GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-23 23:05:53
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\0000005e WDC_WD2500KS-00MJB0 rev.02.01C03
Running: uxh09upl.exe; Driver: C:\DOCUME~1\dom\USTAWI~1\Temp\kxtdapog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xF2FDC4C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xF30B1C36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xF2FDCEDE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xF301E7A1]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xF2FE7EEE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xF2FE7F3A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xF2FE80BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xF301E155]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xF2FE7E5C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xF2FE7F7E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xF2FE7EA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0xF2FDD124]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xF2FE8076]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0xF2FDD946]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xF2FDC510]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xF301EE67]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xF301F11D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xF2FE1108]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xF301ECD2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xF301EB3D]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xF30B1CFE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xF2FDC178]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xF2FDC55E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xF2FE147A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xF2FDE3AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xF2FE7F18]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xF2FE7F5C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xF2FE80E0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xF301E4B1]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xF2FE7E82]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xF2FE0C46]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xF2FE8000]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xF2FE7ECC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xF2FE0EB0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xF2FE809A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xF30B1E5E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xF301E9B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xF2FDE27A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xF301E80A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0xF2FDDDDC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xF30BE786]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xF301D7C8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xF2FDC5AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xF2FDC5FA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0xF2FDD7C6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xF2FDC202]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xF2FDC3B2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xF301EF6E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xF2FDC358]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0xF2FDDB00]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0xF2FDDC5C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xF2FDC422]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateProcess [0xF2FDD4DC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0xF2FDD63E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0xF30B0468]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xF2FDC648]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwWriteVirtualMemory [0xF2FDCF22]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xF30CAE16]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 25FC 80501E4C 4 Bytes [B8, E9, 01, F3]
.text ntkrnlpa.exe!ZwCallbackReturn + 2640 80501E90 4 Bytes [0A, E8, 01, F3] {OR CH, AL; ADD EBX, ESI}
.text ntkrnlpa.exe!ZwCallbackReturn + 26C8 80501F18 12 Bytes [AC, C5, FD, F2, FA, C5, FD, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2770 80501FC0 12 Bytes [00, DB, FD, F2, 5C, DC, FD, ...]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF5E5E3C0, 0x843B7A, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Java\jre7\bin\jqs.exe[192] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Java\jre7\bin\jqs.exe[192] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\LGScsiCommandService.exe[368] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\LGScsiCommandService.exe[368] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\nvsvc32.exe[436] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\nvsvc32.exe[436] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\HPZipm12.exe[544] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\HPZipm12.exe[544] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\smss.exe[648] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[704] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003C01F8
.text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[704] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[704] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003C03FC
.text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[704] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[704] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00991014
.text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[704] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00990804
.text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[704] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00990A08
.text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[704] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00990C0C
.text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[704] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00990E10
.text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[704] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 009901F8
.text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[704] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 009903FC
.text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[704] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00990600
.text C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe[720] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003D01F8
.text C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe[720] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe[720] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003D03FC
.text C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe[720] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe[720] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 013E0804
.text C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe[720] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 013E0A08
.text C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe[720] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 013E0600
.text C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe[720] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 013E01F8
.text C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe[720] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 013E03FC
.text C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe[720] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 01B61014
.text C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe[720] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 01B60804
.text C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe[720] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 01B60A08
.text C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe[720] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 01B60C0C
.text C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe[720] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 01B60E10
