GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-15 22:13:17
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.LV01
Running: n51t8qqn.exe; Driver: C:\Users\Dom\AppData\Local\Temp\kfddapow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x91E1F708]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x92C877C8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x91E2011C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x91E2AF28]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x91E2AF74]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x91E2B0F6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x91E2AE96]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x92C87BBA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x91E2AEDE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x91E20310]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x91E2B0B0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x91E20A9C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x91E1F756]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x92C878AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x91E1F3BE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x91E1F7A4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x91E24456]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x91E21464]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x91E2AF52]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x91E2AF96]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x91E2B11A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x91E2AEBC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x91E2B03A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x91E2AF06]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x91E2B0D4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x92C87A2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x91E21330]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0x91E20EDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x91E1F7F2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x91E1F840]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x91E2091C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x91E1F448]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x91E1F5F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x91E1F59E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x91E20BFE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x91E20D5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x91E1F668]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x92C87AF6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x91E20794]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x91E1F88E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x92C87962]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x91E20498]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x92C9F966]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 10D 82CCB7D0 4 Bytes [08, F7, E1, 91] {OR BH, DH; LOOPZ 0xffffffffffffff95}
.text ntkrnlpa.exe!KeSetEvent + 131 82CCB7F4 4 Bytes [C8, 77, C8, 92] {ENTER 0xc877, 0x92}
.text ntkrnlpa.exe!KeSetEvent + 191 82CCB854 4 Bytes JMP E2011C82
.text ntkrnlpa.exe!KeSetEvent + 1D1 82CCB894 8 Bytes [28, AF, E2, 91, 74, AF, E2, ...] {SUB [EDI-0x508b6e1e], CH; LOOP 0xffffffffffffff99}
.text ntkrnlpa.exe!KeSetEvent + 1DD 82CCB8A0 4 Bytes [F6, B0, E2, 91]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82DF6633 5 Bytes JMP 92C9C806 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 82E4F593 5 Bytes JMP 92C9E320 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82E58EB8 4 Bytes CALL 91E21B07 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 82E5CB2C 4 Bytes CALL 91E21B1D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82EB0E8C 7 Bytes JMP 92C9F96A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8AF5C480, 0x3C939, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8AF9D900, 0x3CA, 0x48000040]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[228] kernel32.dll!SetUnhandledExceptionFilter 7743A8C5 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[228] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe[308] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 001401F8
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe[308] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 001403FC
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe[308] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe[308] USER32.dll!SetWindowsHookExA 76366322 5 Bytes JMP 00160600
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe[308] USER32.dll!SetWindowsHookExW 763687AD 5 Bytes JMP 00160804
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe[308] USER32.dll!UnhookWindowsHookEx 763698DB 5 Bytes JMP 00160A08
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe[308] USER32.dll!SetWinEventHook 76369F3A 5 Bytes JMP 001601F8
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe[308] USER32.dll!UnhookWinEvent 7636C06F 5 Bytes JMP 001603FC
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe[308] ADVAPI32.dll!CreateServiceW 76479EB4 5 Bytes JMP 001703FC
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe[308] ADVAPI32.dll!DeleteService 7647A07E 5 Bytes JMP 00170600
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe[308] ADVAPI32.dll!SetServiceObjectSecurity 764B6CD9 5 Bytes JMP 00171014
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe[308] ADVAPI32.dll!ChangeServiceConfigA 764B6DD9 5 Bytes JMP 00170804
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe[308] ADVAPI32.dll!ChangeServiceConfigW 764B6F81 5 Bytes JMP 00170A08
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe[308] ADVAPI32.dll!ChangeServiceConfig2A 764B7099 5 Bytes JMP 00170C0C
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe[308] ADVAPI32.dll!ChangeServiceConfig2W 764B71E1 5 Bytes JMP 00170E10
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe[308] ADVAPI32.dll!CreateServiceA 764B72A1 5 Bytes JMP 001701F8
.text C:\Windows\system32\igfxsrvc.exe[320] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 001501F8
.text C:\Windows\system32\igfxsrvc.exe[320] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 001503FC
.text C:\Windows\system32\igfxsrvc.exe[320] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\system32\igfxsrvc.exe[320] USER32.dll!SetWindowsHookExA 76366322 5 Bytes JMP 00170600
.text C:\Windows\system32\igfxsrvc.exe[320] USER32.dll!SetWindowsHookExW 763687AD 5 Bytes JMP 00170804
.text C:\Windows\system32\igfxsrvc.exe[320] USER32.dll!UnhookWindowsHookEx 763698DB 5 Bytes JMP 00170A08
.text C:\Windows\system32\igfxsrvc.exe[320] USER32.dll!SetWinEventHook 76369F3A 5 Bytes JMP 001701F8
.text C:\Windows\system32\igfxsrvc.exe[320] USER32.dll!UnhookWinEvent 7636C06F 5 Bytes JMP 001703FC
.text C:\Windows\system32\igfxsrvc.exe[320] ADVAPI32.dll!CreateServiceW 76479EB4 5 Bytes JMP 001803FC
.text C:\Windows\system32\igfxsrvc.exe[320] ADVAPI32.dll!DeleteService 7647A07E 5 Bytes JMP 00180600
.text C:\Windows\system32\igfxsrvc.exe[320] ADVAPI32.dll!SetServiceObjectSecurity 764B6CD9 5 Bytes JMP 00181014
.text C:\Windows\system32\igfxsrvc.exe[320] ADVAPI32.dll!ChangeServiceConfigA 764B6DD9 5 Bytes JMP 00180804
.text C:\Windows\system32\igfxsrvc.exe[320] ADVAPI32.dll!ChangeServiceConfigW 764B6F81 5 Bytes JMP 00180A08
.text C:\Windows\system32\igfxsrvc.exe[320] ADVAPI32.dll!ChangeServiceConfig2A 764B7099 5 Bytes JMP 00180C0C
.text C:\Windows\system32\igfxsrvc.exe[320] ADVAPI32.dll!ChangeServiceConfig2W 764B71E1 5 Bytes JMP 00180E10
.text C:\Windows\system32\igfxsrvc.exe[320] ADVAPI32.dll!CreateServiceA 764B72A1 5 Bytes JMP 001801F8
.text C:\Windows\system32\svchost.exe[396] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\system32\csrss.exe[620] KERNEL32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\system32\wininit.exe[656] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\system32\csrss.exe[676] KERNEL32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\system32\services.exe[708] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text ...
