GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-11-20 23:21:53 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD32 rev.11.0 298.09GB Running: m57g1hli.exe; Driver: C:\Users\miko\AppData\Local\Temp\agrdrpow.sys ---- Kernel code sections - GMER 2.1 ---- PAGE C:\Windows\system32\drivers\ataport.SYS!DllUnload fffff8800121c4a0 12 bytes {MOV RAX, 0xfffffa80049da2a0; JMP RAX} .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88004464d8c 12 bytes {MOV RAX, 0xfffffa8006fbe2a0; JMP RAX} .text C:\Windows\System32\win32k.sys!EngSetLastError + 612 fffff960000e4e24 8 bytes [78, 3C, E3, 03, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000114100 7 bytes [C0, 92, F3, FF, 01, 9C, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 9 fffff96000114109 2 bytes [06, 02] .text ... * 108 .text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 392 fffff960001d2d0c 6 bytes {JMP QWORD [RIP-0x453a]} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077701360 5 bytes JMP 000000014a600460 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777013b0 5 bytes JMP 000000014a600450 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077701510 5 bytes JMP 000000014a600370 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077701560 5 bytes JMP 000000014a600470 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077701570 5 bytes JMP 000000014a6003e0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077701620 5 bytes JMP 000000014a600320 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077701650 5 bytes JMP 000000014a6003b0 .text 
C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077701670 5 bytes JMP 000000014a600390 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777016b0 5 bytes JMP 000000014a6002e0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077701730 5 bytes JMP 000000014a6002d0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077701750 5 bytes JMP 000000014a600310 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077701790 5 bytes JMP 000000014a6003c0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777017e0 5 bytes JMP 000000014a6003f0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077701940 5 bytes JMP 000000014a600230 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077701b00 5 bytes JMP 000000014a600480 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077701b30 5 bytes JMP 000000014a6003a0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077701c10 5 bytes JMP 000000014a6002f0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077701c20 5 bytes JMP 000000014a600350 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077701c80 5 bytes JMP 000000014a600290 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077701d10 5 bytes JMP 000000014a6002b0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077701d30 5 bytes JMP 000000014a6003d0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077701d40 5 bytes JMP 
000000014a600330 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077701db0 5 bytes JMP 000000014a600410 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077701de0 5 bytes JMP 000000014a600240 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777020a0 5 bytes JMP 000000014a6001e0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077702160 5 bytes JMP 000000014a600250 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077702190 5 bytes JMP 000000014a600490 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777021a0 5 bytes JMP 000000014a6004a0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777021d0 5 bytes JMP 000000014a600300 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777021e0 5 bytes JMP 000000014a600360 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077702240 5 bytes JMP 000000014a6002a0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077702290 5 bytes JMP 000000014a6002c0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777022c0 5 bytes JMP 000000014a600380 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777022d0 5 bytes JMP 000000014a600340 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777025c0 5 bytes JMP 000000014a600440 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777027c0 5 bytes JMP 000000014a600260 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 
00000000777027d0 5 bytes JMP 000000014a600270 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777027e0 5 bytes JMP 000000014a600400 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777029a0 5 bytes JMP 000000014a6001f0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777029b0 5 bytes JMP 000000014a600210 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077702a20 5 bytes JMP 000000014a600200 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077702a80 5 bytes JMP 000000014a600420 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077702a90 5 bytes JMP 000000014a600430 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077702aa0 5 bytes JMP 000000014a600220 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077702b80 5 bytes JMP 000000014a600280 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077701360 5 bytes JMP 000000014a600460 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777013b0 5 bytes JMP 000000014a600450 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077701510 5 bytes JMP 000000014a600370 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077701560 5 bytes JMP 000000014a600470 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077701570 5 bytes JMP 000000014a6003e0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077701620 5 bytes JMP 000000014a600320 .text C:\Windows\system32\csrss.exe[636] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077701650 5 bytes JMP 000000014a6003b0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077701670 5 bytes JMP 000000014a600390 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777016b0 5 bytes JMP 000000014a6002e0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077701730 5 bytes JMP 000000014a6002d0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077701750 5 bytes JMP 000000014a600310 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077701790 5 bytes JMP 000000014a6003c0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777017e0 5 bytes JMP 000000014a6003f0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077701940 5 bytes JMP 000000014a600230 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077701b00 5 bytes JMP 000000014a600480 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077701b30 5 bytes JMP 000000014a6003a0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077701c10 5 bytes JMP 000000014a6002f0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077701c20 5 bytes JMP 000000014a600350 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077701c80 5 bytes JMP 000000014a600290 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077701d10 5 bytes JMP 000000014a6002b0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077701d30 5 bytes JMP 000000014a6003d0 .text 
