GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-30 14:56:15 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000064 ST316081 rev.3.AA 149,05GB Running: 6iw6049q.exe; Driver: C:\Users\MICHA~1\AppData\Local\Temp\afrdrpoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[592] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Windows\system32\services.exe[648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[736] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[820] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[980] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[284] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[604] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1204] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1564] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1700] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000755aa30a 1 byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1752] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1808] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000755aa30a 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1828] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000755aa30a 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074fa1465 2 bytes [FA, 74] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074fa14bb 2 bytes [FA, 74] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrA.exe[1864] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000755aa30a 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1864] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072d31a22 2 bytes [D3, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[1864] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072d31ad0 2 bytes [D3, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[1864] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072d31b08 2 bytes [D3, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[1864] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072d31bba 2 bytes [D3, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[1864] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072d31bda 2 bytes [D3, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[1864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074fa1465 2 bytes [FA, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074fa14bb 2 bytes [FA, 74] .text ... * 2 .text C:\Windows\system32\svchost.exe[1892] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076dc3ae0 5 bytes JMP 000000010024075c .text C:\Windows\system32\svchost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076dc7a90 5 bytes JMP 00000001002403a4 .text C:\Windows\system32\svchost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076df1490 5 bytes JMP 0000000100240b14 .text C:\Windows\system32\svchost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076df14f0 5 bytes JMP 0000000100240ecc .text C:\Windows\system32\svchost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076df15d0 5 bytes JMP 000000010024163c .text C:\Windows\system32\svchost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076df1810 5 bytes JMP 0000000100241284 .text C:\Windows\system32\svchost.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076df2840 5 bytes JMP 00000001002419f4 .text C:\Windows\system32\svchost.exe[2704] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2704] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Windows\system32\svchost.exe[2704] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Windows\system32\svchost.exe[2704] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Windows\system32\svchost.exe[2704] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Windows\system32\svchost.exe[2704] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Windows\system32\svchost.exe[2704] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Windows\system32\svchost.exe[2704] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Windows\system32\svchost.exe[2704] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Windows\system32\taskhost.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076dc3ae0 5 bytes JMP 00000001003d075c .text C:\Windows\system32\taskhost.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076dc7a90 5 bytes JMP 00000001003d03a4 .text C:\Windows\system32\taskhost.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076df1490 5 bytes JMP 00000001003d0b14 .text C:\Windows\system32\taskhost.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076df14f0 5 bytes JMP 00000001003d0ecc .text C:\Windows\system32\taskhost.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076df15d0 5 bytes JMP 00000001003d163c .text C:\Windows\system32\taskhost.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076df1810 5 bytes JMP 00000001003d1284 .text C:\Windows\system32\taskhost.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076df2840 5 bytes JMP 00000001003d19f4 .text C:\Windows\system32\taskhost.exe[2404] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2404] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Windows\system32\taskhost.exe[2404] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Windows\system32\taskhost.exe[2404] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Windows\system32\taskhost.exe[2404] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Windows\system32\taskhost.exe[2404] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Windows\system32\taskhost.exe[2404] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Windows\system32\taskhost.exe[2404] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Windows\system32\taskhost.exe[2404] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Windows\system32\Dwm.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076dc3ae0 5 bytes JMP 000000010018075c .text C:\Windows\system32\Dwm.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076dc7a90 5 bytes JMP 00000001001803a4 .text C:\Windows\system32\Dwm.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076df1490 5 bytes JMP 0000000100180b14 .text C:\Windows\system32\Dwm.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076df14f0 5 bytes JMP 0000000100180ecc .text C:\Windows\system32\Dwm.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076df15d0 5 bytes JMP 000000010018163c .text C:\Windows\system32\Dwm.