.text C:\Windows\system32\svchost.exe[1120] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 000901F8
.text C:\Windows\system32\svchost.exe[1120] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 000903FC
.text C:\Windows\system32\svchost.exe[1120] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1120] ADVAPI32.dll!CreateServiceW 76479EB4 5 Bytes JMP 000B03FC
.text C:\Windows\system32\svchost.exe[1120] ADVAPI32.dll!DeleteService 7647A07E 5 Bytes JMP 000B0600
.text C:\Windows\system32\svchost.exe[1120] ADVAPI32.dll!SetServiceObjectSecurity 764B6CD9 5 Bytes JMP 000B1014
.text C:\Windows\system32\svchost.exe[1120] ADVAPI32.dll!ChangeServiceConfigA 764B6DD9 5 Bytes JMP 000B0804
.text C:\Windows\system32\svchost.exe[1120] ADVAPI32.dll!ChangeServiceConfigW 764B6F81 5 Bytes JMP 000B0A08
.text C:\Windows\system32\svchost.exe[1120] ADVAPI32.dll!ChangeServiceConfig2A 764B7099 5 Bytes JMP 000B0C0C
.text C:\Windows\system32\svchost.exe[1120] ADVAPI32.dll!ChangeServiceConfig2W 764B71E1 5 Bytes JMP 000B0E10
.text C:\Windows\system32\svchost.exe[1120] ADVAPI32.dll!CreateServiceA 764B72A1 5 Bytes JMP 000B01F8
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1184] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\system32\AUDIODG.EXE[1276] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1300] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Program Files\iTunes\iTunesHelper.exe[1308] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 001501F8
.text C:\Program Files\iTunes\iTunesHelper.exe[1308] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 001503FC
.text C:\Program Files\iTunes\iTunesHelper.exe[1308] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Program Files\iTunes\iTunesHelper.exe[1308] ADVAPI32.dll!CreateServiceW 76479EB4 5 Bytes JMP 001703FC
.text C:\Program Files\iTunes\iTunesHelper.exe[1308] ADVAPI32.dll!DeleteService 7647A07E 5 Bytes JMP 00170600
.text C:\Program Files\iTunes\iTunesHelper.exe[1308] ADVAPI32.dll!SetServiceObjectSecurity 764B6CD9 5 Bytes JMP 00171014
.text C:\Program Files\iTunes\iTunesHelper.exe[1308] ADVAPI32.dll!ChangeServiceConfigA 764B6DD9 5 Bytes JMP 00170804
.text C:\Program Files\iTunes\iTunesHelper.exe[1308] ADVAPI32.dll!ChangeServiceConfigW 764B6F81 5 Bytes JMP 00170A08
.text C:\Program Files\iTunes\iTunesHelper.exe[1308] ADVAPI32.dll!ChangeServiceConfig2A 764B7099 5 Bytes JMP 00170C0C
.text C:\Program Files\iTunes\iTunesHelper.exe[1308] ADVAPI32.dll!ChangeServiceConfig2W 764B71E1 5 Bytes JMP 00170E10
.text C:\Program Files\iTunes\iTunesHelper.exe[1308] ADVAPI32.dll!CreateServiceA 764B72A1 5 Bytes JMP 001701F8
.text C:\Program Files\iTunes\iTunesHelper.exe[1308] USER32.dll!SetWindowsHookExA 76366322 5 Bytes JMP 00180600
.text C:\Program Files\iTunes\iTunesHelper.exe[1308] USER32.dll!SetWindowsHookExW 763687AD 5 Bytes JMP 00180804
.text C:\Program Files\iTunes\iTunesHelper.exe[1308] USER32.dll!UnhookWindowsHookEx 763698DB 5 Bytes JMP 00180A08
.text C:\Program Files\iTunes\iTunesHelper.exe[1308] USER32.dll!SetWinEventHook 76369F3A 5 Bytes JMP 001801F8
.text C:\Program Files\iTunes\iTunesHelper.exe[1308] USER32.dll!UnhookWinEvent 7636C06F 5 Bytes JMP 001803FC
.text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1332] KERNEL32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1360] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\ProgramData\DatacardService\DCSHelper.exe[1384] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\System32\igfxpers.exe[1432] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 001501F8
.text C:\Windows\System32\igfxpers.exe[1432] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 001503FC
.text C:\Windows\System32\igfxpers.exe[1432] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\System32\igfxpers.exe[1432] USER32.dll!SetWindowsHookExA 76366322 5 Bytes JMP 00170600
.text C:\Windows\System32\igfxpers.exe[1432] USER32.dll!SetWindowsHookExW 763687AD 5 Bytes JMP 00170804
.text C:\Windows\System32\igfxpers.exe[1432] USER32.dll!UnhookWindowsHookEx 763698DB 5 Bytes JMP 00170A08
.text C:\Windows\System32\igfxpers.exe[1432] USER32.dll!SetWinEventHook 76369F3A 5 Bytes JMP 001701F8
.text C:\Windows\System32\igfxpers.exe[1432] USER32.dll!UnhookWinEvent 7636C06F 5 Bytes JMP 001703FC
.text C:\Windows\System32\igfxpers.exe[1432] ADVAPI32.dll!CreateServiceW 76479EB4 5 Bytes JMP 001803FC
.text C:\Windows\System32\igfxpers.exe[1432] ADVAPI32.dll!DeleteService 7647A07E 5 Bytes JMP 00180600