C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077701d40 5 bytes JMP 000000014a600330 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077701db0 5 bytes JMP 000000014a600410 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077701de0 5 bytes JMP 000000014a600240 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777020a0 5 bytes JMP 000000014a6001e0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077702160 5 bytes JMP 000000014a600250 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077702190 5 bytes JMP 000000014a600490 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777021a0 5 bytes JMP 000000014a6004a0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777021d0 5 bytes JMP 000000014a600300 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777021e0 5 bytes JMP 000000014a600360 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077702240 5 bytes JMP 000000014a6002a0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077702290 5 bytes JMP 000000014a6002c0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777022c0 5 bytes JMP 000000014a600380 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777022d0 5 bytes JMP 000000014a600340 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777025c0 5 bytes JMP 000000014a600440 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777027c0 5 bytes JMP 
000000014a600260 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777027d0 5 bytes JMP 000000014a600270 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777027e0 5 bytes JMP 000000014a600400 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777029a0 5 bytes JMP 000000014a6001f0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777029b0 5 bytes JMP 000000014a600210 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077702a20 5 bytes JMP 000000014a600200 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077702a80 5 bytes JMP 000000014a600420 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077702a90 5 bytes JMP 000000014a600430 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077702aa0 5 bytes JMP 000000014a600220 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077702b80 5 bytes JMP 000000014a600280 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077701360 5 bytes JMP 0000000077860460 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777013b0 5 bytes JMP 0000000077860450 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077701510 5 bytes JMP 0000000077860370 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077701560 5 bytes JMP 0000000077860470 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077701570 5 bytes JMP 00000000778603e0 .text C:\Windows\system32\services.exe[676] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077701620 5 bytes JMP 0000000077860320 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077701650 5 bytes JMP 00000000778603b0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077701670 5 bytes JMP 0000000077860390 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777016b0 5 bytes JMP 00000000778602e0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077701730 5 bytes JMP 00000000778602d0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077701750 5 bytes JMP 0000000077860310 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077701790 5 bytes JMP 00000000778603c0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777017e0 5 bytes JMP 00000000778603f0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077701940 5 bytes JMP 0000000077860230 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077701b00 5 bytes JMP 0000000077860480 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077701b30 5 bytes JMP 00000000778603a0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077701c10 5 bytes JMP 00000000778602f0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077701c20 5 bytes JMP 0000000077860350 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077701c80 5 bytes JMP 0000000077860290 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077701d10 5 
bytes JMP 00000000778602b0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077701d30 5 bytes JMP 00000000778603d0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077701d40 5 bytes JMP 0000000077860330 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077701db0 5 bytes JMP 0000000077860410 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077701de0 5 bytes JMP 0000000077860240 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777020a0 5 bytes JMP 00000000778601e0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077702160 5 bytes JMP 0000000077860250 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077702190 5 bytes JMP 0000000077860490 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777021a0 5 bytes JMP 00000000778604a0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777021d0 5 bytes JMP 0000000077860300 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777021e0 5 bytes JMP 0000000077860360 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077702240 5 bytes JMP 00000000778602a0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077702290 5 bytes JMP 00000000778602c0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777022c0 5 bytes JMP 0000000077860380 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777022d0 5 bytes JMP 0000000077860340 .text C:\Windows\system32\services.exe[676] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777025c0 5 bytes JMP 0000000077860440 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777027c0 5 bytes JMP 0000000077860260 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777027d0 5 bytes JMP 0000000077860270 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777027e0 5 bytes JMP 0000000077860400 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777029a0 5 bytes JMP 00000000778601f0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777029b0 5 bytes JMP 0000000077860210 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077702a20 5 bytes JMP 0000000077860200 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077702a80 5 bytes JMP 0000000077860420 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077702a90 5 bytes JMP 0000000077860430 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077702aa0 5 bytes JMP 0000000077860220 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077702b80 5 bytes JMP 0000000077860280 .text C:\Windows\system32\services.exe[676] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774eeecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077701360 5 bytes JMP 0000000077860460 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777013b0 5 bytes JMP 0000000077860450 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077701510 5 bytes 
JMP 0000000077860370 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077701560 5 bytes JMP 0000000077860470 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077701570 5 bytes JMP 00000000778603e0 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077701620 5 bytes JMP 0000000077860320 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077701650 5 bytes JMP 00000000778603b0 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077701670 5 bytes JMP 0000000077860390 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777016b0 5 bytes JMP 00000000778602e0 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077701730 5 bytes JMP 00000000778602d0 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077701750 5 bytes JMP 0000000077860310 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077701790 5 bytes JMP 00000000778603c0 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777017e0 5 bytes JMP 00000000778603f0 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077701940 5 bytes JMP 0000000077860230 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077701b00 5 bytes JMP 0000000077860480 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077701b30 5 bytes JMP 00000000778603a0 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077701c10 5 bytes JMP 00000000778602f0 .text 
