GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-01 21:50:47 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB4O 465,76GB Running: bmuztts0.exe; Driver: C:\Users\evik\AppData\Local\Temp\fwldikob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800031ab000 64 bytes [00, 00, 33, 00, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 626 fffff800031ab042 4 bytes [00, 00, 00, 00] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[564] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776aeecd 1 byte [62] .text C:\Windows\system32\services.exe[632] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776aeecd 1 byte [62] .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776aeecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[716] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776aeecd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776aeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776aeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[280] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[408] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[624] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776aeecd 1 byte [62] .text C:\Windows\Explorer.EXE[1440] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776aeecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1636] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776aeecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1728] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007735a30a 1 byte [62] .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2000] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007735a30a 1 byte [62] .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[2032] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776aeecd 1 byte [62] .text C:\Program Files (x86)\Packard Bell\Registration\GREGsvc.exe[1072] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007735a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1396] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007735a30a 1 byte [62] .text C:\Program Files (x86)\NewTech Infosystems\Packard Bell MyBackup\IScheduleSvc.exe[1760] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007735a30a 1 byte [62] .text C:\Program Files (x86)\NewTech Infosystems\Packard Bell MyBackup\IScheduleSvc.exe[1760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ac1465 2 bytes [AC, 76] .text C:\Program Files (x86)\NewTech Infosystems\Packard Bell MyBackup\IScheduleSvc.exe[1760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ac14bb 2 bytes [AC, 76] .text ... * 2 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2156] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007735a30a 1 byte [62] .text C:\Windows\system32\svchost.exe[2180] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776aeecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2324] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007735a30a 1 byte [62] .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 0000000100030600 .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 0000000100030804 .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 0000000100030a08 .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a71900 5 bytes JMP 0000000100030e10 .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001000303fc .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007735a30a 1 byte [62] .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007749ee09 5 bytes JMP 00000001000a01f8 .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000774a3982 5 bytes JMP 00000001000a03fc .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000774a7603 5 bytes JMP 00000001000a0804 .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000774a835c 5 bytes JMP 00000001000a0600 .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000774bf52b 5 bytes JMP 00000001000a0a08 .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076e05181 5 bytes JMP 0000000100131014 .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076e05254 5 bytes JMP 0000000100130804 .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076e053d5 5 bytes JMP 0000000100130a08 .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076e054c2 5 bytes JMP 0000000100130c0c .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076e055e2 5 bytes JMP 0000000100130e10 .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076e0567c 5 bytes JMP 00000001001301f8 .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076e0589f 5 bytes JMP 00000001001303fc .text C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe[2416] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076e05a22 5 bytes JMP 0000000100130600 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2448] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010019075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2448] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001001903a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2448] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100190b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2448] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100190ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 000000010019163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2448] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100191284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 00000001001919f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2448] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000776aeecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2448] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff116e00 5 bytes JMP 000007ff7f131dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff116f2c 5 bytes JMP 000007ff7f130ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff117220 5 bytes JMP 000007ff7f131284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff11739c 5 bytes JMP 000007ff7f13163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff117538 5 bytes JMP 000007ff7f1319f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2448] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1175e8 5 bytes JMP 000007ff7f1303a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2448] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff11790c 5 bytes JMP 000007ff7f13075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2448] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff117ab4 5 bytes JMP 000007ff7f130b14 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010037075c .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001003703a4 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100370b14 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100370ecc .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 000000010037163c .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100371284 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 00000001003719f4 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff116e00 5 bytes JMP 000007ff7f131dac .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff116f2c 5 bytes JMP 000007ff7f130ecc .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff117220 5 bytes JMP 000007ff7f131284 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff11739c 5 bytes JMP 000007ff7f13163c .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff117538 5 bytes JMP 000007ff7f1319f4 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1175e8 5 bytes JMP 000007ff7f1303a4 .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff11790c 5 bytes JMP 000007ff7f13075c .text C:\Windows\system32\svchost.exe[2472] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff117ab4 5 bytes JMP 000007ff7f130b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2568] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff116e00 5 bytes JMP 000007ff7f131dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff116f2c 5 bytes JMP 000007ff7f130ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff117220 5 bytes JMP 000007ff7f131284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff11739c 5 bytes JMP 000007ff7f13163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff117538 5 bytes JMP 000007ff7f1319f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2568] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1175e8 5 bytes JMP 000007ff7f1303a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2568] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff11790c 5 bytes JMP 000007ff7f13075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2568] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff117ab4 5 bytes JMP 000007ff7f130b14 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a71900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007735a30a 1 byte [62] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076e05181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076e05254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076e053d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076e054c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076e055e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076e0567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076e0589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076e05a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007749ee09 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000774a3982 