.text C:\Windows\System32\igfxpers.exe[1432] ADVAPI32.dll!SetServiceObjectSecurity 764B6CD9 5 Bytes JMP 00181014
.text C:\Windows\System32\igfxpers.exe[1432] ADVAPI32.dll!ChangeServiceConfigA 764B6DD9 5 Bytes JMP 00180804
.text C:\Windows\System32\igfxpers.exe[1432] ADVAPI32.dll!ChangeServiceConfigW 764B6F81 5 Bytes JMP 00180A08
.text C:\Windows\System32\igfxpers.exe[1432] ADVAPI32.dll!ChangeServiceConfig2A 764B7099 5 Bytes JMP 00180C0C
.text C:\Windows\System32\igfxpers.exe[1432] ADVAPI32.dll!ChangeServiceConfig2W 764B71E1 5 Bytes JMP 00180E10
.text C:\Windows\System32\igfxpers.exe[1432] ADVAPI32.dll!CreateServiceA 764B72A1 5 Bytes JMP 001801F8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1436] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 001401F8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1436] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 001403FC
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1436] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1436] USER32.dll!SetWindowsHookExA 76366322 5 Bytes JMP 00160600
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1436] USER32.dll!SetWindowsHookExW 763687AD 5 Bytes JMP 00160804
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1436] USER32.dll!UnhookWindowsHookEx 763698DB 5 Bytes JMP 00160A08
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1436] USER32.dll!SetWinEventHook 76369F3A 5 Bytes JMP 001601F8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1436] USER32.dll!UnhookWinEvent 7636C06F 5 Bytes JMP 001603FC
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1436] ADVAPI32.dll!CreateServiceW 76479EB4 5 Bytes JMP 001703FC
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1436] ADVAPI32.dll!DeleteService 7647A07E 5 Bytes JMP 00170600
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1436] ADVAPI32.dll!SetServiceObjectSecurity 764B6CD9 5 Bytes JMP 00171014
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1436] ADVAPI32.dll!ChangeServiceConfigA 764B6DD9 5 Bytes JMP 00170804
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1436] ADVAPI32.dll!ChangeServiceConfigW 764B6F81 5 Bytes JMP 00170A08
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1436] ADVAPI32.dll!ChangeServiceConfig2A 764B7099 5 Bytes JMP 00170C0C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1436] ADVAPI32.dll!ChangeServiceConfig2W 764B71E1 5 Bytes JMP 00170E10
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1436] ADVAPI32.dll!CreateServiceA 764B72A1 5 Bytes JMP 001701F8
.text C:\ProgramData\DatacardService\DCService.exe[1484] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\System32\hkcmd.exe[1508] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 001501F8
.text C:\Windows\System32\hkcmd.exe[1508] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 001503FC
.text C:\Windows\System32\hkcmd.exe[1508] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\System32\hkcmd.exe[1508] USER32.dll!SetWindowsHookExA 76366322 5 Bytes JMP 00180600
.text C:\Windows\System32\hkcmd.exe[1508] USER32.dll!SetWindowsHookExW 763687AD 5 Bytes JMP 00180804
.text C:\Windows\System32\hkcmd.exe[1508] USER32.dll!UnhookWindowsHookEx 763698DB 5 Bytes JMP 00180A08
.text C:\Windows\System32\hkcmd.exe[1508] USER32.dll!SetWinEventHook 76369F3A 5 Bytes JMP 001801F8
.text C:\Windows\System32\hkcmd.exe[1508] USER32.dll!UnhookWinEvent 7636C06F 5 Bytes JMP 001803FC
.text C:\Windows\System32\hkcmd.exe[1508] ADVAPI32.dll!CreateServiceW 76479EB4 5 Bytes JMP 001903FC
.text C:\Windows\System32\hkcmd.exe[1508] ADVAPI32.dll!DeleteService 7647A07E 5 Bytes JMP 00190600
.text C:\Windows\System32\hkcmd.exe[1508] ADVAPI32.dll!SetServiceObjectSecurity 764B6CD9 5 Bytes JMP 00191014
.text C:\Windows\System32\hkcmd.exe[1508] ADVAPI32.dll!ChangeServiceConfigA 764B6DD9 5 Bytes JMP 00190804
.text C:\Windows\System32\hkcmd.exe[1508] ADVAPI32.dll!ChangeServiceConfigW 764B6F81 5 Bytes JMP 00190A08
.text C:\Windows\System32\hkcmd.exe[1508] ADVAPI32.dll!ChangeServiceConfig2A 764B7099 5 Bytes JMP 00190C0C
.text C:\Windows\System32\hkcmd.exe[1508] ADVAPI32.dll!ChangeServiceConfig2W 764B71E1 5 Bytes JMP 00190E10
.text C:\Windows\System32\hkcmd.exe[1508] ADVAPI32.dll!CreateServiceA 764B72A1 5 Bytes JMP 001901F8
.text C:\Program Files\Windows Defender\MSASCui.exe[1604] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 000501F8