C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077701c20 5 bytes JMP 0000000077860350 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077701c80 5 bytes JMP 0000000077860290 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077701d10 5 bytes JMP 00000000778602b0 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077701d30 5 bytes JMP 00000000778603d0 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077701d40 5 bytes JMP 0000000077860330 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077701db0 5 bytes JMP 0000000077860410 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077701de0 5 bytes JMP 0000000077860240 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777020a0 5 bytes JMP 00000000778601e0 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077702160 5 bytes JMP 0000000077860250 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077702190 5 bytes JMP 0000000077860490 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777021a0 5 bytes JMP 00000000778604a0 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777021d0 5 bytes JMP 0000000077860300 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777021e0 5 bytes JMP 0000000077860360 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077702240 5 bytes JMP 00000000778602a0 .text C:\Windows\system32\winlogon.exe[792] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077702290 5 bytes JMP 00000000778602c0 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777022c0 5 bytes JMP 0000000077860380 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777022d0 5 bytes JMP 0000000077860340 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777025c0 5 bytes JMP 0000000077860440 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777027c0 5 bytes JMP 0000000077860260 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777027d0 5 bytes JMP 0000000077860270 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777027e0 5 bytes JMP 0000000077860400 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777029a0 5 bytes JMP 00000000778601f0 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777029b0 5 bytes JMP 0000000077860210 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077702a20 5 bytes JMP 0000000077860200 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077702a80 5 bytes JMP 0000000077860420 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077702a90 5 bytes JMP 0000000077860430 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077702aa0 5 bytes JMP 0000000077860220 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077702b80 5 bytes JMP 0000000077860280 .text C:\Windows\system32\winlogon.exe[792] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774eeecd 1 
byte [62] .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077701360 5 bytes JMP 0000000077860460 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777013b0 5 bytes JMP 0000000077860450 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077701510 5 bytes JMP 0000000077860370 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077701560 5 bytes JMP 0000000077860470 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077701570 5 bytes JMP 00000000778603e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077701620 5 bytes JMP 0000000077860320 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077701650 5 bytes JMP 00000000778603b0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077701670 5 bytes JMP 0000000077860390 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777016b0 5 bytes JMP 00000000778602e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077701730 5 bytes JMP 00000000778602d0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077701750 5 bytes JMP 0000000077860310 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077701790 5 bytes JMP 00000000778603c0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777017e0 5 bytes JMP 00000000778603f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077701940 5 bytes JMP 0000000077860230 .text C:\Windows\system32\svchost.exe[864] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077701b00 5 bytes JMP 0000000077860480 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077701b30 5 bytes JMP 00000000778603a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077701c10 5 bytes JMP 00000000778602f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077701c20 5 bytes JMP 0000000077860350 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077701c80 5 bytes JMP 0000000077860290 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077701d10 5 bytes JMP 00000000778602b0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077701d30 5 bytes JMP 00000000778603d0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077701d40 5 bytes JMP 0000000077860330 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077701db0 5 bytes JMP 0000000077860410 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077701de0 5 bytes JMP 0000000077860240 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777020a0 5 bytes JMP 00000000778601e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077702160 5 bytes JMP 0000000077860250 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077702190 5 bytes JMP 0000000077860490 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777021a0 5 bytes JMP 00000000778604a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777021d0 
5 bytes JMP 0000000077860300 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777021e0 5 bytes JMP 0000000077860360 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077702240 5 bytes JMP 00000000778602a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077702290 5 bytes JMP 00000000778602c0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777022c0 5 bytes JMP 0000000077860380 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777022d0 5 bytes JMP 0000000077860340 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777025c0 5 bytes JMP 0000000077860440 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777027c0 5 bytes JMP 0000000077860260 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777027d0 5 bytes JMP 0000000077860270 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777027e0 5 bytes JMP 0000000077860400 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777029a0 5 bytes JMP 00000000778601f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777029b0 5 bytes JMP 0000000077860210 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077702a20 5 bytes JMP 0000000077860200 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077702a80 5 bytes JMP 0000000077860420 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077702a90 5 bytes JMP 0000000077860430 .text C:\Windows\system32\svchost.exe[864] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077702aa0 5 bytes JMP 0000000077860220 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077702b80 5 bytes JMP 0000000077860280 .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774eeecd 1 byte [62] .text C:\PROGRAMY\administracyjne\Emsisoft Anti-Malware\a2service.exe[924] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bca2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077701360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777013b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077701510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077701560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077701570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077701620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077701650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077701670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777016b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077701730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077701750 5 bytes JMP 
