | 78,24% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 195,21 Gb Total Space | 119,66 Gb Free Space | 61,30% Space Free | Partition Type: NTFS Drive D: | 244,14 Gb Total Space | 243,72 Gb Free Space | 99,83% Space Free | Partition Type: NTFS Drive E: | 244,14 Gb Total Space | 243,74 Gb Free Space | 99,84% Space Free | Partition Type: NTFS Drive F: | 247,92 Gb Total Space | 247,51 Gb Free Space | 99,84% Space Free | Partition Type: NTFS Computer Name: ADMIN-KOMPUTER | User Name: AdMiN | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days [color=#E56717]========== Processes (SafeList) ==========[/color] PRC - [2013-07-25 09:55:06 | 000,376,896 | ---- | M] (Wsys Co., Ltd.) -- C:\ProgramData\eSafe\eGdpSvc.exe PRC - [2013-07-03 09:53:23 | 000,920,472 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe PRC - [2013-06-29 14:24:14 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\AdMiN\Downloads\OTL.com PRC - [2013-06-28 18:40:54 | 000,424,104 | ---- | M] (Taiwan Shui Mu Chih Ching Technology Limited.) -- C:\Program Files (x86)\WinZipper\winzipersvc.exe PRC - [2013-06-12 17:26:14 | 001,855,880 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_224.exe PRC - [2013-05-10 09:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe PRC - [2013-05-09 10:58:30 | 004,858,968 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe PRC - [2013-05-09 10:58:30 | 000,046,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe PRC - [2010-03-12 00:14:00 | 011,792,992 | ---- | M] (GG Network S.A.) -- C:\Program Files (x86)\Gadu-Gadu 10\gg.exe [color=#E56717]========== Modules (No Company Name) ==========[/color] MOD - [2013-07-03 09:53:22 | 003,285,912 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll MOD - [2013-06-12 17:26:13 | 016,033,160 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll MOD - [2010-03-12 00:16:12 | 000,217,696 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\gglog.dll MOD - [2010-03-12 00:16:10 | 000,123,488 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\ggipcradioproxy.dll MOD - [2010-03-12 00:16:08 | 000,017,504 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\ggipc.dll MOD - [2010-03-12 00:16:04 | 000,027,744 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\ggcrypto.dll MOD - [2010-03-12 00:16:02 | 000,356,960 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\ggcommon.dll MOD - [2010-03-11 11:05:22 | 008,806,400 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtGui4.dll MOD - [2010-02-26 07:02:52 | 002,400,256 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtCore4.dll MOD - [2010-02-26 07:02:52 | 001,511,424 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtScript4.dll MOD - [2010-02-26 07:02:52 | 001,036,288 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtNetwork4.dll MOD - [2010-02-26 07:02:52 | 000,389,120 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtXml4.dll MOD - [2010-02-26 07:02:52 | 000,323,584 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtSvg4.dll MOD - [2010-02-26 07:02:50 | 013,545,472 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtWebKit4.dll MOD - [2010-02-26 07:02:46 | 003,334,144 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\QtXmlPatterns4.dll MOD - [2010-02-26 07:02:10 | 000,311,296 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\imageformats\qtiff4.dll MOD - [2010-02-26 07:02:10 | 000,274,432 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\imageformats\qmng4.dll MOD - [2010-02-26 07:02:10 | 000,143,360 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\imageformats\qjpeg4.dll MOD - [2010-02-26 07:02:10 | 000,027,648 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\imageformats\qgif4.dll MOD - [2010-02-26 07:02:10 | 000,018,944 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\imageformats\qsvg4.dll MOD - [2010-02-17 17:33:22 | 000,059,904 | ---- | M] () -- C:\Program Files (x86)\Gadu-Gadu 10\zlib1.dll [color=#E56717]========== Services (SafeList) ==========[/color] SRV:[b]64bit:[/b] - [2013-05-27 07:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend) SRV:[b]64bit:[/b] - [2013-05-09 10:58:30 | 000,046,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus) SRV:[b]64bit:[/b] - [2011-09-08 19:29:56 | 000,204,288 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility) SRV:[b]64bit:[/b] - [2009-07-14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt) SRV - [2013-07-25 09:55:06 | 000,376,896 | ---- | M] (Wsys Co., Ltd.) [Auto | Running] -- C:\ProgramData\eSafe\eGdpSvc.exe -- (WsysSvc) SRV - [2013-07-03 09:53:22 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2013-06-28 18:40:54 | 000,424,104 | ---- | M] (Taiwan Shui Mu