GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-10-13 14:58:33 Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 WDC_WD1600BEVS-60RST0 rev.04.01G04 Running: 4m1x7rpr.exe; Driver: C:\Users\hyllk\AppData\Local\Temp\ugloipod.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8C0CF708] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8C92D7C8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8C0D011C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8C0DAF28] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8C0DAF74] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8C0DB0F6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8C0DAE96] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8C92DBBA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8C0DAEDE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x8C0D0310] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8C0DB0B0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x8C0D0A9C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8C0CF756] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8C92D8AC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8C0CF3BE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8C0CF7A4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8C0D4456] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8C0D1464] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8C0DAF52] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8C0DAF96] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8C0DB11A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8C0DAEBC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8C0DB03A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8C0DAF06] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8C0DB0D4] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8C92DA2C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8C0D1330] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0x8C0D0EDA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8C0CF7F2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8C0CF840] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x8C0D091C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8C0CF448] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8C0CF5F8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8C0CF59E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x8C0D0BFE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x8C0D0D5A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8C0CF668] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x8C92DAF6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x8C0D0794] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8C0CF88E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x8C92D962] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x8C0D0498] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8C945966] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!KeSetEvent + 10D 81CE07D0 4 Bytes [08, F7, 0C, 8C] {OR BH, DH; OR AL, 0x8c} .text ntkrnlpa.exe!KeSetEvent + 131 81CE07F4 4 Bytes [C8, D7, 92, 8C] {ENTER 0x92d7, 0x8c} .text ntkrnlpa.exe!KeSetEvent + 191 81CE0854 4 Bytes [1C, 01, 0D, 8C] .text ntkrnlpa.exe!KeSetEvent + 1D1 81CE0894 8 Bytes [28, AF, 0D, 8C, 74, AF, 0D, ...] .text ntkrnlpa.exe!KeSetEvent + 1DD 81CE08A0 4 Bytes [F6, B0, 0D, 8C] .text ... PAGE ntkrnlpa.exe!ObMakeTemporaryObject 81E0B633 5 Bytes JMP 8C942806 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObInsertObject 81E64593 5 Bytes JMP 8C944320 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 81E6DEB8 4 Bytes CALL 8C0D1B07 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 81E71B2C 4 Bytes CALL 8C0D1B1D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 81EC5E8C 7 Bytes JMP 8C94596A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x89A00340, 0x3ED9C7, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Windows\Explorer.EXE[200] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\system32\taskeng.exe[284] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\system32\svchost.exe[332] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\system32\csrss.exe[624] KERNEL32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\system32\wininit.exe[676] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text ... .text C:\Windows\system32\wbem\unsecapp.exe[1212] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 001501F8 .text C:\Windows\system32\wbem\unsecapp.exe[1212] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 001503FC .text C:\Windows\system32\wbem\unsecapp.exe[1212] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\system32\wbem\unsecapp.exe[1212] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 001703FC .text C:\Windows\system32\wbem\unsecapp.exe[1212] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00170600 .text C:\Windows\system32\wbem\unsecapp.exe[1212] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00171014 .text C:\Windows\system32\wbem\unsecapp.exe[1212] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00170804 .text C:\Windows\system32\wbem\unsecapp.exe[1212] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00170A08 .text C:\Windows\system32\wbem\unsecapp.exe[1212] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00170C0C .text C:\Windows\system32\wbem\unsecapp.exe[1212] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 00170E10 .text C:\Windows\system32\wbem\unsecapp.exe[1212] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 001701F8 .text C:\Windows\system32\wbem\unsecapp.exe[1212] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 00180600 .text C:\Windows\system32\wbem\unsecapp.exe[1212] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 00180804 .text C:\Windows\system32\wbem\unsecapp.exe[1212] USER32.dll!UnhookWindowsHookEx 761E98DB 5 Bytes JMP 00180A08 .text C:\Windows\system32\wbem\unsecapp.exe[1212] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 001801F8 .text C:\Windows\system32\wbem\unsecapp.exe[1212] USER32.dll!UnhookWinEvent 761EC06F 5 Bytes JMP 001803FC .text C:\Windows\system32\AUDIODG.EXE[1316] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\system32\svchost.exe[1340] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\system32\svchost.exe[1408] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\system32\rundll32.exe[1508] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1528] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 