.text C:\Program Files\Windows Defender\MSASCui.exe[1604] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 000503FC
.text C:\Program Files\Windows Defender\MSASCui.exe[1604] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Program Files\Windows Defender\MSASCui.exe[1604] ADVAPI32.dll!CreateServiceW 76479EB4 5 Bytes JMP 000703FC
.text C:\Program Files\Windows Defender\MSASCui.exe[1604] ADVAPI32.dll!DeleteService 7647A07E 5 Bytes JMP 00070600
.text C:\Program Files\Windows Defender\MSASCui.exe[1604] ADVAPI32.dll!SetServiceObjectSecurity 764B6CD9 5 Bytes JMP 00071014
.text C:\Program Files\Windows Defender\MSASCui.exe[1604] ADVAPI32.dll!ChangeServiceConfigA 764B6DD9 5 Bytes JMP 00070804
.text C:\Program Files\Windows Defender\MSASCui.exe[1604] ADVAPI32.dll!ChangeServiceConfigW 764B6F81 5 Bytes JMP 00070A08
.text C:\Program Files\Windows Defender\MSASCui.exe[1604] ADVAPI32.dll!ChangeServiceConfig2A 764B7099 5 Bytes JMP 00070C0C
.text C:\Program Files\Windows Defender\MSASCui.exe[1604] ADVAPI32.dll!ChangeServiceConfig2W 764B71E1 5 Bytes JMP 00070E10
.text C:\Program Files\Windows Defender\MSASCui.exe[1604] ADVAPI32.dll!CreateServiceA 764B72A1 5 Bytes JMP 000701F8
.text C:\Program Files\Windows Defender\MSASCui.exe[1604] USER32.dll!SetWindowsHookExA 76366322 5 Bytes JMP 00080600
.text C:\Program Files\Windows Defender\MSASCui.exe[1604] USER32.dll!SetWindowsHookExW 763687AD 5 Bytes JMP 00080804
.text C:\Program Files\Windows Defender\MSASCui.exe[1604] USER32.dll!UnhookWindowsHookEx 763698DB 5 Bytes JMP 00080A08
.text C:\Program Files\Windows Defender\MSASCui.exe[1604] USER32.dll!SetWinEventHook 76369F3A 5 Bytes JMP 000801F8
.text C:\Program Files\Windows Defender\MSASCui.exe[1604] USER32.dll!UnhookWinEvent 7636C06F 5 Bytes JMP 000803FC
.text C:\Windows\system32\Dwm.exe[1752] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Program Files\Realtek\RTL8187B Wireless LAN Utility\RtlService.exe[1760] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 001401F8
.text C:\Program Files\Realtek\RTL8187B Wireless LAN Utility\RtlService.exe[1760] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 001403FC
.text C:\Program Files\Realtek\RTL8187B Wireless LAN Utility\RtlService.exe[1760] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Program Files\Realtek\RTL8187B Wireless LAN Utility\RtlService.exe[1760] USER32.dll!SetWindowsHookExA 76366322 5 Bytes JMP 00160600
.text C:\Program Files\Realtek\RTL8187B Wireless LAN Utility\RtlService.exe[1760] USER32.dll!SetWindowsHookExW 763687AD 5 Bytes JMP 00160804
.text C:\Program Files\Realtek\RTL8187B Wireless LAN Utility\RtlService.exe[1760] USER32.dll!UnhookWindowsHookEx 763698DB 5 Bytes JMP 00160A08
.text C:\Program Files\Realtek\RTL8187B Wireless LAN Utility\RtlService.exe[1760] USER32.dll!SetWinEventHook 76369F3A 5 Bytes JMP 001601F8
.text C:\Program Files\Realtek\RTL8187B Wireless LAN Utility\RtlService.exe[1760] USER32.dll!UnhookWinEvent 7636C06F 5 Bytes JMP 001603FC
.text C:\Program Files\Realtek\RTL8187B Wireless LAN Utility\RtlService.exe[1760] ADVAPI32.dll!CreateServiceW 76479EB4 5 Bytes JMP 001703FC
.text C:\Program Files\Realtek\RTL8187B Wireless LAN Utility\RtlService.exe[1760] ADVAPI32.dll!DeleteService 7647A07E 5 Bytes JMP 00170600
.text C:\Program Files\Realtek\RTL8187B Wireless LAN Utility\RtlService.exe[1760] ADVAPI32.dll!SetServiceObjectSecurity 764B6CD9 5 Bytes JMP 00171014
.text C:\Program Files\Realtek\RTL8187B Wireless LAN Utility\RtlService.exe[1760] ADVAPI32.dll!ChangeServiceConfigA 764B6DD9 5 Bytes JMP 00170804
.text C:\Program Files\Realtek\RTL8187B Wireless LAN Utility\RtlService.exe[1760] ADVAPI32.dll!ChangeServiceConfigW 764B6F81 5 Bytes JMP 00170A08
.text C:\Program Files\Realtek\RTL8187B Wireless LAN Utility\RtlService.exe[1760] ADVAPI32.dll!ChangeServiceConfig2A 764B7099 5 Bytes JMP 00170C0C
.text C:\Program Files\Realtek\RTL8187B Wireless LAN Utility\RtlService.exe[1760] ADVAPI32.dll!ChangeServiceConfig2W 764B71E1 5 Bytes JMP 00170E10
.text C:\Program Files\Realtek\RTL8187B Wireless LAN Utility\RtlService.exe[1760] ADVAPI32.dll!CreateServiceA 764B72A1 5 Bytes JMP 001701F8
.text C:\Windows\system32\svchost.exe[1796] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[1884] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\Explorer.EXE[1960] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe[2076] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 001401F8