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000774a7603 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000774a835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2732] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000774bf52b 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a71900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007735a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076e05181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076e05254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076e053d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076e054c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076e055e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076e0567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076e0589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076e05a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007749ee09 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000774a3982 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000774a7603 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000774a835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000774bf52b 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ac1465 2 bytes [AC, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ac14bb 2 bytes [AC, 76] .text ... * 2 .text C:\Windows\system32\svchost.exe[3336] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff116e00 5 bytes JMP 000007ff7f131dac .text C:\Windows\system32\svchost.exe[3336] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff116f2c 5 bytes JMP 000007ff7f130ecc .text C:\Windows\system32\svchost.exe[3336] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff117220 5 bytes JMP 000007ff7f131284 .text C:\Windows\system32\svchost.exe[3336] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff11739c 5 bytes JMP 000007ff7f13163c .text C:\Windows\system32\svchost.exe[3336] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff117538 5 bytes JMP 000007ff7f1319f4 .text C:\Windows\system32\svchost.exe[3336] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1175e8 5 bytes JMP 000007ff7f1303a4 .text C:\Windows\system32\svchost.exe[3336] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff11790c 5 bytes JMP 000007ff7f13075c .text C:\Windows\system32\svchost.exe[3336] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff117ab4 5 bytes JMP 000007ff7f130b14 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 00000001002b075c .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001002b03a4 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 00000001002b0b14 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 00000001002b0ecc .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 00000001002b163c .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 00000001002b1284 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 00000001002b19f4 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff116e00 5 bytes JMP 000007ff7f131dac .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff116f2c 5 bytes JMP 000007ff7f130ecc .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff117220 5 bytes JMP 000007ff7f131284 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff11739c 5 bytes JMP 000007ff7f13163c .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff117538 5 bytes JMP 000007ff7f1319f4 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1175e8 5 bytes JMP 000007ff7f1303a4 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff11790c 5 bytes JMP 000007ff7f13075c .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff117ab4 5 bytes JMP 000007ff7f130b14 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a71900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007735a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076e05181 5 bytes JMP 0000000100191014 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076e05254 5 bytes JMP 0000000100190804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076e053d5 5 bytes JMP 0000000100190a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076e054c2 5 bytes JMP 0000000100190c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076e055e2 5 bytes JMP 0000000100190e10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076e0567c 5 bytes JMP 00000001001901f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076e0589f 5 bytes JMP 00000001001903fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076e05a22 5 bytes JMP 0000000100190600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007749ee09 5 bytes JMP 00000001001a01f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000774a3982 5 bytes JMP 00000001001a03fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000774a7603 5 bytes JMP 00000001001a0804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000774a835c 5 bytes JMP 00000001001a0600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1632] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000774bf52b 5 bytes JMP 00000001001a0a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a71900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007735a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076e05181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076e05254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076e053d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076e054c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076e055e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076e0567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076e0589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076e05a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007749ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000774a3982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000774a7603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000774a835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000774bf52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ac1465 2 bytes [AC, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ac14bb 2 bytes [AC, 76] .text ... * 2 .text C:\Windows\System32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010026075c .text C:\Windows\System32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001002603a4 .text C:\Windows\System32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100260b14 .text C:\Windows\System32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100260ecc .text C:\Windows\System32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 5 bytes JMP 000000010026163c .text C:\Windows\System32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100261284 .text C:\Windows\System32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c2840 5 bytes JMP 00000001002619f4 .text C:\Windows\System32\svchost.exe[3160] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff116e00 5 bytes JMP 000007ff7f131dac .text C:\Windows\System32\svchost.exe[3160] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff116f2c 5 bytes JMP 000007ff7f130ecc .text C:\Windows\System32\svchost.exe[3160] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff117220 5 bytes JMP 000007ff7f131284 .text C:\Windows\System32\svchost.exe[3160] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff11739c 5 bytes JMP 000007ff7f13163c .text C:\Windows\System32\svchost.exe[3160] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff117538 5 bytes JMP 000007ff7f1319f4 .text C:\Windows\System32\svchost.exe[3160] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1175e8 5 bytes JMP 000007ff7f1303a4 .text C:\Windows\System32\svchost.exe[3160] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff11790c 5 bytes JMP 000007ff7f13075c .text C:\Windows\System32\svchost.exe[3160] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff117ab4 5 bytes JMP 000007ff7f130b14 .text C:\Windows\System32\svchost.exe[3160] C:\Windows\system32\USER32.dll!UnhookWinEvent 0000000077778550 5 bytes JMP 000000010031075c .text C:\Windows\System32\svchost.exe[3160] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 000000007777d440 5 bytes JMP 0000000100311284 .text C:\Windows\System32\svchost.exe[3160] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007777f874 5 bytes JMP 0000000100310ecc .text C:\Windows\System32\svchost.exe[3160] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077784d4c 5 bytes JMP 00000001003103a4 .text C:\Windows\System32\svchost.exe[3160] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077798c20 5 bytes JMP 0000000100310b14 .text C:\Windows\system32\AUDIODG.EXE[1492] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 00000000776aeecd 1 byte [62] .text C:\Users\evik\Desktop\miotla\bmuztts0.exe[916] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007735a30a 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3360:3848] 000007fefea00168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3360:3864] 000007fefbc42a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3360:3920] 000007fef8a05124 Thread C:\Windows\System32\svchost.exe [3160:3712] 000007fef3939688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 13 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 46466 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition3\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 13 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 46466 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition3\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. ---- EOF - GMER 2.1 ----