001501F8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1528] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 001503FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1528] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1528] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 00170600 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1528] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 00170804 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1528] USER32.dll!UnhookWindowsHookEx 761E98DB 5 Bytes JMP 00170A08 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1528] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 001701F8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1528] USER32.dll!UnhookWinEvent 761EC06F 5 Bytes JMP 001703FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1528] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 001903FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1528] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00190600 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1528] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00191014 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1528] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00190804 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1528] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00190A08 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1528] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00190C0C .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1528] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 00190E10 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1528] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 001901F8 .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1812] kernel32.dll!SetUnhandledExceptionFilter 76BAA8C5 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1812] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Users\hyllk\Downloads\4m1x7rpr.exe[1848] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 001501F8 .text C:\Users\hyllk\Downloads\4m1x7rpr.exe[1848] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 001503FC .text C:\Users\hyllk\Downloads\4m1x7rpr.exe[1848] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Users\hyllk\Downloads\4m1x7rpr.exe[1848] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 001903FC .text C:\Users\hyllk\Downloads\4m1x7rpr.exe[1848] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00190600 .text C:\Users\hyllk\Downloads\4m1x7rpr.exe[1848] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00191014 .text C:\Users\hyllk\Downloads\4m1x7rpr.exe[1848] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00190804 .text C:\Users\hyllk\Downloads\4m1x7rpr.exe[1848] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00190A08 .text C:\Users\hyllk\Downloads\4m1x7rpr.exe[1848] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00190C0C .text C:\Users\hyllk\Downloads\4m1x7rpr.exe[1848] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 00190E10 .text C:\Users\hyllk\Downloads\4m1x7rpr.exe[1848] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 001901F8 .text C:\Users\hyllk\Downloads\4m1x7rpr.exe[1848] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 001A0600 .text C:\Users\hyllk\Downloads\4m1x7rpr.exe[1848] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 001A0804 .text C:\Users\hyllk\Downloads\4m1x7rpr.exe[1848] USER32.dll!UnhookWindowsHookEx 761E98DB 5 Bytes JMP 001A0A08 .text C:\Users\hyllk\Downloads\4m1x7rpr.exe[1848] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 001A01F8 .text C:\Users\hyllk\Downloads\4m1x7rpr.exe[1848] USER32.dll!UnhookWinEvent 761EC06F 5 Bytes JMP 001A03FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1908] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 000401F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1908] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 000403FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1908] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1908] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 000603FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1908] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00060600 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1908] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00061014 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1908] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00060804 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1908] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00060A08 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1908] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00060C0C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1908] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 00060E10 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1908] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 000601F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1908] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 00070600 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1908] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 00070804 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1908] USER32.dll!UnhookWindowsHookEx 761E98DB 5 Bytes JMP 00070A08 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1908] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 000701F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1908] USER32.dll!UnhookWinEvent 761EC06F 5 Bytes JMP 000703FC .text C:\Windows\system32\Dwm.exe[1948] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[2008] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\system32\svchost.exe[2316] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[2316] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[2316] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\system32\svchost.exe[2316] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 001703FC .text C:\Windows\system32\svchost.exe[2316] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00170600 .text C:\Windows\system32\svchost.exe[2316] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00171014 .text C:\Windows\system32\svchost.exe[2316] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00170804 .text C:\Windows\system32\svchost.exe[2316] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00170A08 .text C:\Windows\system32\svchost.exe[2316] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00170C0C .text C:\Windows\system32\svchost.exe[2316] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 00170E10 .text C:\Windows\system32\svchost.exe[2316] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 001701F8 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2516] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 000501F8 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2516] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 000503FC .