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076df1810 5 bytes JMP 0000000100181284 .text C:\Windows\system32\Dwm.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076df2840 5 bytes JMP 00000001001819f4 .text C:\Windows\system32\Dwm.exe[2972] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Windows\system32\Dwm.exe[2972] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Windows\system32\Dwm.exe[2972] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Windows\system32\Dwm.exe[2972] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Windows\system32\Dwm.exe[2972] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Windows\system32\Dwm.exe[2972] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Windows\system32\Dwm.exe[2972] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Windows\system32\Dwm.exe[2972] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f9faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f9fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f9fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fa0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fa1900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fbc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fc1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000755aa30a 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007666f0e6 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076673907 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076678364 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766806b3 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076690efc 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076ad5181 5 bytes JMP 0000000100111014 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076ad5254 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076ad53d5 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076ad54c2 5 bytes JMP 0000000100110c0c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076ad55e2 5 bytes JMP 0000000100110e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076ad567c 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076ad589f 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2984] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076ad5a22 5 bytes JMP 0000000100110600 .text C:\Windows\Explorer.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076dc3ae0 5 bytes JMP 000000010011075c .text C:\Windows\Explorer.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076dc7a90 5 bytes JMP 00000001001103a4 .text C:\Windows\Explorer.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076df1490 5 bytes JMP 0000000100110b14 .text C:\Windows\Explorer.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076df14f0 5 bytes JMP 0000000100110ecc .text C:\Windows\Explorer.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076df15d0 5 bytes JMP 000000010011163c .text C:\Windows\Explorer.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076df1810 5 bytes JMP 0000000100111284 .text C:\Windows\Explorer.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076df2840 5 bytes JMP 00000001001119f4 .text C:\Windows\Explorer.EXE[2500] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Windows\Explorer.EXE[2500] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Windows\Explorer.EXE[2500] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Windows\Explorer.EXE[2500] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Windows\Explorer.EXE[2500] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Windows\Explorer.EXE[2500] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Windows\Explorer.EXE[2500] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Windows\Explorer.EXE[2500] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Windows\Explorer.EXE[2500] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076dc3ae0 5 bytes JMP 000000010035075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076dc7a90 5 bytes JMP 00000001003503a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076df1490 5 bytes JMP 0000000100350b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076df14f0 5 bytes JMP 0000000100350ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076df15d0 5 bytes JMP 000000010035163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076df1810 5 bytes JMP 0000000100351284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076df2840 5 bytes JMP 00000001003519f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2872] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2872] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2872] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2872] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2872] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2872] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2872] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2872] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2872] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076dc3ae0 5 bytes JMP 00000001001c075c .text C:\Program Files\Windows Sidebar\sidebar.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076dc7a90 5 bytes JMP 00000001001c03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076df1490 5 bytes JMP 00000001001c0b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076df14f0 5 bytes JMP 00000001001c0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076df15d0 5 bytes JMP 00000001001c163c .text C:\Program Files\Windows Sidebar\sidebar.