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe[2076] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 001403FC
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe[2076] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe[2076] USER32.dll!SetWindowsHookExA 76366322 5 Bytes JMP 00160600
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe[2076] USER32.dll!SetWindowsHookExW 763687AD 5 Bytes JMP 00160804
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe[2076] USER32.dll!UnhookWindowsHookEx 763698DB 5 Bytes JMP 00160A08
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe[2076] USER32.dll!SetWinEventHook 76369F3A 5 Bytes JMP 001601F8
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe[2076] USER32.dll!UnhookWinEvent 7636C06F 5 Bytes JMP 001603FC
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe[2076] ADVAPI32.dll!CreateServiceW 76479EB4 5 Bytes JMP 001703FC
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe[2076] ADVAPI32.dll!DeleteService 7647A07E 5 Bytes JMP 00170600
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe[2076] ADVAPI32.dll!SetServiceObjectSecurity 764B6CD9 5 Bytes JMP 00171014
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe[2076] ADVAPI32.dll!ChangeServiceConfigA 764B6DD9 5 Bytes JMP 00170804
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe[2076] ADVAPI32.dll!ChangeServiceConfigW 764B6F81 5 Bytes JMP 00170A08
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe[2076] ADVAPI32.dll!ChangeServiceConfig2A 764B7099 5 Bytes JMP 00170C0C
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe[2076] ADVAPI32.dll!ChangeServiceConfig2W 764B71E1 5 Bytes JMP 00170E10
.text C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe[2076] ADVAPI32.dll!CreateServiceA 764B72A1 5 Bytes JMP 001701F8
.text C:\Program Files\real\realplayer\Update\realsched.exe[2128] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 000401F8
.text C:\Program Files\real\realplayer\Update\realsched.exe[2128] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 000403FC
.text C:\Program Files\real\realplayer\Update\realsched.exe[2128] kernel32.dll!SetUnhandledExceptionFilter 7743A8C5 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\real\realplayer\Update\realsched.exe[2128] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Program Files\real\realplayer\Update\realsched.exe[2128] USER32.dll!SetWindowsHookExA 76366322 5 Bytes JMP 00060600
.text C:\Program Files\real\realplayer\Update\realsched.exe[2128] USER32.dll!SetWindowsHookExW 763687AD 5 Bytes JMP 00060804
.text C:\Program Files\real\realplayer\Update\realsched.exe[2128] USER32.dll!UnhookWindowsHookEx 763698DB 5 Bytes JMP 00060A08
.text C:\Program Files\real\realplayer\Update\realsched.exe[2128] USER32.dll!SetWinEventHook 76369F3A 5 Bytes JMP 000601F8
.text C:\Program Files\real\realplayer\Update\realsched.exe[2128] USER32.dll!UnhookWinEvent 7636C06F 5 Bytes JMP 000603FC
.text C:\Program Files\real\realplayer\Update\realsched.exe[2128] ADVAPI32.dll!CreateServiceW 76479EB4 5 Bytes JMP 000703FC
.text C:\Program Files\real\realplayer\Update\realsched.exe[2128] ADVAPI32.dll!DeleteService 7647A07E 5 Bytes JMP 00070600
.text C:\Program Files\real\realplayer\Update\realsched.exe[2128] ADVAPI32.dll!SetServiceObjectSecurity 764B6CD9 5 Bytes JMP 00071014
.text C:\Program Files\real\realplayer\Update\realsched.exe[2128] ADVAPI32.dll!ChangeServiceConfigA 764B6DD9 5 Bytes JMP 00070804
.text C:\Program Files\real\realplayer\Update\realsched.exe[2128] ADVAPI32.dll!ChangeServiceConfigW 764B6F81 5 Bytes JMP 00070A08
.text C:\Program Files\real\realplayer\Update\realsched.exe[2128] ADVAPI32.dll!ChangeServiceConfig2A 764B7099 5 Bytes JMP 00070C0C
.text C:\Program Files\real\realplayer\Update\realsched.exe[2128] ADVAPI32.dll!ChangeServiceConfig2W 764B71E1 5 Bytes JMP 00070E10
.text C:\Program Files\real\realplayer\Update\realsched.exe[2128] ADVAPI32.dll!CreateServiceA 764B72A1 5 Bytes JMP 000701F8
.text C:\Windows\ehome\ehtray.exe[2148] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 000501F8
.text C:\Windows\ehome\ehtray.exe[2148] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 000503FC
.text C:\Windows\ehome\ehtray.exe[2148] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\ehome\ehtray.exe[2148] ADVAPI32.dll!CreateServiceW 76479EB4 5 Bytes JMP 000A03FC
.text C:\Windows\ehome\ehtray.exe[2148] ADVAPI32.dll!DeleteService 7647A07E 5 Bytes JMP 000A0600