.text C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe[720] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 01B601F8
.text C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe[720] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 01B603FC
.text C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe[720] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 01B60600
.text C:\WINDOWS\system32\csrss.exe[884] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[884] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[908] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[908] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[952] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[952] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[964] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[988] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003D01F8
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[988] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[988] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003D03FC
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[988] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[988] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00DB1014
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[988] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00DB0804
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[988] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00DB0A08
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[988] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00DB0C0C
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[988] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00DB0E10
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[988] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 00DB01F8
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[988] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00DB03FC
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[988] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00DB0600
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[988] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00DC0804
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[988] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00DC0A08
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[988] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00DC0600
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[988] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00DC01F8
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[988] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 00DC03FC
.text C:\WINDOWS\system32\svchost.exe[1120] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1216] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1216] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1260] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1260] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe[1336] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003D01F8
.text C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe[1336] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe[1336] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003D03FC
.text C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe[1336] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe[1336] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00B70804
.text C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe[1336] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00B70A08
.text C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe[1336] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00B70600
.text C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe[1336] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00B701F8
.text C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe[1336] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 00B703FC
.text C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe[1336] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00E71014
.text C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe[1336] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00E70804
.text C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe[1336] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00E70A08
.text C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe[1336] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00E70C0C
.text C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe[1336] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00E70E10
.text C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe[1336] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 00E701F8
.text C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe[1336] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00E703FC
.text C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe[1336] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00E70600
.text C:\WINDOWS\system32\svchost.exe[1416] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Logitech\Vid\Vid.exe[1536] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003D01F8
.text C:\Program Files\Logitech\Vid\Vid.exe[1536] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Logitech\Vid\Vid.exe[1536] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003D03FC
.text C:\Program Files\Logitech\Vid\Vid.exe[1536] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Logitech\Vid\Vid.exe[1536] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 02F80804
.text C:\Program Files\Logitech\Vid\Vid.exe[1536] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 02F80A08
.text C:\Program Files\Logitech\Vid\Vid.exe[1536] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 02F80600
.text C:\Program Files\Logitech\Vid\Vid.exe[1536] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 02F801F8
.text C:\Program Files\Logitech\Vid\Vid.exe[1536] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 02F803FC
.text C:\Program Files\Logitech\Vid\Vid.exe[1536] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 02F71014
.text C:\Program Files\Logitech\Vid\Vid.exe[1536] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 02F70804
.text C:\Program Files\Logitech\Vid\Vid.exe[1536] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 02F70A08
.text C:\Program Files\Logitech\Vid\Vid.exe[1536] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 02F70C0C
.text C:\Program Files\Logitech\Vid\Vid.exe[1536] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 02F70E10
.text C:\Program Files\Logitech\Vid\Vid.exe[1536] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 02F701F8
.text C:\Program Files\Logitech\Vid\Vid.exe[1536] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 02F703FC
.text C:\Program Files\Logitech\Vid\Vid.exe[1536] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 02F70600
.text C:\WINDOWS\RTHDCPL.EXE[1572] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\RTHDCPL.EXE[1572] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1588] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1588] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1632] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1632] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1700] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1700] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1700] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe[1708] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe[1708] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1768] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1768] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\RunDLL32.exe[1788] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\RunDLL32.exe[1788] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1812] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1812] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1916] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1916] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1960] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe[1960] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[2004] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[2004] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2052] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003101F8