Chih Ching Technology Limited.) [Auto | Running] -- C:\Program Files (x86)\WinZipper\winzipersvc.exe -- (winzipersvc) SRV - [2013-06-12 17:26:14 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013-05-10 09:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2013-02-08 18:45:52 | 000,008,704 | ---- | M] (Hi-Rez Studios) [Auto | Paused] -- C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe -- (HiPatchService) SRV - [2012-02-15 14:30:18 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2009-06-10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) [color=#E56717]========== Driver Services (SafeList) ==========[/color] DRV:[b]64bit:[/b] - [2013-06-27 21:15:19 | 001,030,952 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx) DRV:[b]64bit:[/b] - [2013-06-27 21:15:19 | 000,378,944 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP) DRV:[b]64bit:[/b] - [2013-06-27 21:15:19 | 000,189,936 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswVmm.sys -- (aswVmm) DRV:[b]64bit:[/b] - [2013-05-09 10:59:07 | 000,072,016 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr) DRV:[b]64bit:[/b] - [2013-05-09 10:59:07 | 000,065,336 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswRvrt.sys -- (aswRvrt) DRV:[b]64bit:[/b] - [2013-05-09 10:59:07 | 000,064,288 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi) DRV:[b]64bit:[/b] - [2013-05-09 10:59:06 | 000,080,816 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt) DRV:[b]64bit:[/b] - [2013-05-09 10:59:06 | 000,033,400 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk) DRV:[b]64bit:[/b] - [2012-07-03 18:21:52 | 000,019,600 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswKbd.sys -- (aswKbd) DRV:[b]64bit:[/b] - [2012-03-01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:[b]64bit:[/b] - [2011-09-08 20:27:22 | 010,203,648 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag) DRV:[b]64bit:[/b] - [2011-09-08 18:52:40 | 000,310,784 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap) DRV:[b]64bit:[/b] - [2010-11-20 05:33:36 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:[b]64bit:[/b] - [2010-11-20 05:32:48 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:[b]64bit:[/b] - [2010-11-20 05:32:48 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:[b]64bit:[/b] - [2010-11-20 03:07:06 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:[b]64bit:[/b] - [2010-11-20 03:03:44 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport) DRV:[b]64bit:[/b] - [2010-03-04 15:43:00 | 000,346,144 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167) DRV:[b]64bit:[/b] - [2010-01-05 19:23:18 | 001,847,296 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athurx.sys -- (athur) DRV:[b]64bit:[/b] - [2009-11-25 15:06:02 | 001,276,928 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\viahduaa.sys -- (VIAHdAudAddService) DRV:[b]64bit:[/b] - [2009-07-14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:[b]64bit:[/b] - [2009-07-14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:[b]64bit:[/b] - [2009-07-14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:[b]64bit:[/b] - [2009-06-10 22:35:38 | 000,707,072 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netr7364.sys -- (netr7364) DRV:[b]64bit:[/b] - [2009-06-10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:[b]64bit:[/b] - [2009-06-10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:[b]64bit:[/b] - [2009-06-10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:[b]64bit:[/b] - [2009-06-10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV:[b]64bit:[/b] - [2009-03-18 18:35:42 | 000,033,856 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hamachi.sys -- (hamachi) DRV:[b]64bit:[/b] - [2008-12-26 12:56:04 | 000,021,504 | ---- | M] (Avnex) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vcsvad.sys -- (VCSVADHWSer) DRV - [2009-07-14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) [color=#E56717]========== Standard Registry (SafeList) ==========[/color] [color=#E56717]========== Internet Explorer ==========[/color] IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990} IE - HKLM\..\SearchScopes,DefaultScope = IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\..\SearchScopes\{7784277D-53CB-5A00-1444-5027E0238AFB}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.pl/http://www.google.pl/ [binary data] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com IE - HKCU\..\SearchScopes,Backup.Old.DefaultScope = {A5FB86C7-94DC-486B-A602-9E694914256B} IE - HKCU\..\SearchScopes,DefaultScope = {7784277D-53CB-5A00-1444-5027E0238AFB} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR IE - HKCU\..