0000000100070310 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077701790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777017e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077701940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077701b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077701b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077701c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077701c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077701c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077701d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077701d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077701d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077701db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077701de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777020a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[568] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077702160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077702190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777021a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777021d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777021e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077702240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077702290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777022c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777022d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777025c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777027c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777027d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777027e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777029a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777029b0 5 bytes JMP 
0000000100070210 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077702a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077702a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077702a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077702aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077702b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077701360 5 bytes JMP 0000000077860460 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777013b0 5 bytes JMP 0000000077860450 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077701510 5 bytes JMP 0000000077860370 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077701560 5 bytes JMP 0000000077860470 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077701570 5 bytes JMP 00000000778603e0 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077701620 5 bytes JMP 0000000077860320 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077701650 5 bytes JMP 00000000778603b0 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077701670 5 bytes JMP 0000000077860390 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777016b0 5 bytes JMP 00000000778602e0 .text C:\Windows\System32\svchost.exe[820] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077701730 5 bytes JMP 00000000778602d0 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077701750 5 bytes JMP 0000000077860310 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077701790 5 bytes JMP 00000000778603c0 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777017e0 5 bytes JMP 00000000778603f0 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077701940 5 bytes JMP 0000000077860230 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077701b00 5 bytes JMP 0000000077860480 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077701b30 5 bytes JMP 00000000778603a0 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077701c10 5 bytes JMP 00000000778602f0 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077701c20 5 bytes JMP 0000000077860350 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077701c80 5 bytes JMP 0000000077860290 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077701d10 5 bytes JMP 00000000778602b0 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077701d30 5 bytes JMP 00000000778603d0 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077701d40 5 bytes JMP 0000000077860330 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077701db0 5 bytes JMP 0000000077860410 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077701de0 5 bytes JMP 
0000000077860240 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777020a0 5 bytes JMP 00000000778601e0 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077702160 5 bytes JMP 0000000077860250 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077702190 5 bytes JMP 0000000077860490 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777021a0 5 bytes JMP 00000000778604a0 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777021d0 5 bytes JMP 0000000077860300 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777021e0 5 bytes JMP 0000000077860360 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077702240 5 bytes JMP 00000000778602a0 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077702290 5 bytes JMP 00000000778602c0 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777022c0 5 bytes JMP 0000000077860380 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777022d0 5 bytes JMP 0000000077860340 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777025c0 5 bytes JMP 0000000077860440 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777027c0 5 bytes JMP 0000000077860260 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777027d0 5 bytes JMP 0000000077860270 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777027e0 5 bytes JMP 0000000077860400 .text C:\Windows\System32\svchost.exe[820] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777029a0 5 bytes JMP 00000000778601f0 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777029b0 5 bytes JMP 0000000077860210 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077702a20 5 bytes JMP 0000000077860200 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077702a80 5 bytes JMP 0000000077860420 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077702a90 5 bytes JMP 0000000077860430 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077702aa0 5 bytes JMP 0000000077860220 .text C:\Windows\System32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077702b80 5 bytes JMP 0000000077860280 .text C:\Windows\System32\svchost.exe[820] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774eeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077701360 5 bytes JMP 0000000077860460 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777013b0 5 bytes JMP 0000000077860450 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077701510 5 bytes JMP 0000000077860370 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077701560 5 bytes JMP 0000000077860470 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077701570 5 bytes JMP 00000000778603e0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077701620 5 bytes JMP 0000000077860320 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077701650 5 bytes JMP 