.text C:\WINDOWS\System32\alg.exe[2052] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2052] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003103FC
.text C:\WINDOWS\System32\alg.exe[2052] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003201F8
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003203FC
.text C:\WINDOWS\system32\ctfmon.exe[2160] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 003F1014
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 003F0804
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 003F0A08
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 003F0C0C
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 003F0E10
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003F01F8
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003F03FC
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 003F0600
.text C:\WINDOWS\system32\ntvdm.exe[2212] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 022F01F8
.text C:\WINDOWS\system32\ntvdm.exe[2212] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\ntvdm.exe[2212] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 022F03FC
.text C:\WINDOWS\system32\ntvdm.exe[2212] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\ntvdm.exe[2212] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 02B61014
.text C:\WINDOWS\system32\ntvdm.exe[2212] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 02B60804
.text C:\WINDOWS\system32\ntvdm.exe[2212] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 02B60A08
.text C:\WINDOWS\system32\ntvdm.exe[2212] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 02B60C0C
.text C:\WINDOWS\system32\ntvdm.exe[2212] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 02B60E10
.text C:\WINDOWS\system32\ntvdm.exe[2212] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 02B601F8
.text C:\WINDOWS\system32\ntvdm.exe[2212] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 02B603FC
.text C:\WINDOWS\system32\ntvdm.exe[2212] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 02B60600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 04, 7E, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 07, 7E, 00] {SUB [EDI], AL; JLE 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 04, 7E, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 05, 7E, 00] {TEST AL, 0x5; JLE 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91541E
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 06, 7E, 00] {TEST AL, 0x6; JLE 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 05, 7E, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 06, 7E, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91548F
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 04, 7E, 00] {TEST AL, 0x4; JLE 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9155BD
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 05, 7E, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 06, 7E, 00] {SUB [ESI], AL; JLE 0x4}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 07, 7E, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00AC01F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 00AC03FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 01091014
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 01090804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 01090A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 01090C0C
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 01090E10
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 010901F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 010903FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 01090600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 01870804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 01870A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 01870600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 018701F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2820] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 018703FC
.text C:\WINDOWS\system32\svchost.exe[2844] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\svchost.exe[2844] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[2844] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003103FC
.text C:\WINDOWS\system32\svchost.exe[2844] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[2844] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00AC1014
.text C:\WINDOWS\system32\svchost.exe[2844] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00AC0804
.text C:\WINDOWS\system32\svchost.exe[2844] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00AC0A08
.text C:\WINDOWS\system32\svchost.exe[2844] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00AC0C0C
.text C:\WINDOWS\system32\svchost.exe[2844] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00AC0E10
.text C:\WINDOWS\system32\svchost.exe[2844] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 00AC01F8
.text C:\WINDOWS\system32\svchost.exe[2844] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00AC03FC
.text C:\WINDOWS\system32\svchost.exe[2844] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00AC0600
.text C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe[3024] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003D01F8
.text C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe[3024] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe[3024] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003D03FC
.text C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe[3024] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3152] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003D01F8
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3152] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3152] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003D03FC
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3152] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3152] USER32.dll!SetWindowsHookExW 7E37820F
5 Bytes JMP 01170804 .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3152] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 01170A08 .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3152] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 01170600 .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3152] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 011701F8 .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3152] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 011703FC .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3152] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 01141014 .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3152] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 01140804 .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3152] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 01140A08 .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3152] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 01140C0C .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3152] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 01140E10 .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3152] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 011401F8 .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3152] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 011403FC .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3152] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 01140600 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 30, 2B, 00] {SUB [EAX], DH; SUB EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] 
ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 33, 2B, 00] {SUB [EBX], DH; SUB EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 30, 2B, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 31, 2B, 00] {TEST AL, 0x31; SUB EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91014A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 32, 2B, 00] {TEST AL, 0x32; SUB EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 31, 2B, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 32, 2B, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B9101BB .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtOpenThreadTokenEx + B 
7C90D689 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 30, 2B, 00] {TEST AL, 0x30; SUB EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9102E9 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 31, 2B, 00] {SUB [ECX], DH; SUB EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 32, 2B, 00] {SUB [EDX], DH; SUB EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 33, 2B, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 006E01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 006E03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ADVAPI32.dll!SetServiceObjectSecurity 
77E26D81 5 Bytes JMP 00A31014 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00A30804 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00A30A08 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00A30C0C .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00A30E10 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 00A301F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00A303FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00A30600 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 01210804 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 01210A08 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 01210600 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 012101F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3452] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 012103FC .text C:\Program Files\totalcmd\TOTALCMD.EXE[3496] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003101F8 .text C:\Program Files\totalcmd\TOTALCMD.EXE[3496] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\totalcmd\TOTALCMD.EXE[3496] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003103FC .text C:\Program Files\totalcmd\TOTALCMD.EXE[3496] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62] .text C:\Program 
Files\totalcmd\TOTALCMD.EXE[3496] advapi32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00C21014 .text C:\Program Files\totalcmd\TOTALCMD.EXE[3496] advapi32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00C20804 .text C:\Program Files\totalcmd\TOTALCMD.EXE[3496] advapi32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00C20A08 .text C:\Program Files\totalcmd\TOTALCMD.EXE[3496] advapi32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00C20C0C .text C:\Program Files\totalcmd\TOTALCMD.EXE[3496] advapi32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00C20E10 .text C:\Program Files\totalcmd\TOTALCMD.EXE[3496] advapi32.dll!CreateServiceA 77E27211 5 Bytes JMP 00C201F8 .text C:\Program Files\totalcmd\TOTALCMD.EXE[3496] advapi32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00C203FC .text C:\Program Files\totalcmd\TOTALCMD.EXE[3496] advapi32.dll!DeleteService 77E274B1 5 Bytes JMP 00C20600 .text C:\Program Files\totalcmd\TOTALCMD.EXE[3496] USER32.dll!SetWindowsHookExW 7E37820F 3 Bytes JMP 00C30804 .text C:\Program Files\totalcmd\TOTALCMD.EXE[3496] USER32.dll!SetWindowsHookExW + 4 7E378213 1 Byte [82] .text C:\Program Files\totalcmd\TOTALCMD.EXE[3496] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00C30A08 .text C:\Program Files\totalcmd\TOTALCMD.EXE[3496] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00C30600 .text C:\Program Files\totalcmd\TOTALCMD.EXE[3496] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 00C301F8 .text C:\Program Files\totalcmd\TOTALCMD.EXE[3496] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 00C303FC .text C:\Documents and Settings\dom\Pulpit\GMER\uxh09upl.exe[3672] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003D01F8 .text C:\Documents and Settings\dom\Pulpit\GMER\uxh09upl.exe[3672] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\dom\Pulpit\GMER\uxh09upl.exe[3672] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003D03FC .text C:\Documents and Settings\dom\Pulpit\GMER\uxh09upl.exe[3672] KERNEL32.dll!GetBinaryTypeW + 
80 7C868D8C 1 Byte [62] .text C:\Documents and Settings\dom\Pulpit\GMER\uxh09upl.exe[3672] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 009C1014 .text C:\Documents and Settings\dom\Pulpit\GMER\uxh09upl.exe[3672] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 009C0804 .text C:\Documents and Settings\dom\Pulpit\GMER\uxh09upl.exe[3672] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 009C0A08 .text C:\Documents and Settings\dom\Pulpit\GMER\uxh09upl.exe[3672] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 009C0C0C .text C:\Documents and Settings\dom\Pulpit\GMER\uxh09upl.exe[3672] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 009C0E10 .text C:\Documents and Settings\dom\Pulpit\GMER\uxh09upl.exe[3672] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 009C01F8 .text C:\Documents and Settings\dom\Pulpit\GMER\uxh09upl.exe[3672] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 009C03FC .text C:\Documents and Settings\dom\Pulpit\GMER\uxh09upl.exe[3672] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 009C0600 .text C:\Documents and Settings\dom\Pulpit\GMER\uxh09upl.exe[3672] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 009D0804 .text C:\Documents and Settings\dom\Pulpit\GMER\uxh09upl.exe[3672] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 009D0A08 .text C:\Documents and Settings\dom\Pulpit\GMER\uxh09upl.exe[3672] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 009D0600 .text C:\Documents and Settings\dom\Pulpit\GMER\uxh09upl.exe[3672] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 009D01F8 .text C:\Documents and Settings\dom\Pulpit\GMER\uxh09upl.exe[3672] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 009D03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003D01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] 
ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003D03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00F01014 .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00F00804 .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00F00A08 .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00F00C0C .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00F00E10 .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 00F001F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00F003FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00F00600 .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 011C0804 .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 011C0A08 .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 011C0600 .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 011C01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[4004] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 011C03FC ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINDOWS\system32\services.exe[952] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT 
C:\WINDOWS\system32\services.exe[952] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 IAT C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1632] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6D0] C:\PROGRA~1\ALWILS~1\Avast5\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1700] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6D0] C:\Program Files\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Program Files\Google\Chrome\Application\chrome.exe[2820] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00910010 IAT C:\Program Files\Google\Chrome\Application\chrome.exe[3452] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 003F0010 ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software) AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) ---- EOF - GMER 1.0.15 ----