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2516] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2516] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 00090600 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2516] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 00090804 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2516] USER32.dll!UnhookWindowsHookEx 761E98DB 5 Bytes JMP 00090A08 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2516] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 000901F8 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2516] USER32.dll!UnhookWinEvent 761EC06F 5 Bytes JMP 000903FC .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2516] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 000A03FC .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2516] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 000A0600 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2516] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 000A1014 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2516] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 000A0804 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2516] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 000A0A08 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2516] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 000A0C0C .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2516] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 000A0E10 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2516] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 000A01F8 .text C:\Windows\system32\svchost.exe[2600] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[2600] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[2600] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\system32\svchost.exe[2600] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 001703FC .text C:\Windows\system32\svchost.exe[2600] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00170600 .text C:\Windows\system32\svchost.exe[2600] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00171014 .text C:\Windows\system32\svchost.exe[2600] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00170804 .text C:\Windows\system32\svchost.exe[2600] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00170A08 .text C:\Windows\system32\svchost.exe[2600] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00170C0C .text C:\Windows\system32\svchost.exe[2600] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 00170E10 .text C:\Windows\system32\svchost.exe[2600] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 001701F8 .text C:\Windows\system32\svchost.exe[2600] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 001F0600 .text C:\Windows\system32\svchost.exe[2600] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 001F0804 .text C:\Windows\system32\svchost.exe[2600] USER32.dll!UnhookWindowsHookEx 761E98DB 3 Bytes JMP 001F0A08 .text C:\Windows\system32\svchost.exe[2600] USER32.dll!UnhookWindowsHookEx + 4 761E98DF 1 Byte [8A] .text C:\Windows\system32\svchost.exe[2600] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 001F01F8 .text C:\Windows\system32\svchost.exe[2600] USER32.dll!UnhookWinEvent 761EC06F 3 Bytes JMP 001F03FC .text C:\Windows\system32\svchost.exe[2600] USER32.dll!UnhookWinEvent + 4 761EC073 1 Byte [8A] .text C:\Windows\system32\svchost.exe[2656] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[2656] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[2656] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\system32\svchost.exe[2656] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 000B03FC .text C:\Windows\system32\svchost.exe[2656] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 000B0600 .text C:\Windows\system32\svchost.exe[2656] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 000B1014 .text C:\Windows\system32\svchost.exe[2656] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 000B0804 .text C:\Windows\system32\svchost.exe[2656] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 000B0A08 .text C:\Windows\system32\svchost.exe[2656] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 000B0C0C .text C:\Windows\system32\svchost.exe[2656] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 000B0E10 .text C:\Windows\system32\svchost.exe[2656] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 000B01F8 .text C:\Windows\System32\svchost.exe[2724] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 000501F8 .text C:\Windows\System32\svchost.exe[2724] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 000503FC .text C:\Windows\System32\svchost.exe[2724] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\System32\svchost.exe[2724] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 000703FC .text C:\Windows\System32\svchost.exe[2724] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00070600 .text C:\Windows\System32\svchost.exe[2724] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00071014 .text C:\Windows\System32\svchost.exe[2724] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00070804 .text C:\Windows\System32\svchost.exe[2724] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00070A08 .text C:\Windows\System32\svchost.exe[2724] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00070C0C .text C:\Windows\System32\svchost.exe[2724] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 00070E10 .text