\SearchScopes\{7784277D-53CB-5A00-1444-5027E0238AFB}: "URL" = http://www.google.com/search?hl=pl&q={searchTerms}&rlz=1I7ADSA_plPL456 IE - HKCU\..\SearchScopes\{A5FB86C7-94DC-486B-A602-9E694914256B}: "URL" = http://www.google.com/search?hl=pl&q={searchTerms}&rlz=1I7ADSA_plPL456 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 [color=#E56717]========== FireFox ==========[/color] FF - prefs.js..extensions.enabledAddons: wrc%40avast.com:8.0.1489 FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:22.0 FF - user.js - File not found FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll File not found FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.138.0: C:\Program Files (x86)\Battlelog Web Plugins\1.138.0\npesnlaunch.dll (ESN Social Software AB) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks) FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files (x86)\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files (x86)\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.) FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\AdMiN\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.) FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\AdMiN\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.) FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\AdMiN\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS) FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks) 64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX 64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FE1DEEEA-DB6D-44b8-83F0-34FC0F9D1052}: C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013-05-17 21:40:19 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 22.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 22.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 22.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 22.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012-11-01 23:25:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\AdMiN\AppData\Roaming\mozilla\Extensions [2013-07-03 09:53:19 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions [2013-07-03 09:53:19 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2013-07-03 09:53:18 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\browser\extensions [2013-07-03 09:53:23 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\mozilla firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2013-05-17 21:40:19 | 000,000,000 | ---D | M] (avast! Online Security) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF [color=#E56717]========== Chrome ==========[/color] CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding} CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter} CHR - plugin: Shockwave Flash (Enabled) = C:\Users\AdMiN\AppData\Local\Google\Chrome\Application\28.0.1500.72\PepperFlash\pepflashplayer.dll CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = C:\Users\AdMiN\AppData\Local\Google\Chrome\Application\28.0.1500.72\ppGoogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\AdMiN\AppData\Local\Google\Chrome\Application\28.0.1500.72\pdf.dll CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll CHR - plugin: Java(TM) Platform SE 6 U29 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll CHR - plugin: ESN Launch Mozilla Plugin (Enabled) = C:\Program Files (x86)\Battlelog Web Plugins\1.138.0\npesnlaunch.dll CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files (x86)\Real Alternative\browser\plugins\nppl3260.dll CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files (x86)\Real Alternative\browser\plugins\nprpjplug.dll CHR - plugin: Unity Player (Enabled) = C:\Users\AdMiN\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll CHR - Extension: Skype Click to Call = C:\Users\AdMiN\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.9.0.9216_0\ O1 HOSTS File: ([2009-06-10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O2:[b]64bit:[/b] - BHO: (avast! Online Security) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software) O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O2 - BHO: (IEPluginBHO Class) - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\ProgramData\Gadu-Gadu 10\_userdata\ggbho.2.dll (GG Network S.A.) O3:[b]64bit:[/b] - HKLM\..\Toolbar: (avast! Online Security) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software) O3 - HKLM\..\Toolbar: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) O4:[b]64bit:[/b] - HKLM..\Run: [VIAAUD] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VIAAUD.exe File not found O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software) O4 - HKLM..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe (VIA) O4 - HKLM..