.text C:\Windows\ehome\ehtray.exe[2148] ADVAPI32.dll!SetServiceObjectSecurity 764B6CD9 5 Bytes JMP 000A1014
.text C:\Windows\ehome\ehtray.exe[2148] ADVAPI32.dll!ChangeServiceConfigA 764B6DD9 5 Bytes JMP 000A0804
.text C:\Windows\ehome\ehtray.exe[2148] ADVAPI32.dll!ChangeServiceConfigW 764B6F81 5 Bytes JMP 000A0A08
.text C:\Windows\ehome\ehtray.exe[2148] ADVAPI32.dll!ChangeServiceConfig2A 764B7099 5 Bytes JMP 000A0C0C
.text C:\Windows\ehome\ehtray.exe[2148] ADVAPI32.dll!ChangeServiceConfig2W 764B71E1 5 Bytes JMP 000A0E10
.text C:\Windows\ehome\ehtray.exe[2148] ADVAPI32.dll!CreateServiceA 764B72A1 5 Bytes JMP 000A01F8
.text C:\Windows\ehome\ehtray.exe[2148] USER32.dll!SetWindowsHookExA 76366322 5 Bytes JMP 000B0600
.text C:\Windows\ehome\ehtray.exe[2148] USER32.dll!SetWindowsHookExW 763687AD 5 Bytes JMP 000B0804
.text C:\Windows\ehome\ehtray.exe[2148] USER32.dll!UnhookWindowsHookEx 763698DB 5 Bytes JMP 000B0A08
.text C:\Windows\ehome\ehtray.exe[2148] USER32.dll!SetWinEventHook 76369F3A 5 Bytes JMP 000B01F8
.text C:\Windows\ehome\ehtray.exe[2148] USER32.dll!UnhookWinEvent 7636C06F 5 Bytes JMP 000B03FC
.text C:\Windows\ehome\ehmsas.exe[2312] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 000401F8
.text C:\Windows\ehome\ehmsas.exe[2312] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 000403FC
.text C:\Windows\ehome\ehmsas.exe[2312] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Windows\ehome\ehmsas.exe[2312] ADVAPI32.dll!CreateServiceW 76479EB4 5 Bytes JMP 000603FC
.text C:\Windows\ehome\ehmsas.exe[2312] ADVAPI32.dll!DeleteService 7647A07E 5 Bytes JMP 00060600
.text C:\Windows\ehome\ehmsas.exe[2312] ADVAPI32.dll!SetServiceObjectSecurity 764B6CD9 5 Bytes JMP 00061014
.text C:\Windows\ehome\ehmsas.exe[2312] ADVAPI32.dll!ChangeServiceConfigA 764B6DD9 5 Bytes JMP 00060804
.text C:\Windows\ehome\ehmsas.exe[2312] ADVAPI32.dll!ChangeServiceConfigW 764B6F81 5 Bytes JMP 00060A08
.text C:\Windows\ehome\ehmsas.exe[2312] ADVAPI32.dll!ChangeServiceConfig2A 764B7099 5 Bytes JMP 00060C0C
.text C:\Windows\ehome\ehmsas.exe[2312] ADVAPI32.dll!ChangeServiceConfig2W 764B71E1 5 Bytes JMP 00060E10
.text C:\Windows\ehome\ehmsas.exe[2312] ADVAPI32.dll!CreateServiceA 764B72A1 5 Bytes JMP 000601F8
.text C:\Windows\ehome\ehmsas.exe[2312] USER32.dll!SetWindowsHookExA 76366322 5 Bytes JMP 00070600
.text C:\Windows\ehome\ehmsas.exe[2312] USER32.dll!SetWindowsHookExW 763687AD 5 Bytes JMP 00070804
.text C:\Windows\ehome\ehmsas.exe[2312] USER32.dll!UnhookWindowsHookEx 763698DB 5 Bytes JMP 00070A08
.text C:\Windows\ehome\ehmsas.exe[2312] USER32.dll!SetWinEventHook 76369F3A 5 Bytes JMP 000701F8
.text C:\Windows\ehome\ehmsas.exe[2312] USER32.dll!UnhookWinEvent 7636C06F 5 Bytes JMP 000703FC
.text C:\Users\Dom\AppData\Roaming\blueconnect\ouc.exe[2364] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 001601F8
.text C:\Users\Dom\AppData\Roaming\blueconnect\ouc.exe[2364] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 001603FC
.text C:\Users\Dom\AppData\Roaming\blueconnect\ouc.exe[2364] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Program Files\iPod\bin\iPodService.exe[2716] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 000501F8
.text C:\Program Files\iPod\bin\iPodService.exe[2716] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 000503FC
.text C:\Program Files\iPod\bin\iPodService.exe[2716] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Program Files\iPod\bin\iPodService.exe[2716] ADVAPI32.dll!CreateServiceW 76479EB4 5 Bytes JMP 000703FC
.text C:\Program Files\iPod\bin\iPodService.exe[2716] ADVAPI32.dll!DeleteService 7647A07E 5 Bytes JMP 00070600
.text C:\Program Files\iPod\bin\iPodService.exe[2716] ADVAPI32.dll!SetServiceObjectSecurity 764B6CD9 5 Bytes JMP 00071014
.text C:\Program Files\iPod\bin\iPodService.exe[2716] ADVAPI32.dll!ChangeServiceConfigA 764B6DD9 5 Bytes JMP 00070804
.text C:\Program Files\iPod\bin\iPodService.exe[2716] ADVAPI32.dll!ChangeServiceConfigW 764B6F81 5 Bytes JMP 00070A08
.text C:\Program Files\iPod\bin\iPodService.exe[2716] ADVAPI32.dll!ChangeServiceConfig2A 764B7099 5 Bytes JMP 00070C0C
.text C:\Program Files\iPod\bin\iPodService.exe[2716] ADVAPI32.dll!ChangeServiceConfig2W 764B71E1 5 Bytes JMP 00070E10
.text C:\Program Files\iPod\bin\iPodService.exe[2716] ADVAPI32.dll!CreateServiceA 764B72A1 5 Bytes JMP 000701F8
.text C:\Program Files\iPod\bin\iPodService.exe[2716] USER32.dll!SetWindowsHookExA 76366322 5 Bytes JMP 00080600