C:\Windows\System32\svchost.exe[2724] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\SearchIndexer.exe[2772] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\SearchIndexer.exe[2772] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 000503FC .text C:\Windows\system32\SearchIndexer.exe[2772] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[2772] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\SearchIndexer.exe[2772] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\SearchIndexer.exe[2772] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\SearchIndexer.exe[2772] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\SearchIndexer.exe[2772] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\SearchIndexer.exe[2772] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00070C0C .text C:\Windows\system32\SearchIndexer.exe[2772] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\SearchIndexer.exe[2772] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\SearchIndexer.exe[2772] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 00080600 .text C:\Windows\system32\SearchIndexer.exe[2772] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 00080804 .text C:\Windows\system32\SearchIndexer.exe[2772] USER32.dll!UnhookWindowsHookEx 761E98DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\SearchIndexer.exe[2772] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\SearchIndexer.exe[2772] USER32.dll!UnhookWinEvent 761EC06F 5 Bytes JMP 000803FC .text C:\Windows\system32\DRIVERS\xaudio.exe[2868] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 001401F8 .text C:\Windows\system32\DRIVERS\xaudio.exe[2868] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 001403FC .text C:\Windows\system32\DRIVERS\xaudio.exe[2868] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\system32\DRIVERS\xaudio.exe[2868] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 001603FC .text C:\Windows\system32\DRIVERS\xaudio.exe[2868] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00160600 .text C:\Windows\system32\DRIVERS\xaudio.exe[2868] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00161014 .text C:\Windows\system32\DRIVERS\xaudio.exe[2868] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00160804 .text C:\Windows\system32\DRIVERS\xaudio.exe[2868] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00160A08 .text C:\Windows\system32\DRIVERS\xaudio.exe[2868] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00160C0C .text C:\Windows\system32\DRIVERS\xaudio.exe[2868] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 00160E10 .text C:\Windows\system32\DRIVERS\xaudio.exe[2868] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 001601F8 .text C:\Windows\system32\DRIVERS\xaudio.exe[2868] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 00170600 .text C:\Windows\system32\DRIVERS\xaudio.exe[2868] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 00170804 .text C:\Windows\system32\DRIVERS\xaudio.exe[2868] USER32.dll!UnhookWindowsHookEx 761E98DB 5 Bytes JMP 00170A08 .text C:\Windows\system32\DRIVERS\xaudio.exe[2868] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 001701F8 .text C:\Windows\system32\DRIVERS\xaudio.exe[2868] USER32.dll!UnhookWinEvent 761EC06F 5 Bytes JMP 001703FC .text C:\Windows\system32\svchost.exe[3056] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 000901F8 .text C:\Windows\system32\svchost.exe[3056] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 000903FC .text C:\Windows\system32\svchost.exe[3056] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\system32\svchost.exe[3056] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 000B03FC .text C:\Windows\system32\svchost.exe[3056] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 000B0600 .text C:\Windows\system32\svchost.exe[3056] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 000B1014 .text C:\Windows\system32\svchost.exe[3056] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 000B0804 .text C:\Windows\system32\svchost.exe[3056] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 000B0A08 .text C:\Windows\system32\svchost.exe[3056] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 000B0C0C .text C:\Windows\system32\svchost.exe[3056] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 000B0E10 .text C:\Windows\system32\svchost.exe[3056] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 000B01F8 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[3204] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 001501F8 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[3204] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 001503FC .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[3204] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[3204] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 001703FC .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[3204] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00170600 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[3204] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00171014 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[3204] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00170804 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[3204] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00170A08 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[3204] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00170C0C .