GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-16 06:15:48
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEKT-22KA9T0 rev.01.01A01 298.09GB
Running: ff2llu1p.exe; Driver: C:\Users\Magda\AppData\Local\Temp\pwlirfow.sys

---- System - GMER 2.0 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8D6204BA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8DA16C22]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8D620ED6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8D62BFA8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8D62BFF4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8D62C176]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8D62BF16]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8DA16FA6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8D62BF5E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x8D62111C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8D62C130]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x8D62193E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8D620508]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8DA16CEA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8DA153EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8D620556]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8D625534]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8D6223A6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8D62BFD2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8D62C016]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8D62C19A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8D62BF3C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8D62C0BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8D62BF86]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8D62C154]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8DA16E4A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8D622272]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0x8D621DD4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8D6205A4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8D6205F2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x8D6217BE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8D6201FA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8D6203AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8D620350]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x8D621AF8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x8D621C54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8D62041A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x8DA16EFE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x8D621636]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0x8DA1541C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8D620640]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x8DA16D96]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x8D6212F4]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8DA2FE56]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 2.0 ----

.text ntkrnlpa.exe!KeSetEvent + 10D 82CE97D0 4 Bytes [BA, 04, 62, 8D]
.text ntkrnlpa.exe!KeSetEvent + 131 82CE97F4 4 Bytes [22, 6C, A1, 8D] {AND CH, [ECX-0x73]}
.text ntkrnlpa.exe!KeSetEvent + 191 82CE9854 4 Bytes [D6, 0E, 62, 8D]
.text ntkrnlpa.exe!KeSetEvent + 1D1 82CE9894 8 Bytes [A8, BF, 62, 8D, F4, BF, 62, ...] {TEST AL, 0xbf; BOUND ECX, [EBP-0x729d400c]}
.text ntkrnlpa.exe!KeSetEvent + 1DE 82CE98A1 3 Bytes [C1, 62, 8D]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82E14633 5 Bytes JMP 8DA2CCF6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 82E6D593 5 Bytes JMP 8DA2E810 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82E76EB8 4 Bytes CALL 8D622A8D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 82E7AB2C 4 Bytes CALL 8D622AA3 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82ECEE8C 7 Bytes JMP 8DA2FE5A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text ntdll.dll!LdrLoadDll 77A79378 5 Bytes [E9, 7B, 6E, 6E, 88] {JMP 0x886e6e80}
.text ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes [E9, 77, 4D, 6D, 88] {JMP 0x886d4d7c}

---- User code sections - GMER 2.0 ----

.text C:\Windows\System32\spoolsv.exe[328] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Windows\system32\svchost.exe[388] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[480] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Windows\system32\csrss.exe[596] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Windows\system32\wininit.exe[652] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text ...
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 005801F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 005803FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtCreateFile + 6 77AB424A 4 Bytes [28, D0, 52, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtCreateFile + B 77AB424F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtMapViewOfSection + 6 77AB499A 4 Bytes [28, D3, 52, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtMapViewOfSection + B 77AB499F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtOpenFile + 6 77AB4A2A 4 Bytes [68, D0, 52, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtOpenFile + B 77AB4A2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtOpenProcess + 6 77AB4AAA 4 Bytes [A8, D1, 52, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtOpenProcess + B 77AB4AAF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtOpenProcessToken + B 77AB4ABF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtOpenProcessTokenEx + 6 77AB4ACA 4 Bytes [A8, D2, 52, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtOpenProcessTokenEx + B 77AB4ACF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtOpenThread + 6 77AB4B1A 4 Bytes [68, D1, 52, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtOpenThread + B 77AB4B1F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtOpenThreadToken + 6 77AB4B2A 4 Bytes [68, D2, 52, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtOpenThreadToken + B 77AB4B2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtOpenThreadTokenEx + B 77AB4B3F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtQueryAttributesFile + 6 77AB4BCA 4 Bytes [A8, D0, 52, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtQueryAttributesFile + B 77AB4BCF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtQueryFullAttributesFile + B 77AB4C7F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtSetInformationFile + 6 77AB515A 4 Bytes [28, D1, 52, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtSetInformationFile + B 77AB515F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtSetInformationThread + 6 77AB51AA 4 Bytes [28, D2, 52, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtSetInformationThread + B 77AB51AF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtUnmapViewOfSection + 6 77AB544A 4 Bytes [68, D3, 52, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ntdll.dll!NtUnmapViewOfSection + B 77AB544F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00590600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00590804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00590A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 005901F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 005903FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 005A03FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 005A0600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 005A1014
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 005A0804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 005A0A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 005A0C0C
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 005A0E10
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1272] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 005A01F8
.text C:\Windows\system32\AUDIODG.EXE[1304] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1332] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1392] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 001601F8
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1392] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 001603FC
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1392] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1392] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00170600
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1392] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00170804
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1392] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00170A08
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1392] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 001701F8
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1392] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 001703FC
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1392] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 001803FC
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1392] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00180600
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1392] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00181014
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1392] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00180804
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1392] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00180A08
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1392] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00180C0C
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1392] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00180E10
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1392] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 001801F8
.text C:\Windows\system32\Ati2evxx.exe[1396] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1420] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1460] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 000501F8
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1460] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 000503FC
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1460] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1460] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 000603FC
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1460] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00060600
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1460] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00061014
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1460] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00060804
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1460] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00060A08
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1460] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00060C0C
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1460] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00060E10
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1460] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 000601F8
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1460] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00070600
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1460] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00070804
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1460] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00070A08
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1460] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 000701F8
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1460] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 000703FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 003401F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 003403FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtCreateFile + 6 77AB424A 4 Bytes [28, F4, 1A, 00] {SUB AH, DH; SBB AL, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtCreateFile + B 77AB424F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtMapViewOfSection + 6 77AB499A 4 Bytes [28, F7, 1A, 00] {SUB BH, DH; SBB AL, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtMapViewOfSection + B 77AB499F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtOpenFile + 6 77AB4A2A 4 Bytes [68, F4, 1A, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtOpenFile + B 77AB4A2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtOpenProcess + 6 77AB4AAA 4 Bytes [A8, F5, 1A, 00] {TEST AL, 0xf5; SBB AL, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtOpenProcess + B 77AB4AAF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtOpenProcessToken + B 77AB4ABF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtOpenProcessTokenEx + 6 77AB4ACA 4 Bytes [A8, F6, 1A, 00] {TEST AL, 0xf6; SBB AL, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtOpenProcessTokenEx + B 77AB4ACF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtOpenThread + 6 77AB4B1A 4 Bytes [68, F5, 1A, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtOpenThread + B 77AB4B1F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtOpenThreadToken + 6 77AB4B2A 4 Bytes [68, F6, 1A, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtOpenThreadToken + B 77AB4B2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtOpenThreadTokenEx + B 77AB4B3F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtQueryAttributesFile + 6 77AB4BCA 4 Bytes [A8, F4, 1A, 00] {TEST AL, 0xf4; SBB AL, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtQueryAttributesFile + B 77AB4BCF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtQueryFullAttributesFile + B 77AB4C7F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtSetInformationFile + 6 77AB515A 4 Bytes [28, F5, 1A, 00] {SUB CH, DH; SBB AL, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtSetInformationFile + B 77AB515F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtSetInformationThread + 6 77AB51AA 4 Bytes [28, F6, 1A, 00] {SUB DH, DH; SBB AL, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtSetInformationThread + B 77AB51AF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtUnmapViewOfSection + 6 77AB544A 4 Bytes [68, F7, 1A, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ntdll.dll!NtUnmapViewOfSection + B 77AB544F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00350600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00350804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00350A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 003501F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 003503FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 003603FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00360600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00361014
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00360804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00360A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00360C0C
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00360E10
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1628] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 003601F8
.text C:\Windows\system32\svchost.exe[1660] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 009601F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 009603FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtCreateFile + 6 77AB424A 4 Bytes [28, E0, 91, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtCreateFile + B 77AB424F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtMapViewOfSection + 6 77AB499A 4 Bytes [28, E3, 91, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtMapViewOfSection + B 77AB499F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtOpenFile + 6 77AB4A2A 4 Bytes [68, E0, 91, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtOpenFile + B 77AB4A2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtOpenProcess + 6 77AB4AAA 4 Bytes [A8, E1, 91, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtOpenProcess + B 77AB4AAF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtOpenProcessToken + B 77AB4ABF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtOpenProcessTokenEx + 6 77AB4ACA 4 Bytes [A8, E2, 91, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtOpenProcessTokenEx + B 77AB4ACF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtOpenThread + 6 77AB4B1A 4 Bytes [68, E1, 91, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtOpenThread + B 77AB4B1F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtOpenThreadToken + 6 77AB4B2A 4 Bytes [68, E2, 91, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtOpenThreadToken + B 77AB4B2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtOpenThreadTokenEx + B 77AB4B3F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtQueryAttributesFile + 6 77AB4BCA 4 Bytes [A8, E0, 91, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtQueryAttributesFile + B 77AB4BCF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtQueryFullAttributesFile + B 77AB4C7F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtSetInformationFile + 6 77AB515A 4 Bytes [28, E1, 91, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtSetInformationFile + B 77AB515F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtSetInformationThread + 6 77AB51AA 4 Bytes [28, E2, 91, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtSetInformationThread + B 77AB51AF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtUnmapViewOfSection + 6 77AB544A 4 Bytes [68, E3, 91, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ntdll.dll!NtUnmapViewOfSection + B 77AB544F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00970600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00970804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00970A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 009701F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 009703FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 009803FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00980600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00981014
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00980804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00980A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00980C0C
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00980E10
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1820] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 009801F8
.text C:\Windows\system32\Dwm.exe[1872] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1884] kernel32.dll!SetUnhandledExceptionFilter 7650A8B5 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1884] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Windows\Explorer.EXE[1912] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Alwil Software\Avast5\afwServ.exe[1968] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2084] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2100] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2152] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 000601F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2152] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 000603FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2152] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2152] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00070600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2152] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00070804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2152] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00070A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2152] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 000701F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2152] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 000703FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2152] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 000803FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2152] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00080600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2152] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00081014
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2152] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00080804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2152] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00080A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2152] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00080C0C
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2152] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00080E10
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2152] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 000801F8
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE[2200] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[2236] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2244] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Windows\ehome\ehtray.exe[2252] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2260] kernel32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Windows\system32\wbem\wmiprvse.exe[2276] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 000601F8
.text C:\Windows\system32\wbem\wmiprvse.exe[2276] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 000603FC
.text C:\Windows\system32\wbem\wmiprvse.exe[2276] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Windows\system32\wbem\wmiprvse.exe[2276] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\wbem\wmiprvse.exe[2276] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00070600
.text C:\Windows\system32\wbem\wmiprvse.exe[2276] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\wbem\wmiprvse.exe[2276] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\wbem\wmiprvse.exe[2276] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\wbem\wmiprvse.exe[2276] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\wbem\wmiprvse.exe[2276] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\wbem\wmiprvse.exe[2276] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 000701F8
.text C:\Windows\system32\wbem\wmiprvse.exe[2276] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00080600
.text C:\Windows\system32\wbem\wmiprvse.exe[2276] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00080804
.text C:\Windows\system32\wbem\wmiprvse.exe[2276] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00080A08
.text C:\Windows\system32\wbem\wmiprvse.exe[2276] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 000801F8
.text C:\Windows\system32\wbem\wmiprvse.exe[2276] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 000803FC
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2624] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 000701F8
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2624] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 000703FC
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2624] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2624] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00080600
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2624] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00080804
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2624] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00080A08
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2624] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 000801F8
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2624] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 000803FC
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2624] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 001903FC
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2624] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00190600
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2624] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00191014
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2624] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00190804
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2624] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00190A08
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2624] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00190C0C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2624] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00190E10
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2624] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 001901F8
.text C:\Windows\ehome\ehmsas.exe[2688] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 000501F8
.text C:\Windows\ehome\ehmsas.exe[2688] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 000503FC
.text C:\Windows\ehome\ehmsas.exe[2688] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Windows\ehome\ehmsas.exe[2688] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 000603FC
.text C:\Windows\ehome\ehmsas.exe[2688] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00060600
.text C:\Windows\ehome\ehmsas.exe[2688] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00061014
.text C:\Windows\ehome\ehmsas.exe[2688] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00060804
.text C:\Windows\ehome\ehmsas.exe[2688] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00060A08
.text C:\Windows\ehome\ehmsas.exe[2688] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00060C0C
.text C:\Windows\ehome\ehmsas.exe[2688] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00060E10
.text C:\Windows\ehome\ehmsas.exe[2688] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 000601F8
.text C:\Windows\ehome\ehmsas.exe[2688] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00080600
.text C:\Windows\ehome\ehmsas.exe[2688] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00080804
.text C:\Windows\ehome\ehmsas.exe[2688] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00080A08
.text C:\Windows\ehome\ehmsas.exe[2688] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 000801F8
.text C:\Windows\ehome\ehmsas.exe[2688] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 000803FC
.text C:\Windows\system32\svchost.exe[2732] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[2732] ntdll.dll!LdrUnloadDll 77A8B680
5 Bytes JMP 000A03FC .text C:\Windows\system32\svchost.exe[2732] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62] .text C:\Windows\system32\svchost.exe[2732] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 000C03FC .text C:\Windows\system32\svchost.exe[2732] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 000C0600 .text C:\Windows\system32\svchost.exe[2732] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 000C1014 .text C:\Windows\system32\svchost.exe[2732] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 000C0804 .text C:\Windows\system32\svchost.exe[2732] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 000C0A08 .text C:\Windows\system32\svchost.exe[2732] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 000C0C0C .text C:\Windows\system32\svchost.exe[2732] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 000C0E10 .text C:\Windows\system32\svchost.exe[2732] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 000C01F8 .text C:\Windows\system32\svchost.exe[2732] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 000E0600 .text C:\Windows\system32\svchost.exe[2732] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 000E0804 .text C:\Windows\system32\svchost.exe[2732] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 000E0A08 .text C:\Windows\system32\svchost.exe[2732] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 000E01F8 .text C:\Windows\system32\svchost.exe[2732] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 000E03FC .text C:\Windows\system32\svchost.exe[2836] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 000A01F8 .text C:\Windows\system32\svchost.exe[2836] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 000A03FC .text C:\Windows\system32\svchost.exe[2836] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62] .text C:\Windows\system32\svchost.exe[2836] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 000B03FC .text C:\Windows\system32\svchost.exe[2836] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 000B0600 .text 
C:\Windows\system32\svchost.exe[2836] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 000B1014 .text C:\Windows\system32\svchost.exe[2836] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 000B0804 .text C:\Windows\system32\svchost.exe[2836] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 000B0A08 .text C:\Windows\system32\svchost.exe[2836] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 000B0C0C .text C:\Windows\system32\svchost.exe[2836] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 000B0E10 .text C:\Windows\system32\svchost.exe[2836] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 000B01F8 .text C:\Windows\system32\svchost.exe[2836] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 000C0600 .text C:\Windows\system32\svchost.exe[2836] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 000C0804 .text C:\Windows\system32\svchost.exe[2836] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 000C0A08 .text C:\Windows\system32\svchost.exe[2836] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 000C01F8 .text C:\Windows\system32\svchost.exe[2836] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 000C03FC .text C:\Windows\system32\svchost.exe[2940] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 000101F8 .text C:\Windows\system32\svchost.exe[2940] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 000103FC .text C:\Windows\system32\svchost.exe[2940] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62] .text C:\Windows\system32\svchost.exe[2940] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[2940] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[2940] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[2940] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[2940] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00070A08 .text 
C:\Windows\system32\svchost.exe[2940] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[2940] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[2940] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[2940] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00080600 .text C:\Windows\system32\svchost.exe[2940] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00080804 .text C:\Windows\system32\svchost.exe[2940] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\svchost.exe[2940] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\svchost.exe[2940] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 000803FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3008] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 001D01F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3008] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 001D03FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3008] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3008] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 001E03FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3008] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 001E0600 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3008] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 001E1014 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3008] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 001E0804 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3008] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 001E0A08 .text C:\Program Files\Common 
Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3008] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 001E0C0C .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3008] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 001E0E10 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3008] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 001E01F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3008] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 001F0600 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3008] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 001F0804 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3008] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 001F0A08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3008] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 001F01F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3008] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 001F03FC .text C:\Windows\system32\SearchIndexer.exe[3120] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 000601F8 .text C:\Windows\system32\SearchIndexer.exe[3120] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 000603FC .text C:\Windows\system32\SearchIndexer.exe[3120] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[3120] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\SearchIndexer.exe[3120] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00070600 .text C:\Windows\system32\SearchIndexer.exe[3120] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\SearchIndexer.exe[3120] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\SearchIndexer.exe[3120] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00070A08 .text 
C:\Windows\system32\SearchIndexer.exe[3120] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00070C0C .text C:\Windows\system32\SearchIndexer.exe[3120] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\SearchIndexer.exe[3120] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\SearchIndexer.exe[3120] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00080600 .text C:\Windows\system32\SearchIndexer.exe[3120] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00080804 .text C:\Windows\system32\SearchIndexer.exe[3120] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\SearchIndexer.exe[3120] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\SearchIndexer.exe[3120] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 000803FC .text C:\Windows\system32\conime.exe[3172] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 000901F8 .text C:\Windows\system32\conime.exe[3172] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 000903FC .text C:\Windows\system32\conime.exe[3172] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62] .text C:\Windows\system32\conime.exe[3172] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 000A03FC .text C:\Windows\system32\conime.exe[3172] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 000A0600 .text C:\Windows\system32\conime.exe[3172] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 000A1014 .text C:\Windows\system32\conime.exe[3172] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 000A0804 .text C:\Windows\system32\conime.exe[3172] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 000A0A08 .text C:\Windows\system32\conime.exe[3172] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 000A0C0C .text C:\Windows\system32\conime.exe[3172] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 000A0E10 .text C:\Windows\system32\conime.exe[3172] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 
000A01F8 .text C:\Windows\system32\conime.exe[3172] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 000B0600 .text C:\Windows\system32\conime.exe[3172] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 000B0804 .text C:\Windows\system32\conime.exe[3172] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 000B0A08 .text C:\Windows\system32\conime.exe[3172] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 000B01F8 .text C:\Windows\system32\conime.exe[3172] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 000B03FC .text C:\Windows\system32\DRIVERS\xaudio.exe[3208] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 001601F8 .text C:\Windows\system32\DRIVERS\xaudio.exe[3208] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 001603FC .text C:\Windows\system32\DRIVERS\xaudio.exe[3208] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62] .text C:\Windows\system32\DRIVERS\xaudio.exe[3208] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 001703FC .text C:\Windows\system32\DRIVERS\xaudio.exe[3208] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00170600 .text C:\Windows\system32\DRIVERS\xaudio.exe[3208] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00171014 .text C:\Windows\system32\DRIVERS\xaudio.exe[3208] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00170804 .text C:\Windows\system32\DRIVERS\xaudio.exe[3208] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00170A08 .text C:\Windows\system32\DRIVERS\xaudio.exe[3208] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00170C0C .text C:\Windows\system32\DRIVERS\xaudio.exe[3208] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00170E10 .text C:\Windows\system32\DRIVERS\xaudio.exe[3208] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 001701F8 .text C:\Windows\system32\DRIVERS\xaudio.exe[3208] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00180600 .text C:\Windows\system32\DRIVERS\xaudio.exe[3208] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00180804 .text 
C:\Windows\system32\DRIVERS\xaudio.exe[3208] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00180A08 .text C:\Windows\system32\DRIVERS\xaudio.exe[3208] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 001801F8 .text C:\Windows\system32\DRIVERS\xaudio.exe[3208] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 001803FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3460] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 000501F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3460] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 000503FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3460] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3460] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 000603FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3460] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00060600 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3460] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00061014 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3460] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00060804 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3460] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00060A08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3460] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00060C0C .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3460] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00060E10 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3460] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 000601F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3460] 
USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 000B0600 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3460] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 000B0804 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3460] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 000B0A08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3460] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 000B01F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3460] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 000B03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 009401F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 009403FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtCreateFile + 6 77AB424A 4 Bytes [28, 54, 8F, 00] {SUB [EDI+ECX*4+0x0], DL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtCreateFile + B 77AB424F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtMapViewOfSection + 6 77AB499A 4 Bytes [28, 57, 8F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtMapViewOfSection + B 77AB499F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenFile + 6 77AB4A2A 4 Bytes [68, 54, 8F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenFile + B 77AB4A2F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenProcess + 6 77AB4AAA 4 Bytes [A8, 55, 8F, 00] {TEST AL, 0x55; POP DWORD [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenProcess + B 77AB4AAF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenProcessToken + B 
77AB4ABF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenProcessTokenEx + 6 77AB4ACA 4 Bytes [A8, 56, 8F, 00] {TEST AL, 0x56; POP DWORD [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenProcessTokenEx + B 77AB4ACF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenThread + 6 77AB4B1A 4 Bytes [68, 55, 8F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenThread + B 77AB4B1F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenThreadToken + 6 77AB4B2A 4 Bytes [68, 56, 8F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenThreadToken + B 77AB4B2F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenThreadTokenEx + B 77AB4B3F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtQueryAttributesFile + 6 77AB4BCA 4 Bytes [A8, 54, 8F, 00] {TEST AL, 0x54; POP DWORD [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtQueryAttributesFile + B 77AB4BCF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtQueryFullAttributesFile + B 77AB4C7F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtSetInformationFile + 6 77AB515A 4 Bytes [28, 55, 8F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtSetInformationFile + B 77AB515F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtSetInformationThread + 6 77AB51AA 4 Bytes [28, 56, 8F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtSetInformationThread + B 77AB51AF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtUnmapViewOfSection + 6 77AB544A 4 Bytes [68, 57, 8F, 00] 
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtUnmapViewOfSection + B 77AB544F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00950600 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00950804 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00950A08 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 009501F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 009503FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 009A03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 009A0600 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 009A1014 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 009A0804 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 009A0A08 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 009A0C0C .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 009A0E10 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 009A01F8 .text C:\Windows\system32\wbem\unsecapp.exe[3720] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 000601F8 .text 
C:\Windows\system32\wbem\unsecapp.exe[3720] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 000603FC .text C:\Windows\system32\wbem\unsecapp.exe[3720] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62] .text C:\Windows\system32\wbem\unsecapp.exe[3720] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\wbem\unsecapp.exe[3720] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00070600 .text C:\Windows\system32\wbem\unsecapp.exe[3720] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\wbem\unsecapp.exe[3720] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\wbem\unsecapp.exe[3720] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\wbem\unsecapp.exe[3720] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00070C0C .text C:\Windows\system32\wbem\unsecapp.exe[3720] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\wbem\unsecapp.exe[3720] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\wbem\unsecapp.exe[3720] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00080600 .text C:\Windows\system32\wbem\unsecapp.exe[3720] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00080804 .text C:\Windows\system32\wbem\unsecapp.exe[3720] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\wbem\unsecapp.exe[3720] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\wbem\unsecapp.exe[3720] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 000803FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 00B101F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 00B103FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtCreateFile + 6 77AB424A 4 Bytes [28, 68, 
AB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtCreateFile + B 77AB424F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtMapViewOfSection + 6 77AB499A 4 Bytes [28, 6B, AB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtMapViewOfSection + B 77AB499F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtOpenFile + 6 77AB4A2A 4 Bytes [68, 68, AB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtOpenFile + B 77AB4A2F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtOpenProcess + 6 77AB4AAA 4 Bytes [A8, 69, AB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtOpenProcess + B 77AB4AAF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtOpenProcessToken + B 77AB4ABF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtOpenProcessTokenEx + 6 77AB4ACA 4 Bytes [A8, 6A, AB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtOpenProcessTokenEx + B 77AB4ACF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtOpenThread + 6 77AB4B1A 4 Bytes [68, 69, AB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtOpenThread + B 77AB4B1F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtOpenThreadToken + 6 77AB4B2A 4 Bytes [68, 6A, AB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtOpenThreadToken + B 77AB4B2F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtOpenThreadTokenEx + B 77AB4B3F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtQueryAttributesFile + 6 77AB4BCA 4 Bytes [A8, 68, AB, 00] .text C:\Program 
Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtQueryAttributesFile + B 77AB4BCF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtQueryFullAttributesFile + B 77AB4C7F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtSetInformationFile + 6 77AB515A 4 Bytes [28, 69, AB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtSetInformationFile + B 77AB515F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtSetInformationThread + 6 77AB51AA 4 Bytes [28, 6A, AB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtSetInformationThread + B 77AB51AF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtUnmapViewOfSection + 6 77AB544A 4 Bytes [68, 6B, AB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ntdll.dll!NtUnmapViewOfSection + B 77AB544F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00B20600 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00B20804 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00B20A08 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 00B201F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 00B203FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 00B303FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00B30600 
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00B31014 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00B30804 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00B30A08 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00B30C0C .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00B30E10 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3732] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 00B301F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 009101F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 009103FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtCreateFile + 6 77AB424A 4 Bytes [28, 28, 8B, 00] {SUB [EAX], CH; MOV EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtCreateFile + B 77AB424F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtMapViewOfSection + 6 77AB499A 4 Bytes [28, 2B, 8B, 00] {SUB [EBX], CH; MOV EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtMapViewOfSection + B 77AB499F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenFile + 6 77AB4A2A 4 Bytes [68, 28, 8B, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenFile + B 77AB4A2F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenProcess + 6 77AB4AAA 4 Bytes [A8, 29, 8B, 00] {TEST AL, 0x29; MOV EAX, [EAX]} .text C:\Program 
Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenProcess + B 77AB4AAF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenProcessToken + B 77AB4ABF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenProcessTokenEx + 6 77AB4ACA 4 Bytes [A8, 2A, 8B, 00] {TEST AL, 0x2a; MOV EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenProcessTokenEx + B 77AB4ACF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenThread + 6 77AB4B1A 4 Bytes [68, 29, 8B, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenThread + B 77AB4B1F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenThreadToken + 6 77AB4B2A 4 Bytes [68, 2A, 8B, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenThreadToken + B 77AB4B2F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtOpenThreadTokenEx + B 77AB4B3F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtQueryAttributesFile + 6 77AB4BCA 4 Bytes [A8, 28, 8B, 00] {TEST AL, 0x28; MOV EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtQueryAttributesFile + B 77AB4BCF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtQueryFullAttributesFile + B 77AB4C7F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtSetInformationFile + 6 77AB515A 4 Bytes [28, 29, 8B, 00] {SUB [ECX], CH; MOV EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtSetInformationFile + B 77AB515F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtSetInformationThread + 6 77AB51AA 4 Bytes [28, 2A, 8B, 00] {SUB [EDX], CH; MOV EAX, [EAX]} 
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtSetInformationThread + B 77AB51AF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtUnmapViewOfSection + 6 77AB544A 4 Bytes [68, 2B, 8B, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ntdll.dll!NtUnmapViewOfSection + B 77AB544F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00920600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00920804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00920A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 009201F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 009203FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 009303FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00930600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00931014
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00930804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00930A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00930C0C
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00930E10
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3892] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 009301F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 00AE01F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 00AE03FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtCreateFile + 6 77AB424A 4 Bytes [28, 60, A8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtCreateFile + B 77AB424F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtMapViewOfSection + 6 77AB499A 4 Bytes [28, 63, A8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtMapViewOfSection + B 77AB499F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtOpenFile + 6 77AB4A2A 4 Bytes [68, 60, A8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtOpenFile + B 77AB4A2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtOpenProcess + 6 77AB4AAA 4 Bytes [A8, 61, A8, 00] {TEST AL, 0x61; TEST AL, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtOpenProcess + B 77AB4AAF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtOpenProcessToken + B 77AB4ABF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtOpenProcessTokenEx + 6 77AB4ACA 4 Bytes [A8, 62, A8, 00] {TEST AL, 0x62; TEST AL, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtOpenProcessTokenEx + B 77AB4ACF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtOpenThread + 6 77AB4B1A 4 Bytes [68, 61, A8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtOpenThread + B 77AB4B1F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtOpenThreadToken + 6 77AB4B2A 4 Bytes [68, 62, A8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtOpenThreadToken + B 77AB4B2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtOpenThreadTokenEx + B 77AB4B3F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtQueryAttributesFile + 6 77AB4BCA 4 Bytes [A8, 60, A8, 00] {TEST AL, 0x60; TEST AL, 0x0}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtQueryAttributesFile + B 77AB4BCF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtQueryFullAttributesFile + B 77AB4C7F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtSetInformationFile + 6 77AB515A 4 Bytes [28, 61, A8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtSetInformationFile + B 77AB515F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtSetInformationThread + 6 77AB51AA 4 Bytes [28, 62, A8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtSetInformationThread + B 77AB51AF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtUnmapViewOfSection + 6 77AB544A 4 Bytes [68, 63, A8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ntdll.dll!NtUnmapViewOfSection + B 77AB544F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00AF0600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00AF0804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00AF0A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 00AF01F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 00AF03FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 00B003FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00B00600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00B01014
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00B00804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00B00A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00B00C0C
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00B00E10
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3908] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 00B001F8
.text C:\Windows\system32\svchost.exe[4060] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[4060] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[4060] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Windows\system32\svchost.exe[4060] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[4060] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[4060] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[4060] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[4060] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[4060] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[4060] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[4060] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[4060] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00080600
.text C:\Windows\system32\svchost.exe[4060] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00080804
.text C:\Windows\system32\svchost.exe[4060] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00080A08
.text C:\Windows\system32\svchost.exe[4060] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 000801F8
.text C:\Windows\system32\svchost.exe[4060] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 000803FC
.text C:\Program Files\K2T\WTW\wtw.exe[4160] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 000601F8
.text C:\Program Files\K2T\WTW\wtw.exe[4160] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 000603FC
.text C:\Program Files\K2T\WTW\wtw.exe[4160] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\K2T\WTW\wtw.exe[4160] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 000803FC
.text C:\Program Files\K2T\WTW\wtw.exe[4160] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00080600
.text C:\Program Files\K2T\WTW\wtw.exe[4160] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00081014
.text C:\Program Files\K2T\WTW\wtw.exe[4160] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00080804
.text C:\Program Files\K2T\WTW\wtw.exe[4160] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00080A08
.text C:\Program Files\K2T\WTW\wtw.exe[4160] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00080C0C
.text C:\Program Files\K2T\WTW\wtw.exe[4160] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00080E10
.text C:\Program Files\K2T\WTW\wtw.exe[4160] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 000801F8
.text C:\Program Files\K2T\WTW\wtw.exe[4160] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00090600
.text C:\Program Files\K2T\WTW\wtw.exe[4160] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00090804
.text C:\Program Files\K2T\WTW\wtw.exe[4160] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00090A08
.text C:\Program Files\K2T\WTW\wtw.exe[4160] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 000901F8
.text C:\Program Files\K2T\WTW\wtw.exe[4160] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 000903FC
.text C:\Program Files\Winamp\winamp.exe[4612] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 001601F8
.text C:\Program Files\Winamp\winamp.exe[4612] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 001603FC
.text C:\Program Files\Winamp\winamp.exe[4612] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Winamp\winamp.exe[4612] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00170600
.text C:\Program Files\Winamp\winamp.exe[4612] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00170804
.text C:\Program Files\Winamp\winamp.exe[4612] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00170A08
.text C:\Program Files\Winamp\winamp.exe[4612] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 001701F8
.text C:\Program Files\Winamp\winamp.exe[4612] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 001703FC
.text C:\Program Files\Winamp\winamp.exe[4612] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 001803FC
.text C:\Program Files\Winamp\winamp.exe[4612] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00180600
.text C:\Program Files\Winamp\winamp.exe[4612] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00181014
.text C:\Program Files\Winamp\winamp.exe[4612] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00180804
.text C:\Program Files\Winamp\winamp.exe[4612] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00180A08
.text C:\Program Files\Winamp\winamp.exe[4612] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00180C0C
.text C:\Program Files\Winamp\winamp.exe[4612] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00180E10
.text C:\Program Files\Winamp\winamp.exe[4612] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 001801F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 00E501F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 00E503FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtCreateFile + 6 77AB424A 4 Bytes [28, 0C, DF, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtCreateFile + B 77AB424F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtMapViewOfSection + 6 77AB499A 4 Bytes [28, 0F, DF, 00] {SUB [EDI], CL; FILD WORD [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtMapViewOfSection + B 77AB499F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtOpenFile + 6 77AB4A2A 4 Bytes [68, 0C, DF, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtOpenFile + B 77AB4A2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtOpenProcess + 6 77AB4AAA 4 Bytes [A8, 0D, DF, 00] {TEST AL, 0xd; FILD WORD [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtOpenProcess + B 77AB4AAF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtOpenProcessToken + B 77AB4ABF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtOpenProcessTokenEx + 6 77AB4ACA 4 Bytes [A8, 0E, DF, 00] {TEST AL, 0xe; FILD WORD [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtOpenProcessTokenEx + B 77AB4ACF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtOpenThread + 6 77AB4B1A 4 Bytes [68, 0D, DF, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtOpenThread + B 77AB4B1F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtOpenThreadToken + 6 77AB4B2A 4 Bytes [68, 0E, DF, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtOpenThreadToken + B 77AB4B2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtOpenThreadTokenEx + B 77AB4B3F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtQueryAttributesFile + 6 77AB4BCA 4 Bytes [A8, 0C, DF, 00] {TEST AL, 0xc; FILD WORD [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtQueryAttributesFile + B 77AB4BCF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtQueryFullAttributesFile + B 77AB4C7F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtSetInformationFile + 6 77AB515A 4 Bytes [28, 0D, DF, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtSetInformationFile + B 77AB515F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtSetInformationThread + 6 77AB51AA 4 Bytes [28, 0E, DF, 00] {SUB [ESI], CL; FILD WORD [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtSetInformationThread + B 77AB51AF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtUnmapViewOfSection + 6 77AB544A 4 Bytes [68, 0F, DF, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ntdll.dll!NtUnmapViewOfSection + B 77AB544F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00E60600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00E60804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00E60A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 00E601F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 00E603FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 00E703FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00E70600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00E71014
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00E70804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00E70A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00E70C0C
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00E70E10
.text C:\Program Files\Google\Chrome\Application\chrome.exe[8412] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 00E701F8
.text C:\Users\Magda\Downloads\ff2llu1p.exe[9560] ntdll.dll!LdrLoadDll 77A79378 5 Bytes JMP 001601F8
.text C:\Users\Magda\Downloads\ff2llu1p.exe[9560] ntdll.dll!LdrUnloadDll 77A8B680 5 Bytes JMP 001603FC
.text C:\Users\Magda\Downloads\ff2llu1p.exe[9560] KERNEL32.dll!GetBinaryTypeW + 70 76532447 1 Byte [62]
.text C:\Users\Magda\Downloads\ff2llu1p.exe[9560] ADVAPI32.dll!CreateServiceW 777E9EB4 5 Bytes JMP 001703FC
.text C:\Users\Magda\Downloads\ff2llu1p.exe[9560] ADVAPI32.dll!DeleteService 777EA07E 5 Bytes JMP 00170600
.text C:\Users\Magda\Downloads\ff2llu1p.exe[9560] ADVAPI32.dll!SetServiceObjectSecurity 77826CD9 5 Bytes JMP 00171014
.text C:\Users\Magda\Downloads\ff2llu1p.exe[9560] ADVAPI32.dll!ChangeServiceConfigA 77826DD9 5 Bytes JMP 00170804
.text C:\Users\Magda\Downloads\ff2llu1p.exe[9560] ADVAPI32.dll!ChangeServiceConfigW 77826F81 5 Bytes JMP 00170A08
.text C:\Users\Magda\Downloads\ff2llu1p.exe[9560] ADVAPI32.dll!ChangeServiceConfig2A 77827099 5 Bytes JMP 00170C0C
.text C:\Users\Magda\Downloads\ff2llu1p.exe[9560] ADVAPI32.dll!ChangeServiceConfig2W 778271E1 5 Bytes JMP 00170E10
.text C:\Users\Magda\Downloads\ff2llu1p.exe[9560] ADVAPI32.dll!CreateServiceA 778272A1 5 Bytes JMP 001701F8
.text C:\Users\Magda\Downloads\ff2llu1p.exe[9560] USER32.dll!SetWindowsHookExA 76416322 5 Bytes JMP 00180600
.text C:\Users\Magda\Downloads\ff2llu1p.exe[9560] USER32.dll!SetWindowsHookExW 764187AD 5 Bytes JMP 00180804
.text C:\Users\Magda\Downloads\ff2llu1p.exe[9560] USER32.dll!UnhookWindowsHookEx 764198DB 5 Bytes JMP 00180A08
.text C:\Users\Magda\Downloads\ff2llu1p.exe[9560] USER32.dll!SetWinEventHook 76419F3A 5 Bytes JMP 001801F8
.text C:\Users\Magda\Downloads\ff2llu1p.exe[9560] USER32.dll!UnhookWinEvent 7641C06F 5 Bytes JMP 001803FC

---- User IAT/EAT - GMER 2.0 ----

IAT C:\Windows\system32\services.exe[696] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 001B0002
IAT C:\Windows\system32\services.exe[696] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 001B0000
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[1272] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00550010
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[1628] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 001D0010
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[1820] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00930010
IAT C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1884] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [73E7F6D0] C:\Program Files\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74A87817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74ACB4E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74A8BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74A7F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74A875E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74A7E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74AB73F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74A8DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74A7FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74A7FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74A771CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74B0CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74AAC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74A7D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74A76853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74A7687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74A82AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\Alwil Software\Avast5\afwServ.exe[1968] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [73E7F6D0] C:\Program Files\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\Alwil Software\Avast5\AvastUI.exe[2236] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [73E7F6D0] C:\Program Files\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[3476] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00910010
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[3732] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00AE0010
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[3892] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 008E0010
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[3908] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00AB0010
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[8412] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00E20010

---- Registry - GMER 2.0 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gnfhjqops@DisplayName Microsoft Boot
Reg HKLM\SYSTEM\ControlSet001\Services\gnfhjqops@Type 32
Reg HKLM\SYSTEM\ControlSet001\Services\gnfhjqops@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\gnfhjqops@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\gnfhjqops@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\gnfhjqops@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet001\Services\gnfhjqops@Description Provides support for the Program Compatibility Assistant. If this service is stopped, the Program Compatibility Assistant will not function properly. If this service is disabled, any services that depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet001\Services\gnfhjqops\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gnfhjqops\Parameters@ServiceDll C:\Windows\system32\fyxegtbu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gnfhjqops@DisplayName Microsoft Boot
Reg HKLM\SYSTEM\ControlSet002\Services\gnfhjqops@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\gnfhjqops@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\gnfhjqops@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\gnfhjqops@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\gnfhjqops@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\gnfhjqops@Description Provides support for the Program Compatibility Assistant. If this service is stopped, the Program Compatibility Assistant will not function properly. If this service is disabled, any services that depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\gnfhjqops\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gnfhjqops\Parameters@ServiceDll C:\Windows\system32\fyxegtbu.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gnfhjqops@DisplayName Microsoft Boot
Reg HKLM\SYSTEM\ControlSet003\Services\gnfhjqops@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\gnfhjqops@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\gnfhjqops@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\gnfhjqops@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\gnfhjqops@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\gnfhjqops@Description Provides support for the Program Compatibility Assistant. If this service is stopped, the Program Compatibility Assistant will not function properly. If this service is disabled, any services that depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet003\Services\gnfhjqops\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gnfhjqops\Parameters@ServiceDll C:\Windows\system32\fyxegtbu.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gnfhjqops@DisplayName Microsoft Boot
Reg HKLM\SYSTEM\ControlSet004\Services\gnfhjqops@Type 32
Reg HKLM\SYSTEM\ControlSet004\Services\gnfhjqops@Start 2
Reg HKLM\SYSTEM\ControlSet004\Services\gnfhjqops@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\gnfhjqops@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet004\Services\gnfhjqops@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet004\Services\gnfhjqops@Description Provides support for the Program Compatibility Assistant. If this service is stopped, the Program Compatibility Assistant will not function properly. If this service is disabled, any services that depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet004\Services\gnfhjqops\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gnfhjqops\Parameters@ServiceDll C:\Windows\system32\fyxegtbu.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gnfhjqops@DisplayName Microsoft Boot
Reg HKLM\SYSTEM\ControlSet005\Services\gnfhjqops@Type 32
Reg HKLM\SYSTEM\ControlSet005\Services\gnfhjqops@Start 2
Reg HKLM\SYSTEM\ControlSet005\Services\gnfhjqops@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet005\Services\gnfhjqops@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet005\Services\gnfhjqops@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet005\Services\gnfhjqops@Description Provides support for the Program Compatibility Assistant. If this service is stopped, the Program Compatibility Assistant will not function properly. If this service is disabled, any services that depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet005\Services\gnfhjqops\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gnfhjqops\Parameters@ServiceDll C:\Windows\system32\fyxegtbu.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gnfhjqops@DisplayName Microsoft Boot
Reg HKLM\SYSTEM\ControlSet006\Services\gnfhjqops@Type 32
Reg HKLM\SYSTEM\ControlSet006\Services\gnfhjqops@Start 2
Reg HKLM\SYSTEM\ControlSet006\Services\gnfhjqops@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet006\Services\gnfhjqops@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet006\Services\gnfhjqops@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet006\Services\gnfhjqops@Description Provides support for the Program Compatibility Assistant. If this service is stopped, the Program Compatibility Assistant will not function properly. If this service is disabled, any services that depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet006\Services\gnfhjqops\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\gnfhjqops\Parameters@ServiceDll C:\Windows\system32\fyxegtbu.dll
Reg HKLM\SYSTEM\ControlSet007\Services\gnfhjqops@DisplayName Microsoft Boot
Reg HKLM\SYSTEM\ControlSet007\Services\gnfhjqops@Type 32
Reg HKLM\SYSTEM\ControlSet007\Services\gnfhjqops@Start 2
Reg HKLM\SYSTEM\ControlSet007\Services\gnfhjqops@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet007\Services\gnfhjqops@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet007\Services\gnfhjqops@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet007\Services\gnfhjqops@Description Provides support for the Program Compatibility Assistant. If this service is stopped, the Program Compatibility Assistant will not function properly. If this service is disabled, any services that depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet007\Services\gnfhjqops\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gnfhjqops\Parameters@ServiceDll C:\Windows\system32\fyxegtbu.dll
Reg HKLM\SYSTEM\ControlSet008\Services\gnfhjqops@DisplayName Microsoft Boot
Reg HKLM\SYSTEM\ControlSet008\Services\gnfhjqops@Type 32
Reg HKLM\SYSTEM\ControlSet008\Services\gnfhjqops@Start 2
Reg HKLM\SYSTEM\ControlSet008\Services\gnfhjqops@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet008\Services\gnfhjqops@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet008\Services\gnfhjqops@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet008\Services\gnfhjqops@Description Provides support for the Program Compatibility Assistant. If this service is stopped, the Program Compatibility Assistant will not function properly. If this service is disabled, any services that depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet008\Services\gnfhjqops\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gnfhjqops\Parameters@ServiceDll C:\Windows\system32\fyxegtbu.dll
Reg HKLM\SYSTEM\ControlSet009\Services\gnfhjqops@DisplayName Microsoft Boot
Reg HKLM\SYSTEM\ControlSet009\Services\gnfhjqops@Type 32
Reg HKLM\SYSTEM\ControlSet009\Services\gnfhjqops@Start 2
Reg HKLM\SYSTEM\ControlSet009\Services\gnfhjqops@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet009\Services\gnfhjqops@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet009\Services\gnfhjqops@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet009\Services\gnfhjqops@Description Provides support for the Program Compatibility Assistant. If this service is stopped, the Program Compatibility Assistant will not function properly. If this service is disabled, any services that depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet009\Services\gnfhjqops\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\gnfhjqops\Parameters@ServiceDll C:\Windows\system32\fyxegtbu.dll

---- EOF - GMER 2.0 ----
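The Registry section above records one service, gnfhjqops, registered identically in ControlSet001 through ControlSet009: display name "Microsoft Boot", hosted by svchost.exe -k netsvcs as LocalSystem with auto-start (Start 2), ServiceDll C:\Windows\system32\fyxegtbu.dll, and a Description that is the text of the Program Compatibility Assistant service. The script below is an added example, not GMER output and not code from the original post: it parses GMER Reg lines as the tool saves them (one entry per line) and flags svchost-hosted services whose ServiceDll is outside an analyst-maintained baseline or whose Description belongs to a different Microsoft service. The two baseline tables and the PcaSvc entries in the sample are constructed assumptions (GMER did not list PcaSvc; it is included only as a benign control), so extend the baselines from a clean reference machine of the same build before trusting a clean result.

```python
"""Triage GMER 'Reg' entries for svchost-hosted service persistence.

Added example, not GMER code. The baseline tables are partial assumptions;
an analyst fills them from a clean reference machine of the same build.
"""
import re

REG_LINE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>ControlSet\d{3})\\Services\\"
    r"(?P<svc>[^\\@\s]+)(?:\\Parameters)?"
    r"(?:@(?P<name>[^\s@]+)\s+(?P<value>.*)|\s+\(.*\))?$"
)
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\S+)", re.IGNORECASE)

# Assumed baselines (illustrative, deliberately small).
KNOWN_DESCRIPTION_OWNER = {
    "Provides support for the Program Compatibility Assistant.": "PcaSvc",
}
KNOWN_NETSVCS_DLLS = {"pcasvc.dll", "wuaueng.dll", "qmgr.dll", "schedsvc.dll"}

# Constructed sample: gnfhjqops entries from the log for two ControlSets, plus
# PcaSvc entries written by hand as a benign control (not present in the real log).
SAMPLE_LOG = r"""
Reg HKLM\SYSTEM\ControlSet001\Services\gnfhjqops@DisplayName Microsoft Boot
Reg HKLM\SYSTEM\ControlSet001\Services\gnfhjqops@Type 32
Reg HKLM\SYSTEM\ControlSet001\Services\gnfhjqops@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\gnfhjqops@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\gnfhjqops@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet001\Services\gnfhjqops@Description Provides support for the Program Compatibility Assistant. If this service is stopped, the Program Compatibility Assistant will not function properly.
Reg HKLM\SYSTEM\ControlSet001\Services\gnfhjqops\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gnfhjqops\Parameters@ServiceDll C:\Windows\system32\fyxegtbu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gnfhjqops@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\gnfhjqops\Parameters@ServiceDll C:\Windows\system32\fyxegtbu.dll
Reg HKLM\SYSTEM\ControlSet001\Services\PcaSvc@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\PcaSvc@Description Provides support for the Program Compatibility Assistant. If this service is stopped, the Program Compatibility Assistant will not function properly.
Reg HKLM\SYSTEM\ControlSet001\Services\PcaSvc\Parameters@ServiceDll %SystemRoot%\system32\pcasvc.dll
"""


def parse_gmer_registry(text):
    """Return {(controlset, service): {valuename: value}} from GMER 'Reg' lines."""
    services = {}
    for raw in text.splitlines():
        m = REG_LINE.match(raw.strip())
        if not m:
            continue  # hook entries, IAT entries, section headers, EOF marker
        values = services.setdefault((m["cs"], m["svc"]), {})
        if m["name"]:  # bare subkey lines such as '\Parameters (...)' carry no value
            values[m["name"]] = m["value"].strip()
    return services


def first_sentence(description):
    return description.split(". ", 1)[0].rstrip(".") + "."


def assess_service(name, values):
    """Reasons a svchost-hosted service deserves a look; empty list if none."""
    host = SVCHOST_RE.search(values.get("ImagePath", ""))
    dll = values.get("ServiceDll")
    if not host or not dll:
        return []  # only svchost-hosted services are in scope here
    reasons = []
    base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if host["group"].lower() == "netsvcs" and base not in KNOWN_NETSVCS_DLLS:
        reasons.append(f"ServiceDll {base} is not in the netsvcs baseline (verify signature and hash)")
    description = values.get("Description", "")
    owner = KNOWN_DESCRIPTION_OWNER.get(first_sentence(description)) if description else None
    if owner and owner.lower() != name.lower():
        reasons.append(f"Description is the text of {owner}, not of {name}")
    # Context only: true of many legitimate services, so reported just beside a real indicator.
    if reasons and values.get("Start") == "2" and values.get("ObjectName", "").lower() == "localsystem":
        reasons.append("auto-start as LocalSystem")
    return reasons


def triage(text):
    """Flagged services merged across ControlSets:
    {service: {"control_sets": [...], "service_dll": str, "reasons": [...]}}."""
    report = {}
    for (cs, svc), values in sorted(parse_gmer_registry(text).items()):
        reasons = assess_service(svc, values)
        if not reasons:
            continue
        entry = report.setdefault(svc, {"control_sets": [], "service_dll": values["ServiceDll"], "reasons": []})
        entry["control_sets"].append(cs)
        for reason in reasons:
            if reason not in entry["reasons"]:
                entry["reasons"].append(reason)
    return report


if __name__ == "__main__":
    for svc, entry in triage(SAMPLE_LOG).items():
        print(f"{svc}: {entry['service_dll']} in {', '.join(entry['control_sets'])}")
        for reason in entry["reasons"]:
            print(f"  - {reason}")
```

Run it against a full GMER log by replacing SAMPLE_LOG with the file contents; every non-Reg line is ignored, so the hook and IAT sections need no pre-filtering. The description check is the one that does not depend on a DLL allowlist: a service key whose Description is verbatim another Microsoft service's text, while its key name and ServiceDll are not that service's, is the pattern to chase regardless of how the DLL is named.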