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076df1810 5 bytes JMP 00000001001c1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076df2840 5 bytes JMP 00000001001c19f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[2680] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[2680] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Program Files\Windows Sidebar\sidebar.exe[2680] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[2680] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[2680] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Program Files\Windows Sidebar\sidebar.exe[2680] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[2680] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[2680] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Program Files\Windows Sidebar\sidebar.exe[2680] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2436] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000755aa30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f9faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f9fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f9fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fa0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fa1900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fbc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fc1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000755aa30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076ad5181 5 bytes JMP 00000001003d1014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076ad5254 5 bytes JMP 00000001003d0804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076ad53d5 5 bytes JMP 00000001003d0a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076ad54c2 5 bytes JMP 00000001003d0c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076ad55e2 5 bytes JMP 00000001003d0e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076ad567c 5 bytes JMP 00000001003d01f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076ad589f 5 bytes JMP 00000001003d03fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076ad5a22 5 bytes JMP 00000001003d0600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007666f0e6 5 bytes JMP 00000001003e01f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076673907 5 bytes JMP 00000001003e03fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076678364 5 bytes JMP 00000001003e0600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766806b3 5 bytes JMP 00000001003e0804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1032] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076690efc 5 bytes JMP 00000001003e0a08 .text C:\Windows\system32\SearchIndexer.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076dc3ae0 5 bytes JMP 000000010018075c .text C:\Windows\system32\SearchIndexer.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076dc7a90 5 bytes JMP 00000001001803a4 .text C:\Windows\system32\SearchIndexer.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076df1490 5 bytes JMP 0000000100180b14 .text C:\Windows\system32\SearchIndexer.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076df14f0 5 bytes JMP 0000000100180ecc .text C:\Windows\system32\SearchIndexer.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076df15d0 5 bytes JMP 000000010018163c .text C:\Windows\system32\SearchIndexer.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076df1810 5 bytes JMP 0000000100181284 .text C:\Windows\system32\SearchIndexer.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076df2840 5 bytes JMP 00000001001819f4 .text C:\Windows\system32\SearchIndexer.exe[3856] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3856] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Windows\system32\SearchIndexer.exe[3856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Windows\system32\SearchIndexer.exe[3856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Windows\system32\SearchIndexer.exe[3856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Windows\system32\SearchIndexer.exe[3856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Windows\system32\SearchIndexer.exe[3856] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Windows\system32\SearchIndexer.exe[3856] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Windows\system32\SearchIndexer.exe[3856] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3164] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cdeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076dc3ae0 5 bytes JMP 000000010017075c .text C:\Windows\System32\svchost.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076dc7a90 5 bytes JMP 00000001001703a4 .text C:\Windows\System32\svchost.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076df1490 5 bytes JMP 0000000100170b14 .text C:\Windows\System32\svchost.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076df14f0 5 bytes JMP 0000000100170ecc .text C:\Windows\System32\svchost.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076df15d0 5 bytes JMP 000000010017163c .text C:\Windows\System32\svchost.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076df1810 5 bytes JMP 0000000100171284 .text C:\Windows\System32\svchost.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076df2840 5 bytes JMP 00000001001719f4 .text C:\Windows\System32\svchost.exe[3820] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Windows\System32\svchost.exe[3820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Windows\System32\svchost.exe[3820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Windows\System32\svchost.exe[3820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Windows\System32\svchost.exe[3820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Windows\System32\svchost.exe[3820] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Windows\System32\svchost.exe[3820] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Windows\System32\svchost.exe[3820] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076dc3ae0 5 bytes JMP 000000010038075c .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076dc7a90 5 bytes JMP 00000001003803a4 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076df1490 5 bytes JMP 0000000100380b14 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076df14f0 5 bytes JMP 0000000100380ecc .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076df15d0 5 bytes JMP 000000010038163c .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076df1810 5 bytes JMP 0000000100381284 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076df2840 5 bytes JMP 00000001003819f4 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Windows\system32\wuauclt.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076dc3ae0 5 bytes JMP 00000001002a075c .text C:\Windows\system32\wuauclt.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076dc7a90 5 bytes JMP 00000001002a03a4 .text C:\Windows\system32\wuauclt.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076df1490 5 bytes JMP 00000001002a0b14 .text C:\Windows\system32\wuauclt.