.text C:\Program Files\iPod\bin\iPodService.exe[2716] USER32.dll!SetWindowsHookExW 763687AD 5 Bytes JMP 00080804
.text C:\Program Files\iPod\bin\iPodService.exe[2716] USER32.dll!UnhookWindowsHookEx 763698DB 5 Bytes JMP 00080A08
.text C:\Program Files\iPod\bin\iPodService.exe[2716] USER32.dll!SetWinEventHook 76369F3A 5 Bytes JMP 000801F8
.text C:\Program Files\iPod\bin\iPodService.exe[2716] USER32.dll!UnhookWinEvent 7636C06F 5 Bytes JMP 000803FC
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3024] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 001501F8
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3024] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 001503FC
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3024] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3024] USER32.dll!SetWindowsHookExA 76366322 5 Bytes JMP 00170600
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3024] USER32.dll!SetWindowsHookExW 763687AD 5 Bytes JMP 00170804
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3024] USER32.dll!UnhookWindowsHookEx 763698DB 5 Bytes JMP 00170A08
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3024] USER32.dll!SetWinEventHook 76369F3A 5 Bytes JMP 001701F8
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3024] USER32.dll!UnhookWinEvent 7636C06F 5 Bytes JMP 001703FC
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3024] ADVAPI32.dll!CreateServiceW 76479EB4 5 Bytes JMP 001803FC
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3024] ADVAPI32.dll!DeleteService 7647A07E 5 Bytes JMP 00180600
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3024] ADVAPI32.dll!SetServiceObjectSecurity 764B6CD9 5 Bytes JMP 00181014
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3024] ADVAPI32.dll!ChangeServiceConfigA 764B6DD9 5 Bytes JMP 00180804
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3024] ADVAPI32.dll!ChangeServiceConfigW 764B6F81 5 Bytes JMP 00180A08
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3024] ADVAPI32.dll!ChangeServiceConfig2A 764B7099 5 Bytes JMP 00180C0C
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3024] ADVAPI32.dll!ChangeServiceConfig2W 764B71E1 5 Bytes JMP 00180E10
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3024] ADVAPI32.dll!CreateServiceA 764B72A1 5 Bytes JMP 001801F8
.text C:\Windows\system32\svchost.exe[3188] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 
000501F8 .text C:\Windows\system32\svchost.exe[3188] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[3188] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62] .text C:\Windows\system32\svchost.exe[3188] ADVAPI32.dll!CreateServiceW 76479EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[3188] ADVAPI32.dll!DeleteService 7647A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[3188] ADVAPI32.dll!SetServiceObjectSecurity 764B6CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[3188] ADVAPI32.dll!ChangeServiceConfigA 764B6DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[3188] ADVAPI32.dll!ChangeServiceConfigW 764B6F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[3188] ADVAPI32.dll!ChangeServiceConfig2A 764B7099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[3188] ADVAPI32.dll!ChangeServiceConfig2W 764B71E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[3188] ADVAPI32.dll!CreateServiceA 764B72A1 5 Bytes JMP 000701F8 .text C:\Program Files\Google\Update\GoogleUpdate.exe[3236] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 001601F8 .text C:\Program Files\Google\Update\GoogleUpdate.exe[3236] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 001603FC .text C:\Program Files\Google\Update\GoogleUpdate.exe[3236] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62] .text C:\Program Files\Google\Update\GoogleUpdate.exe[3236] USER32.dll!SetWindowsHookExA 76366322 5 Bytes JMP 00170600 .text C:\Program Files\Google\Update\GoogleUpdate.exe[3236] USER32.dll!SetWindowsHookExW 763687AD 5 Bytes JMP 00170804 .text C:\Program Files\Google\Update\GoogleUpdate.exe[3236] USER32.dll!UnhookWindowsHookEx 763698DB 5 Bytes JMP 00170A08 .text C:\Program Files\Google\Update\GoogleUpdate.exe[3236] USER32.dll!SetWinEventHook 76369F3A 5 Bytes JMP 001701F8 .text C:\Program Files\Google\Update\GoogleUpdate.exe[3236] USER32.dll!UnhookWinEvent 7636C06F 5 Bytes JMP 001703FC .text 