\Run: [mouseElf] C:\PROGRA~2\ERGOME~1\MouseElf.EXE () O4 - HKCU..\Run: [Gadu-Gadu 10] C:\Program Files (x86)\Gadu-Gadu 10\gg.exe (GG Network S.A.) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O13[b]64bit:[/b] - gopher Prefix: missing O13 - gopher Prefix: missing O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 62.179.1.61 62.179.1.60 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0DAE7950-74D4-41B4-B823-39DF3D77F917}: DhcpNameServer = 62.179.1.61 62.179.1.60 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{917837A2-A4F9-42FF-BC8C-3DAF76402372}: DhcpNameServer = 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A798F599-1EFC-4937-804E-037290F7D528}: DhcpNameServer = 95.160.170.92 88.156.222.92 82.139.8.40 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EFD1AEBE-BB0A-466B-910E-FCFCD8A003F5}: DhcpNameServer = 192.168.0.1 O18:[b]64bit:[/b] - Protocol\Handler\skype4com - No CLSID value found O18:[b]64bit:[/b] - Protocol\Handler\skype-ie-addon-data - No CLSID value found O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies) O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O20:[b]64bit:[/b] - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:[b]64bit:[/b] - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation) O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O33 - MountPoints2\G\Shell - "" = AutoRun O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\setup.exe O34 - HKLM BootExecute: (autocheck autochk *) O35:[b]64bit:[/b] - HKLM\..comfile [open] -- "%1" %* O35:[b]64bit:[/b] - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:[b]64bit:[/b] - HKLM\...com [@ = comfile] -- "%1" %* O37:[b]64bit:[/b] - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) [color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color] [2013-07-26 23:25:09 | 000,000,000 | ---D | C] -- C:\_OTL [2013-07-25 09:55:06 | 000,000,000 | ---D | C] -- C:\ProgramData\eSafe [2013-07-25 09:55:02 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Roaming\eDownload [2013-07-22 21:43:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Armia Podkarpacki OTS [2013-07-22 21:43:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Armia Podkarpacki OTS [2013-07-10 01:02:13 | 000,526,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll [2013-07-10 01:02:13 | 000,391,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll [2013-07-10 01:02:12 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll [2013-07-10 01:02:12 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll [2013-07-10 01:02:12 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll [2013-07-10 01:02:11 | 000,136,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesysprep.dll [2013-07-10 01:02:11 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesysprep.dll [2013-07-10 01:02:11 | 000,089,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RegisterIEPKEYs.exe [2013-07-10 01:02:11 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RegisterIEPKEYs.exe [2013-07-10 01:02:11 | 000,051,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe [2013-07-10 01:02:11 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll [2013-07-10 01:02:10 | 000,603,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll [2013-07-10 01:02:09 | 003,958,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll [2013-07-10 01:02:09 | 000,855,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll [2013-07-10 01:02:09 | 000,690,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll [2013-07-09 20:25:47 | 000,624,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\qedit.dll [2013-07-09 20:25:46 | 000,509,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\qedit.dll [2013-07-09 20:25:42 | 001,887,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WMVDECOD.DLL [2013-07-09 20:25:42 | 001,620,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\WMVDECOD.DLL [2013-07-09 20:25:08 | 001,643,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll [2013-07-06 13:06:47 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Roaming\.minecraftzyczu [2013-07-03 09:53:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox [2013-06-30 23:33:21 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Local\cache [2013-06-28 18:46:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Odkurzacz [2013-06-28 18:46:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Odkurzacz [2013-06-28 18:40:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZipper [2013-06-28 18:40:55 | 000,000,000 | ---D | C] -- C:\Users\AdMiN\AppData\Roaming\WinZipper [2013-06-28 18:40:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WinZipper [color=#E56717]========== Files - Modified Within 30 Days ==========[/color] [2013-07-26 23:33:00 | 000,001,046 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2013-07-26 23:32:00 | 000,001,058 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3801769967-3764758835-2792484388-1000UA.job [2013-07-26 23:29:38 | 000,002,432 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempaG2888.html [2013-07-26 23:29:38 | 000,002,089 | ---- | M] () -- C:\Users\AdMiN\AppData\Local\TempRk2888.html [2013-07-26 23:28:33 | 000,001,042 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2013-07-26 23:28:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013-07-26 23:27:50 | 3220,627,456 | -HS- | M] () -- C:\hiberfil.sys [2013-07-26 23:26:00 | 000,000,930 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013-07-26 15:14:22 | 000,386,473 | ---- | M] () -- C:\Users\AdMiN\Desktop\1003717_548478928546657_1403319546_n.png [2013-07-26 11:41:18 | 000,010,416 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013-07-26 11:41:17 | 000,010,416 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013-07-25 23:34:49 | 000,000,194 | ---- | M] () -- C:\Users\AdMiN\Documents\olagg.rtf [2013-07-25 23:24:35 | 000,034,767 | ---- | M] () -- C:\Users\AdMiN\Desktop\1011940_605212792846684_929589767_n.jpg [2013-07-25 23:24:27 | 000,037,437 | ---- | M] () -- C:\Users\AdMiN\Desktop\1001041_603828822985081_435118981_n.jpg [2013-07-25 23:24:03 | 000,042,649 | ---- | M] () -- C:\Users\AdMiN\Desktop\1001128_605187926182504_923411060_n.jpg [2013-07-25 11:32:00 | 000,001,006 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3801769967-3764758835-2792484388-1000Core.job [2013-07-25 11:20:03 | 002,257,478 | ---- | M] () -- C:\Users\AdMiN\Desktop\tipja.png [2013-07-25 10:00:45 | 000,001,235 | ---- | M] () -- C:\Users\Public\Desktop\APO 7.6.lnk [2013-07-25 09:57:02 | 002,781,395 | ---- | M] () -- C:\Users\AdMiN\Desktop\expimy.png [2013-07-24 15:14:03 | 000,000,265 | ---- | M] () -- C:\Users\AdMiN\Documents\lolpassy.rtf [2013-07-22 13:44:41 | 000,026,878 | ---- | M] () -- C:\Users\AdMiN\Desktop\1017210_599125743455389_1059917517_n.jpg [2013-07-22 13:37:28 | 000,027,644 | ---- | M] () -- C:\Users\AdMiN\Desktop\1000468_607115232656440_674362026_n.jpg [2013-07-20 18:48:30 | 000,049,268 | ---- | M] () -- C:\Users\AdMiN\Desktop\adam-sandler.jpg [2013-07-18 23:44:26 | 000,000,194 | ---- | M] () -- C:\Users\AdMiN\Documents\martyna.rtf [2013-07-18 23:12:02 | 000,009,010 | ---- | M] () -- C:\Users\AdMiN\.recently-used.xbel [2013-07-15 19:49:33 | 000,102,175 | ---- | M] () -- C:\Users\AdMiN\Desktop\PIESEGXD.jpg [2013-07-13 21:32:57 | 000,002,382 | ---- | M] () -- C:\Users\AdMiN\Desktop\Google Chrome.lnk [2013-07-10 09:38:01 | 000,274,840 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT [2013-07-07 23:10:25 | 000,011,643 | ---- | M] () -- C:\Users\AdMiN\Documents\mkospina.rtf [2013-07-07 18:15:54 | 000,035,999 | ---- | M] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-07-07 18_15_49.399414.dmp [2013-07-06 13:06:42 | 003,430,458 | ---- | M] () -- C:\Users\AdMiN\Desktop\mc.jar [2013-07-01 21:58:23 | 000,000,245 | ---- | M] () -- C:\Users\AdMiN\Documents\przerobkaola.rtf [2013-06-30 23:33:16 | 000,000,228 | ---- | M] () -- C:\Users\AdMiN\Documents\ggnicola.rtf [2013-06-30 22:45:08 | 000,000,225 | ---- | M] () -- C:\Users\AdMiN\Documents\numery.rtf [2013-06-29 20:40:04 | 000,000,194 | ---- | M] () -- C:\Users\AdMiN\Documents\phonegg.rtf [2013-06-29 14:16:24 | 000,367,745 | ---- | M] () -- C:\Users\AdMiN\Documents\gimer.rtf [2013-06-28 19:41:11 | 000,001,059 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2013-06-28 19:22:21 | 000,035,999 | ---- | M] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-06-28 19_22_18.167968.dmp [2013-06-28 18:46:38 | 000,001,069 | ---- | M] () -- C:\Users\AdMiN\Desktop\Odkurzacz.lnk [2013-06-28 18:40:53 | 000,773,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\msvcr100.dll [2013-06-28 18:40:53 | 000,421,032 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\msvcp100.dll [2013-06-27 21:15:19 | 001,030,952 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys [2013-06-27 21:15:19 | 000,378,944 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys [2013-06-27 21:15:19 | 000,189,936 | ---- | M] () -- C:\Windows\SysNative\drivers\aswVmm.sys [2013-06-27 21:15:19 | 000,000,175 | ---- | M] () -- C:\Windows\SysNative\drivers\aswVmm.sys.sum [2013-06-27 21:15:19 | 000,000,175 | ---- | M] () -- C:\Windows\SysNative\drivers\aswSP.sys.sum [2013-06-27 21:15:19 | 000,000,175 | ---- | M] () -- C:\Windows\SysNative\drivers\aswSnx.sys.sum [color=#E56717]========== Files Created - No Company Name ==========[/color] [2013-07-26 23:29:38 | 000,002,432 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempaG2888.html [2013-07-26 23:29:38 | 000,002,089 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\TempRk2888.html [2013-07-26 15:14:21 | 000,386,473 | ---- | C] () -- C:\Users\AdMiN\Desktop\1003717_548478928546657_1403319546_n.png [2013-07-25 23:34:49 | 000,000,194 | ---- | C] () -- C:\Users\AdMiN\Documents\olagg.rtf [2013-07-25 23:24:34 | 000,034,767 | ---- | C] () -- C:\Users\AdMiN\Desktop\1011940_605212792846684_929589767_n.jpg [2013-07-25 23:24:27 | 000,037,437 | ---- | C] () -- C:\Users\AdMiN\Desktop\1001041_603828822985081_435118981_n.jpg [2013-07-25 23:24:00 | 000,042,649 | ---- | C] () -- C:\Users\AdMiN\Desktop\1001128_605187926182504_923411060_n.jpg [2013-07-25 11:19:05 | 002,257,478 | ---- | C] () -- C:\Users\AdMiN\Desktop\tipja.png [2013-07-25 09:57:01 | 002,781,395 | ---- | C] () -- C:\Users\AdMiN\Desktop\expimy.png [2013-07-24 15:14:03 | 000,000,265 | ---- | C] () -- C:\Users\AdMiN\Documents\lolpassy.rtf [2013-07-22 21:43:24 | 000,001,235 | ---- | C] () -- C:\Users\Public\Desktop\APO 7.6.lnk [2013-07-22 13:44:40 | 000,026,878 | ---- | C] () -- C:\Users\AdMiN\Desktop\1017210_599125743455389_1059917517_n.jpg [2013-07-22 13:37:24 | 000,027,644 | ---- | C] () -- C:\Users\AdMiN\Desktop\1000468_607115232656440_674362026_n.jpg [2013-07-20 18:48:29 | 000,049,268 | ---- | C] () -- C:\Users\AdMiN\Desktop\adam-sandler.jpg [2013-07-18 23:44:25 | 000,000,194 | ---- | C] () -- C:\Users\AdMiN\Documents\martyna.rtf [2013-07-18 23:12:02 | 000,009,010 | ---- | C] () -- C:\Users\AdMiN\.recently-used.xbel [2013-07-15 19:48:44 | 000,102,175 | ---- | C] () -- C:\Users\AdMiN\Desktop\PIESEGXD.jpg [2013-07-07 23:10:25 | 000,011,643 | ---- | C] () -- C:\Users\AdMiN\Documents\mkospina.rtf [2013-07-07 18:15:49 | 000,035,999 | ---- | C] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-07-07 18_15_49.399414.dmp [2013-07-06 13:06:40 | 003,430,458 | ---- | C] () -- C:\Users\AdMiN\Desktop\mc.jar [2013-07-01 21:58:22 | 000,000,245 | ---- | C] () -- C:\Users\AdMiN\Documents\przerobkaola.rtf [2013-06-30 23:33:16 | 000,000,228 | ---- | C] () -- C:\Users\AdMiN\Documents\ggnicola.rtf [2013-06-30 22:03:08 | 000,000,225 | ---- | C] () -- C:\Users\AdMiN\Documents\numery.rtf [2013-06-29 20:40:04 | 000,000,194 | ---- | C] () -- C:\Users\AdMiN\Documents\phonegg.rtf [2013-06-29 14:16:24 | 000,367,745 | ---- | C] () -- C:\Users\AdMiN\Documents\gimer.rtf [2013-06-29 11:51:00 | 000,002,382 | ---- | C] () -- C:\Users\AdMiN\Desktop\Google Chrome.lnk [2013-06-28 19:22:18 | 000,035,999 | ---- | C] () -- C:\Users\AdMiN\Documents\ts3_clientui-win32-1361977727-2013-06-28 19_22_18.167968.dmp [2013-06-28 18:46:37 | 000,001,069 | ---- | C] () -- C:\Users\AdMiN\Desktop\Odkurzacz.lnk [2013-06-27 21:15:19 | 000,000,175 | ---- | C] () -- C:\Windows\SysNative\drivers\aswVmm.sys.sum [2013-06-27 09:51:40 | 000,000,175 | ---- | C] () -- C:\Windows\SysNative\drivers\aswSP.sys.sum [2013-06-27 09:51:40 | 000,000,175 | ---- | C] () -- C:\Windows\SysNative\drivers\aswSnx.sys.sum [2011-12-24 21:11:04 | 000,012,800 | ---- | C] () -- C:\Windows\SysWow64\drivers\gHidUsbF.sys [2011-12-24 21:11:04 | 000,007,808 | ---- | C] () -- C:\Windows\SysWow64\drivers\gflmouhid.sys [2011-12-11 17:20:21 | 001,575,648 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2011-11-20 16:34:55 | 000,000,000 | ---- | C] () -- C:\Users\AdMiN\AppData\Local\{10507D18-1E8C-489F-93FD-9B7211C0A28C} [2011-11-01 17:17:23 | 000,000,336 | ---- | C] () -- C:\Windows\game.ini [2011-10-21 18:05:19 | 000,650,752 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll [2011-10-21 18:05:19 | 000,243,200 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll [2011-10-21 18:05:19 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini [2011-10-21 18:05:18 | 000,074,752 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll [2011-10-21 17:47:37 | 000,175,616 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll [2011-10-21 17:12:15 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin [2011-09-14 11:47:40 | 000,053,760 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll [color=#E56717]========== ZeroAccess Check ==========[/color] [2009-07-14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2013-02-27 07:52:56 | 014,172,672 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2013-02-27 06:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009-07-14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010-11-20 04:19:04 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009-07-14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] < End of report >