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076df14f0 5 bytes JMP 00000001002a0ecc .text C:\Windows\system32\wuauclt.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076df15d0 5 bytes JMP 00000001002a163c .text C:\Windows\system32\wuauclt.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076df1810 5 bytes JMP 00000001002a1284 .text C:\Windows\system32\wuauclt.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076df2840 5 bytes JMP 00000001002a19f4 .text C:\Windows\system32\wuauclt.exe[5036] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe2b6e00 5 bytes JMP 000007ff7e2d1dac .text C:\Windows\system32\wuauclt.exe[5036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe2b6f2c 5 bytes JMP 000007ff7e2d0ecc .text C:\Windows\system32\wuauclt.exe[5036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe2b7220 5 bytes JMP 000007ff7e2d1284 .text C:\Windows\system32\wuauclt.exe[5036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe2b739c 5 bytes JMP 000007ff7e2d163c .text C:\Windows\system32\wuauclt.exe[5036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe2b7538 5 bytes JMP 000007ff7e2d19f4 .text C:\Windows\system32\wuauclt.exe[5036] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe2b75e8 5 bytes JMP 000007ff7e2d03a4 .text C:\Windows\system32\wuauclt.exe[5036] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe2b790c 5 bytes JMP 000007ff7e2d075c .text C:\Windows\system32\wuauclt.exe[5036] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe2b7ab4 5 bytes JMP 000007ff7e2d0b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f9faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f9fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f9fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fa0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fa1900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fbc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fc1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000755aa30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007666f0e6 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076673907 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076678364 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766806b3 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076690efc 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076ad5181 5 bytes JMP 0000000100221014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076ad5254 5 bytes JMP 0000000100220804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076ad53d5 5 bytes JMP 0000000100220a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076ad54c2 5 bytes JMP 0000000100220c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076ad55e2 5 bytes JMP 0000000100220e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076ad567c 5 bytes JMP 00000001002201f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076ad589f 5 bytes JMP 00000001002203fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076ad5a22 5 bytes JMP 0000000100220600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074fa1465 2 bytes [FA, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074fa14bb 2 bytes [FA, 74] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [4468] entry point in ".rdata" section 00000000744071e6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076f9f991 7 bytes {MOV EDX, 0x285628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f9faa0 5 bytes JMP 0000000100310600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f9fb38 5 bytes JMP 0000000100310804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076f9fbd5 7 bytes {MOV EDX, 0x285668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076f9fc05 7 bytes {MOV EDX, 0x2855a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076f9fc1d 7 bytes {MOV EDX, 0x285528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076f9fc35 7 bytes {MOV EDX, 0x285728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076f9fc65 7 bytes {MOV EDX, 0x285768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f9fc90 5 bytes JMP 0000000100310c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076f9fce5 7 bytes {MOV EDX, 0x2856e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076f9fcfd 7 bytes {MOV EDX, 0x2856a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076f9fd49 7 bytes {MOV EDX, 0x285468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076f9fe41 7 bytes {MOV EDX, 0x2854a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fa0018 5 bytes JMP 0000000100310a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fa0099 7 bytes {MOV EDX, 0x285428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fa10a5 7 bytes {MOV EDX, 0x2855e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fa111d 7 bytes {MOV EDX, 0x285568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fa1321 7 bytes {MOV EDX, 0x2854e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fa1900 5 bytes JMP 0000000100310e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fbc45a 5 bytes JMP 00000001003101f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fc1217 5 bytes JMP 00000001003103fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000755aa30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007666f0e6 5 bytes JMP 00000001003201f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076673907 5 bytes JMP 00000001003203fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076678364 5 bytes JMP 0000000100320600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766806b3 5 bytes JMP 0000000100320804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076690efc 5 bytes JMP 0000000100320a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076ad5181 5 bytes JMP 00000001003e1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076ad5254 5 bytes JMP 00000001003e0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076ad53d5 5 bytes JMP 00000001003e0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076ad54c2 5 bytes JMP 00000001003e0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076ad55e2 5 bytes JMP 00000001003e0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076ad567c 5 bytes JMP 00000001003e01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076ad589f 5 bytes JMP 00000001003e03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076ad5a22 5 bytes JMP 