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[3204] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 00170E10 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[3204] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 001701F8 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[3204] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 00280600 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[3204] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 00280804 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[3204] USER32.dll!UnhookWindowsHookEx 761E98DB 5 Bytes JMP 00280A08 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[3204] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 002801F8 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[3204] USER32.dll!UnhookWinEvent 761EC06F 5 Bytes JMP 002803FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3240] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 001401F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3240] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 001403FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3240] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3240] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 00160600 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3240] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 00160804 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3240] USER32.dll!UnhookWindowsHookEx 761E98DB 5 Bytes JMP 00160A08 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3240] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 001601F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3240] USER32.dll!UnhookWinEvent 761EC06F 5 Bytes JMP 001603FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3240] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 001703FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3240] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00170600 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3240] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00171014 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3240] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00170804 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3240] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00170A08 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3240] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00170C0C .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3240] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 00170E10 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3240] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 001701F8 .text C:\Windows\System32\rundll32.exe[3264] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 000601F8 .text C:\Windows\System32\rundll32.exe[3264] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 000603FC .text C:\Windows\System32\rundll32.exe[3264] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\System32\rundll32.exe[3264] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 00170600 .text C:\Windows\System32\rundll32.exe[3264] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 00170804 .text C:\Windows\System32\rundll32.exe[3264] USER32.dll!UnhookWindowsHookEx 761E98DB 5 Bytes JMP 00170A08 .text C:\Windows\System32\rundll32.exe[3264] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 001701F8 .text C:\Windows\System32\rundll32.exe[3264] USER32.dll!UnhookWinEvent 761EC06F 5 Bytes JMP 001703FC .text C:\Windows\System32\rundll32.exe[3264] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 001803FC .text C:\Windows\System32\rundll32.exe[3264] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00180600 .text C:\Windows\System32\rundll32.exe[3264] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00181014 .text C:\Windows\System32\rundll32.exe[3264] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00180804 .text C:\Windows\System32\rundll32.exe[3264] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00180A08 .text C:\Windows\System32\rundll32.exe[3264] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00180C0C .text C:\Windows\System32\rundll32.exe[3264] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 3 Bytes JMP 00180E10 .text C:\Windows\System32\rundll32.exe[3264] ADVAPI32.dll!ChangeServiceConfig2W + 4 769771E5 1 Byte [89] .text C:\Windows\System32\rundll32.exe[3264] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 001801F8 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3292] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[3344] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 000501F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3344] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 000503FC .text C:\Program Files\Windows Sidebar\sidebar.exe[3344] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[3344] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 000803FC .text C:\Program Files\Windows Sidebar\sidebar.exe[3344] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00080600 .text C:\Program Files\Windows Sidebar\sidebar.exe[3344] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00081014 .text C:\Program Files\Windows Sidebar\sidebar.exe[3344] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00080804 .text C:\Program Files\Windows Sidebar\sidebar.exe[3344] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00080A08 .text C:\Program Files\Windows Sidebar\sidebar.exe[3344] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00080C0C .text C:\Program Files\Windows Sidebar\sidebar.exe[3344] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 00080E10 .text C:\Program Files\Windows Sidebar\sidebar.exe[3344] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 000801F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3344] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 00090600 .text C:\Program Files\Windows Sidebar\sidebar.exe[3344] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 00090804 .text C:\Program Files\Windows Sidebar\sidebar.exe[3344] USER32.dll!UnhookWindowsHookEx 761E98DB 5 Bytes JMP 00090A08 .text C:\Program Files\Windows Sidebar\sidebar.exe[3344] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 000901F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3344] USER32.dll!UnhookWinEvent 761EC06F 5 Bytes JMP 000903FC .text C:\Windows\ehome\ehtray.exe[3384] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 000501F8 .text C:\Windows\ehome\ehtray.exe[3384] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 000503FC .text C:\Windows\ehome\ehtray.exe[3384] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\ehome\ehtray.exe[3384] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 000703FC .text C:\Windows\ehome\ehtray.exe[3384] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00070600 .text C:\Windows\ehome\ehtray.exe[3384] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00071014 .text C:\Windows\ehome\ehtray.exe[3384] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00070804 .text C:\Windows\ehome\ehtray.exe[3384] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00070A08 .text C:\Windows\ehome\ehtray.exe[3384] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00070C0C .text C:\Windows\ehome\ehtray.exe[3384] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 00070E10 .text C:\Windows\ehome\ehtray.exe[3384] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 000701F8 .text C:\Windows\ehome\ehtray.exe[3384] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 00080600 .text C:\Windows\ehome\ehtray.exe[3384] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 00080804 .text C:\Windows\ehome\ehtray.exe[3384] USER32.dll!UnhookWindowsHookEx 761E98DB 5 Bytes JMP 00080A08 .text C:\Windows\ehome\ehtray.exe[3384] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 000801F8 .text C:\Windows\ehome\ehtray.exe[3384] USER32.dll!UnhookWinEvent 761EC06F 5 Bytes JMP 000803FC .text C:\Windows\System32\rundll32.exe[3412] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 000601F8 .text C:\Windows\System32\rundll32.exe[3412] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 000603FC .text C:\Windows\System32\rundll32.exe[3412] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\System32\rundll32.exe[3412] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 00070600 .text C:\Windows\System32\rundll32.exe[3412] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 00070804 .text C:\Windows\System32\rundll32.exe[3412] USER32.dll!UnhookWindowsHookEx 761E98DB 5 Bytes JMP 00070A08 .text C:\Windows\System32\rundll32.exe[3412] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 000701F8 .text C:\Windows\System32\rundll32.exe[3412] USER32.dll!UnhookWinEvent 761EC06F 5 Bytes JMP 000703FC .text C:\Windows\System32\rundll32.exe[3412] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 001903FC .text C:\Windows\System32\rundll32.exe[3412] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00190600 .text C:\Windows\System32\rundll32.exe[3412] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00191014 .text C:\Windows\System32\rundll32.exe[3412] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00190804 .text C:\Windows\System32\rundll32.exe[3412] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00190A08 .text C:\Windows\System32\rundll32.exe[3412] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00190C0C .text C:\Windows\System32\rundll32.exe[3412] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 00190E10 .text C:\Windows\System32\rundll32.exe[3412] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 001901F8 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3420] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 001501F8 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3420] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 001503FC .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3420] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3420] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 001803FC .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3420] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00180600 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3420] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00181014 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3420] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00180804 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3420] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00180A08 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3420] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00180C0C .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3420] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 3 Bytes JMP 00180E10 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3420] ADVAPI32.dll!ChangeServiceConfig2W + 4 769771E5 1 Byte [89] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3420] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 001801F8 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3420] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 00190600 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3420] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 00190804 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3420] USER32.dll!UnhookWindowsHookEx 761E98DB 5 Bytes JMP 00190A08 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3420] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 001901F8 .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3420] USER32.dll!UnhookWinEvent 761EC06F 5 Bytes JMP 001903FC .text C:\Windows\ehome\ehmsas.exe[3532] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 000801F8 .text C:\Windows\ehome\ehmsas.exe[3532] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 000803FC .text C:\Windows\ehome\ehmsas.exe[3532] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\ehome\ehmsas.exe[3532] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 000A03FC .text C:\Windows\ehome\ehmsas.exe[3532] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 000A0600 .text C:\Windows\ehome\ehmsas.exe[3532] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 000A1014 .text C:\Windows\ehome\ehmsas.exe[3532] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 000A0804 .text C:\Windows\ehome\ehmsas.exe[3532] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 000A0A08 .text C:\Windows\ehome\ehmsas.exe[3532] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 000A0C0C .text C:\Windows\ehome\ehmsas.exe[3532] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 000A0E10 .text C:\Windows\ehome\ehmsas.exe[3532] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 000A01F8 .text C:\Windows\ehome\ehmsas.exe[3532] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 000B0600 .text C:\Windows\ehome\ehmsas.exe[3532] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 000B0804 .text C:\Windows\ehome\ehmsas.exe[3532] USER32.dll!UnhookWindowsHookEx 761E98DB 5 Bytes JMP 000B0A08 .text C:\Windows\ehome\ehmsas.exe[3532] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 000B01F8 .text C:\Windows\ehome\ehmsas.exe[3532] USER32.dll!UnhookWinEvent 761EC06F 5 Bytes JMP 000B03FC .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3724] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 000501F8 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3724] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 000503FC .