C:\Program Files\Google\Update\GoogleUpdate.exe[3236] ADVAPI32.dll!CreateServiceW 76479EB4 5 Bytes JMP 001903FC .text C:\Program Files\Google\Update\GoogleUpdate.exe[3236] ADVAPI32.dll!DeleteService 7647A07E 5 Bytes JMP 00190600 .text C:\Program Files\Google\Update\GoogleUpdate.exe[3236] ADVAPI32.dll!SetServiceObjectSecurity 764B6CD9 5 Bytes JMP 00191014 .text C:\Program Files\Google\Update\GoogleUpdate.exe[3236] ADVAPI32.dll!ChangeServiceConfigA 764B6DD9 5 Bytes JMP 00190804 .text C:\Program Files\Google\Update\GoogleUpdate.exe[3236] ADVAPI32.dll!ChangeServiceConfigW 764B6F81 5 Bytes JMP 00190A08 .text C:\Program Files\Google\Update\GoogleUpdate.exe[3236] ADVAPI32.dll!ChangeServiceConfig2A 764B7099 5 Bytes JMP 00190C0C .text C:\Program Files\Google\Update\GoogleUpdate.exe[3236] ADVAPI32.dll!ChangeServiceConfig2W 764B71E1 5 Bytes JMP 00190E10 .text C:\Program Files\Google\Update\GoogleUpdate.exe[3236] ADVAPI32.dll!CreateServiceA 764B72A1 5 Bytes JMP 001901F8 .text C:\Users\Dom\Desktop\n51t8qqn.exe[3876] ntdll.dll!LdrLoadDll 77BF9378 5 Bytes JMP 001501F8 .text C:\Users\Dom\Desktop\n51t8qqn.exe[3876] ntdll.dll!LdrUnloadDll 77C0B680 5 Bytes JMP 001503FC .text C:\Users\Dom\Desktop\n51t8qqn.exe[3876] kernel32.dll!GetBinaryTypeW + 70 77462467 1 Byte [62] .text C:\Users\Dom\Desktop\n51t8qqn.exe[3876] ADVAPI32.dll!CreateServiceW 76479EB4 5 Bytes JMP 002503FC .text C:\Users\Dom\Desktop\n51t8qqn.exe[3876] ADVAPI32.dll!DeleteService 7647A07E 5 Bytes JMP 00250600 .text C:\Users\Dom\Desktop\n51t8qqn.exe[3876] ADVAPI32.dll!SetServiceObjectSecurity 764B6CD9 5 Bytes JMP 00251014 .text C:\Users\Dom\Desktop\n51t8qqn.exe[3876] ADVAPI32.dll!ChangeServiceConfigA 764B6DD9 5 Bytes JMP 00250804 .text C:\Users\Dom\Desktop\n51t8qqn.exe[3876] ADVAPI32.dll!ChangeServiceConfigW 764B6F81 5 Bytes JMP 00250A08 .text C:\Users\Dom\Desktop\n51t8qqn.exe[3876] ADVAPI32.dll!ChangeServiceConfig2A 764B7099 5 Bytes JMP 00250C0C .text C:\Users\Dom\Desktop\n51t8qqn.exe[3876] 
ADVAPI32.dll!ChangeServiceConfig2W 764B71E1 5 Bytes JMP 00250E10 .text C:\Users\Dom\Desktop\n51t8qqn.exe[3876] ADVAPI32.dll!CreateServiceA 764B72A1 5 Bytes JMP 002501F8 .text C:\Users\Dom\Desktop\n51t8qqn.exe[3876] USER32.dll!SetWindowsHookExA 76366322 5 Bytes JMP 00360600 .text C:\Users\Dom\Desktop\n51t8qqn.exe[3876] USER32.dll!SetWindowsHookExW 763687AD 5 Bytes JMP 00360804 .text C:\Users\Dom\Desktop\n51t8qqn.exe[3876] USER32.dll!UnhookWindowsHookEx 763698DB 5 Bytes JMP 00360A08 .text C:\Users\Dom\Desktop\n51t8qqn.exe[3876] USER32.dll!SetWinEventHook 76369F3A 5 Bytes JMP 003601F8 .text C:\Users\Dom\Desktop\n51t8qqn.exe[3876] USER32.dll!UnhookWinEvent 7636C06F 5 Bytes JMP 003603FC ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[228] @ C:\Windows\system32\WS2_32.dll [ADVAPI32.dll!RegOpenKeyExA] [000515A0] C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (avast! Service/AVAST Software) IAT C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[228] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [74F8F6D0] C:\Program Files\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 000E0002 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 000E0000 IAT C:\Program Files\Alwil Software\Avast5\AvastUI.exe[1884] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [74F8F6D0] C:\Program Files\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74B87817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74BCB4E9] 
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74B8BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74B7F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74B875E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74B7E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74BB73F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74B8DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74B7FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT 
C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74B7FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74B771CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74C0CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74BAC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74B7D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74B76853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74B7687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74B82AD1] 
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) ---- EOF - GMER 1.0.15 ----