00000001003e0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074fa1465 2 bytes [FA, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074fa14bb 2 bytes [FA, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076f9f991 7 bytes {MOV EDX, 0x469628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f9faa0 5 bytes JMP 00000001004c0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f9fb38 5 bytes JMP 00000001004c0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076f9fbd5 7 bytes {MOV EDX, 0x469668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076f9fc05 7 bytes {MOV EDX, 0x4695a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076f9fc1d 7 bytes {MOV EDX, 0x469528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076f9fc35 7 bytes {MOV EDX, 0x469728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076f9fc65 7 bytes {MOV EDX, 0x469768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f9fc90 5 bytes JMP 00000001004c0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076f9fce5 7 bytes {MOV EDX, 0x4696e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076f9fcfd 7 bytes {MOV EDX, 0x4696a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076f9fd49 7 bytes {MOV EDX, 0x469468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076f9fe41 7 bytes {MOV EDX, 0x4694a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fa0018 5 bytes JMP 00000001004c0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fa0099 7 bytes {MOV EDX, 0x469428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fa10a5 7 bytes {MOV EDX, 0x4695e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fa111d 7 bytes {MOV EDX, 0x469568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fa1321 7 bytes {MOV EDX, 0x4694e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fa1900 5 bytes JMP 00000001004c0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fbc45a 5 bytes JMP 00000001004c01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fc1217 5 bytes JMP 00000001004c03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000755aa30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007666f0e6 5 bytes JMP 00000001004d01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076673907 5 bytes JMP 00000001004d03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076678364 5 bytes JMP 00000001004d0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766806b3 5 bytes JMP 00000001004d0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076690efc 5 bytes JMP 00000001004d0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076ad5181 5 bytes JMP 0000000100521014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076ad5254 5 bytes JMP 0000000100520804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076ad53d5 5 bytes JMP 0000000100520a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076ad54c2 5 bytes JMP 0000000100520c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076ad55e2 5 bytes JMP 0000000100520e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076ad567c 5 bytes JMP 00000001005201f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076ad589f 5 bytes JMP 00000001005203fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076ad5a22 5 bytes JMP 0000000100520600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074fa1465 2 bytes [FA, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074fa14bb 2 bytes [FA, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076f9f991 7 bytes {MOV EDX, 0xc21a28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f9faa0 5 bytes JMP 0000000100e70600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f9fb38 5 bytes JMP 0000000100e70804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076f9fbd5 7 bytes {MOV EDX, 0xc21a68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076f9fc05 7 bytes {MOV EDX, 0xc219a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076f9fc1d 7 bytes {MOV EDX, 0xc21928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076f9fc35 7 bytes {MOV EDX, 0xc21b28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076f9fc65 7 bytes {MOV EDX, 0xc21b68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f9fc90 5 bytes JMP 0000000100e70c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076f9fce5 7 bytes {MOV EDX, 0xc21ae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076f9fcfd 7 bytes {MOV EDX, 0xc21aa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076f9fd49 7 bytes {MOV EDX, 0xc21868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076f9fe41 7 bytes {MOV EDX, 0xc218a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fa0018 5 bytes JMP 0000000100e70a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fa0099 7 bytes {MOV EDX, 0xc21828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fa10a5 7 bytes {MOV EDX, 0xc219e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fa111d 7 bytes {MOV EDX, 0xc21968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fa1321 7 bytes {MOV EDX, 0xc218e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fa1900 5 bytes JMP 0000000100e70e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fbc45a 5 bytes JMP 0000000100e701f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fc1217 5 bytes JMP 0000000100e703fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000755aa30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007666f0e6 5 bytes JMP 0000000100e801f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076673907 5 bytes JMP 0000000100e803fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076678364 5 bytes JMP 0000000100e80600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766806b3 5 bytes JMP 0000000100e80804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076690efc 5 bytes JMP 0000000100e80a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076ad5181 5 bytes JMP 0000000100e91014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076ad5254 5 bytes JMP 0000000100e90804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076ad53d5 5 bytes JMP 0000000100e90a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076ad54c2 5 bytes JMP 0000000100e90c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076ad55e2 5 bytes JMP 0000000100e90e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076ad567c 5 bytes JMP 0000000100e901f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076ad589f 