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3724] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3724] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 000703FC .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3724] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00070600 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3724] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00071014 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3724] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00070804 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3724] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00070A08 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3724] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00070C0C .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3724] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 00070E10 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3724] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 000701F8 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3724] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 00080600 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3724] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 00080804 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3724] USER32.dll!UnhookWindowsHookEx 761E98DB 5 Bytes JMP 00080A08 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3724] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 000801F8 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3724] USER32.dll!UnhookWinEvent 761EC06F 5 Bytes JMP 000803FC .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3796] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 001501F8 .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3796] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 001503FC .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3796] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3796] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 00170600 .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3796] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 00170804 .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3796] USER32.dll!UnhookWindowsHookEx 761E98DB 5 Bytes JMP 00170A08 .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3796] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 001701F8 .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3796] USER32.dll!UnhookWinEvent 761EC06F 5 Bytes JMP 001703FC .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3796] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 001803FC .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3796] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00180600 .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3796] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00181014 .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3796] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00180804 .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3796] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00180A08 .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3796] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00180C0C .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3796] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 3 Bytes JMP 00180E10 .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3796] ADVAPI32.dll!ChangeServiceConfig2W + 4 769771E5 1 Byte [89] .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3796] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 001801F8 .text C:\Windows\system32\wbem\wmiprvse.exe[4088] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\wbem\wmiprvse.exe[4088] ntdll.dll!LdrUnloadDll 77ACB680 5 Bytes JMP 000503FC .text C:\Windows\system32\wbem\wmiprvse.exe[4088] kernel32.dll!GetBinaryTypeW + 70 76BD2467 1 Byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[4088] ADVAPI32.dll!CreateServiceW 76939EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\wbem\wmiprvse.exe[4088] ADVAPI32.dll!DeleteService 7693A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\wbem\wmiprvse.exe[4088] ADVAPI32.dll!SetServiceObjectSecurity 76976CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\wbem\wmiprvse.exe[4088] ADVAPI32.dll!ChangeServiceConfigA 76976DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\wbem\wmiprvse.exe[4088] ADVAPI32.dll!ChangeServiceConfigW 76976F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\wbem\wmiprvse.exe[4088] ADVAPI32.dll!ChangeServiceConfig2A 76977099 5 Bytes JMP 00070C0C .text C:\Windows\system32\wbem\wmiprvse.exe[4088] ADVAPI32.dll!ChangeServiceConfig2W 769771E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\wbem\wmiprvse.exe[4088] ADVAPI32.dll!CreateServiceA 769772A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\wbem\wmiprvse.exe[4088] USER32.dll!SetWindowsHookExA 761E6322 5 Bytes JMP 00080600 .text C:\Windows\system32\wbem\wmiprvse.exe[4088] USER32.dll!SetWindowsHookExW 761E87AD 5 Bytes JMP 00080804 .text C:\Windows\system32\wbem\wmiprvse.exe[4088] USER32.dll!UnhookWindowsHookEx 761E98DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\wbem\wmiprvse.exe[4088] USER32.dll!SetWinEventHook 761E9F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\wbem\wmiprvse.exe[4088] USER32.dll!UnhookWinEvent 761EC06F 5 Bytes JMP 000803FC ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00350002 IAT C:\Windows\system32\services.exe[720] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00350000 IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1812] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [7376F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[3292] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [7376F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\BTHUSB \Device\00000071 bthport.sys (Sterownik magistrali Bluetooth/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\BTHUSB \Device\0000006f bthport.sys (Sterownik magistrali Bluetooth/Microsoft Corporation) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6b2eb323 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6b2eb323@a0759191a12d 0x50 0x63 0x58 0x2F ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6b2eb323 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6b2eb323@a0759191a12d 0x50 0x63 0x58 0x2F ... ---- EOF - GMER 1.0.15 ----