Proszę o szybkie ogarnięcie tego co tutaj wstawiłem, czy już jest bezpiecznie czy jeszcze trzeba wykonać jakieś czynności? Pozdrawiam

**Posty:** 5 · przez **Laytenek** 04 Sie 2013, 10:37

Czy mógłby ktoś ogarnąć temat?

**Posty:** 4765 · przez **ordynat** 04 Sie 2013, 11:15

Temat prowadzi @wojtas, ale chyba przeoczył Twoją odpowiedź, wiec wyjątkowo ja odpowiem.
Uruchom OTL i w oknie Własne opcje skanowania/Skrypt wklej to:

:OTL
[2013-07-25 09:55:06 | 000,000,000 | ---D | C] -- C:\ProgramData\eSafe
SRV - [2013-07-25 09:55:06 | 000,376,896 | ---- | M] (Wsys Co., Ltd.) [Auto | Running] -- C:\ProgramData\eSafe\eGdpSvc.exe -- (WsysSvc)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O4:64bit: - HKLM..\Run: [VIAAUD] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VIAAUD.exe File not found
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found

:Files
C:\Users\AdMiN\AppData\Local\Temp*.html

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"

:Commands
[emptytemp]

Kliknij w Wykonaj Skrypt.

Jeśli problem "qvo6" już nie istnieje, to będziemy kończyć:
W Adw-Cleaner kliknij na przycisk Odinstaluj
W OTL kliknij na przycisk Sprzątanie - to go usunie razem z jego Kwarantanną.

Zainstaluj nowszą, bezpieczniejszą wersję Javy:
>http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html (wybierz: Windows x86 Offline)
Być może trzeba też zainstalować nowszą wersję Javy 64 bit >http://java.com/pl/download/faq/java_win64bit.xml

Kto jest na forum