5 bytes JMP 0000000100e903fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076ad5a22 5 bytes JMP 0000000100e90600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074fa1465 2 bytes [FA, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074fa14bb 2 bytes [FA, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076f9f991 7 bytes {MOV EDX, 0x8a8628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f9faa0 5 bytes JMP 00000001008f0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f9fb38 5 bytes JMP 00000001008f0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076f9fbd5 7 bytes {MOV EDX, 0x8a8668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076f9fc05 7 bytes {MOV EDX, 0x8a85a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076f9fc1d 7 bytes {MOV EDX, 0x8a8528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076f9fc35 7 bytes {MOV EDX, 0x8a8728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076f9fc65 7 bytes {MOV EDX, 0x8a8768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f9fc90 5 bytes JMP 00000001008f0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076f9fce5 7 bytes {MOV EDX, 0x8a86e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076f9fcfd 7 bytes {MOV EDX, 0x8a86a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076f9fd49 7 bytes {MOV EDX, 0x8a8468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076f9fe41 7 bytes {MOV EDX, 0x8a84a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fa0018 5 bytes JMP 00000001008f0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fa0099 7 bytes {MOV EDX, 0x8a8428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fa10a5 7 bytes {MOV EDX, 0x8a85e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fa111d 7 bytes {MOV EDX, 0x8a8568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fa1321 7 bytes {MOV EDX, 0x8a84e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fa1900 5 bytes JMP 00000001008f0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fbc45a 5 bytes JMP 00000001008f01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fc1217 5 bytes JMP 00000001008f03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000755aa30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007666f0e6 5 bytes JMP 00000001009801f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076673907 5 bytes JMP 00000001009803fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076678364 5 bytes JMP 0000000100980600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766806b3 5 bytes JMP 0000000100980804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076690efc 5 bytes JMP 0000000100980a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076ad5181 5 bytes JMP 0000000100991014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076ad5254 5 bytes JMP 0000000100990804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076ad53d5 5 bytes JMP 0000000100990a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076ad54c2 5 bytes JMP 0000000100990c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076ad55e2 5 bytes JMP 0000000100990e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076ad567c 5 bytes JMP 00000001009901f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076ad589f 5 bytes JMP 00000001009903fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076ad5a22 5 bytes JMP 0000000100990600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074fa1465 2 bytes [FA, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074fa14bb 2 bytes [FA, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076f9f991 7 bytes {MOV EDX, 0xe5b228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f9faa0 5 bytes JMP 0000000100f20600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f9fb38 5 bytes JMP 0000000100f20804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076f9fbd5 7 bytes {MOV EDX, 0xe5b268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076f9fc05 7 bytes {MOV EDX, 0xe5b1a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076f9fc1d 7 bytes {MOV EDX, 0xe5b128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076f9fc35 7 bytes {MOV EDX, 0xe5b328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076f9fc65 7 bytes {MOV EDX, 0xe5b368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f9fc90 5 bytes JMP 0000000100f20c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076f9fce5 7 bytes {MOV EDX, 0xe5b2e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076f9fcfd 7 bytes {MOV EDX, 0xe5b2a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076f9fd49 7 bytes {MOV EDX, 0xe5b068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076f9fe41 7 bytes {MOV EDX, 0xe5b0a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fa0018 5 bytes JMP 0000000100f20a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fa0099 7 bytes {MOV EDX, 0xe5b028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fa10a5 7 bytes {MOV EDX, 0xe5b1e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fa111d 7 bytes {MOV EDX, 0xe5b168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fa1321 7 bytes {MOV EDX, 0xe5b0e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fa1900 5 bytes JMP 0000000100f20e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fbc45a 5 bytes JMP 0000000100f201f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fc1217 5 bytes JMP 0000000100f203fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000755aa30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007666f0e6 5 bytes JMP 0000000100f301f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076673907 5 bytes JMP 0000000100f303fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076678364 3 bytes JMP 0000000100f30600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA + 4 0000000076678368 1 byte [8A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766806b3 3 bytes JMP 0000000100f30804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW + 4 00000000766806b7 1 byte [8A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076690efc 5 bytes JMP 0000000100f30a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076ad5181 5 bytes JMP 0000000100f41014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076ad5254 5 bytes JMP 0000000100f40804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076ad53d5 5 bytes JMP 0000000100f40a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076ad54c2 5 bytes JMP 0000000100f40c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076ad55e2 5 bytes JMP 0000000100f40e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076ad567c 5 bytes JMP 0000000100f401f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076ad589f 5 bytes JMP 0000000100f403fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076ad5a22 5 bytes JMP 0000000100f40600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074fa1465 2 bytes [FA, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074fa14bb 2 bytes [FA, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076f9f991 7 bytes {MOV EDX, 0x1022628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f9faa0 5 bytes JMP 0000000101170600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f9fb38 5 bytes JMP 0000000101170804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076f9fbd5 7 bytes {MOV EDX, 0x1022668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076f9fc05 7 bytes {MOV EDX, 0x10225a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076f9fc1d 7 bytes {MOV EDX, 0x1022528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076f9fc35 7 bytes {MOV EDX, 0x1022728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076f9fc65 7 bytes {MOV EDX, 0x1022768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f9fc90 5 bytes JMP 0000000101170c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076f9fce5 7 bytes {MOV EDX, 0x10226e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076f9fcfd 7 bytes {MOV EDX, 0x10226a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076f9fd49 7 bytes {MOV EDX, 0x1022468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076f9fe41 7 bytes {MOV EDX, 0x10224a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fa0018 5 bytes JMP 0000000101170a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fa0099 7 bytes {MOV EDX, 0x1022428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fa10a5 7 bytes {MOV EDX, 0x10225e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fa111d 7 bytes {MOV EDX, 0x1022568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fa1321 7 bytes {MOV EDX, 0x10224e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fa1900 5 bytes JMP 0000000101170e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fbc45a 5 bytes JMP 00000001011701f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fc1217 5 bytes JMP 00000001011703fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000755aa30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007666f0e6 5 bytes JMP 00000001011801f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076673907 5 bytes JMP 00000001011803fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076678364 5 bytes JMP 0000000101180600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766806b3 5 bytes JMP 0000000101180804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076690efc 5 bytes JMP 0000000101180a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076ad5181 5 bytes JMP 0000000101191014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076ad5254 5 bytes JMP 0000000101190804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076ad53d5 5 bytes JMP 0000000101190a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076ad54c2 5 bytes JMP 0000000101190c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076ad55e2 5 bytes JMP 0000000101190e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076ad567c 5 bytes JMP 00000001011901f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076ad589f 5 bytes JMP 00000001011903fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076ad5a22 5 bytes JMP 0000000101190600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074fa1465 2 bytes [FA, 74] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074fa14bb 2 bytes [FA, 74] .text ... * 2 .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f9faa0 5 bytes JMP 0000000100240600 .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f9fb38 5 bytes JMP 0000000100240804 .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f9fc90 5 bytes JMP 0000000100240c0c .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076fa0018 5 bytes JMP 0000000100240a08 .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076fa1900 5 bytes JMP 0000000100240e10 .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fbc45a 5 bytes JMP 00000001002401f8 .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fc1217 5 bytes JMP 00000001002403fc .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000755aa30a 1 byte [62] .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076ad5181 5 bytes JMP 0000000100251014 .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076ad5254 5 bytes JMP 0000000100250804 .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076ad53d5 5 bytes JMP 0000000100250a08 .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076ad54c2 5 bytes JMP 0000000100250c0c .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076ad55e2 5 bytes JMP 0000000100250e10 .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076ad567c 5 bytes JMP 00000001002501f8 .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076ad589f 5 bytes JMP 00000001002503fc .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076ad5a22 5 bytes JMP 0000000100250600 .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007666f0e6 5 bytes JMP 00000001002601f8 .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076673907 5 bytes JMP 00000001002603fc .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076678364 5 bytes JMP 0000000100260600 .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766806b3 5 bytes JMP 0000000100260804 .text C:\Users\Micha許Downloads\6iw6049q.exe[4364] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076690efc 5 bytes JMP 0000000100260a08 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3164:3236] 000007fefd120168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3164:2144] 000007fefafe2a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3164:2052] 000007fee9a8d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3164:2016] 000007fef8b45124 Thread C:\Windows\System32\svchost.exe [4624:5008] 000007fee8359688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. ---- EOF - GMER 2.1 ----