00000000778603b0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077701670 5 bytes JMP 0000000077860390 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777016b0 5 bytes JMP 00000000778602e0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077701730 5 bytes JMP 00000000778602d0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077701750 5 bytes JMP 0000000077860310 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077701790 5 bytes JMP 00000000778603c0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777017e0 5 bytes JMP 00000000778603f0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077701940 5 bytes JMP 0000000077860230 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077701b00 5 bytes JMP 0000000077860480 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077701b30 5 bytes JMP 00000000778603a0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077701c10 5 bytes JMP 00000000778602f0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077701c20 5 bytes JMP 0000000077860350 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077701c80 5 bytes JMP 0000000077860290 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077701d10 5 bytes JMP 00000000778602b0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077701d30 5 bytes JMP 00000000778603d0 .text C:\Windows\System32\svchost.exe[1056] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077701d40 5 bytes JMP 0000000077860330 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077701db0 5 bytes JMP 0000000077860410 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077701de0 5 bytes JMP 0000000077860240 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777020a0 5 bytes JMP 00000000778601e0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077702160 5 bytes JMP 0000000077860250 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077702190 5 bytes JMP 0000000077860490 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777021a0 5 bytes JMP 00000000778604a0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777021d0 5 bytes JMP 0000000077860300 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777021e0 5 bytes JMP 0000000077860360 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077702240 5 bytes JMP 00000000778602a0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077702290 5 bytes JMP 00000000778602c0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777022c0 5 bytes JMP 0000000077860380 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777022d0 5 bytes JMP 0000000077860340 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777025c0 5 bytes JMP 0000000077860440 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777027c0 5 bytes JMP 
0000000077860260 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777027d0 5 bytes JMP 0000000077860270 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777027e0 5 bytes JMP 0000000077860400 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777029a0 5 bytes JMP 00000000778601f0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777029b0 5 bytes JMP 0000000077860210 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077702a20 5 bytes JMP 0000000077860200 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077702a80 5 bytes JMP 0000000077860420 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077702a90 5 bytes JMP 0000000077860430 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077702aa0 5 bytes JMP 0000000077860220 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077702b80 5 bytes JMP 0000000077860280 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077701360 5 bytes JMP 0000000077860460 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777013b0 5 bytes JMP 0000000077860450 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077701510 5 bytes JMP 0000000077860370 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077701560 5 bytes JMP 0000000077860470 .text C:\Windows\system32\svchost.exe[1148] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077701570 5 bytes JMP 00000000778603e0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077701620 5 bytes JMP 0000000077860320 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077701650 5 bytes JMP 00000000778603b0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077701670 5 bytes JMP 0000000077860390 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777016b0 5 bytes JMP 00000000778602e0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077701730 5 bytes JMP 00000000778602d0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077701750 5 bytes JMP 0000000077860310 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077701790 5 bytes JMP 00000000778603c0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777017e0 5 bytes JMP 00000000778603f0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077701940 5 bytes JMP 0000000077860230 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077701b00 5 bytes JMP 0000000077860480 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077701b30 5 bytes JMP 00000000778603a0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077701c10 5 bytes JMP 00000000778602f0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077701c20 5 bytes JMP 0000000077860350 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077701c80 5 
bytes JMP 0000000077860290 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077701d10 5 bytes JMP 00000000778602b0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077701d30 5 bytes JMP 00000000778603d0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077701d40 5 bytes JMP 0000000077860330 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077701db0 5 bytes JMP 0000000077860410 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077701de0 5 bytes JMP 0000000077860240 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777020a0 5 bytes JMP 00000000778601e0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077702160 5 bytes JMP 0000000077860250 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077702190 5 bytes JMP 0000000077860490 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777021a0 5 bytes JMP 00000000778604a0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777021d0 5 bytes JMP 0000000077860300 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777021e0 5 bytes JMP 0000000077860360 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077702240 5 bytes JMP 00000000778602a0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077702290 5 bytes JMP 00000000778602c0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777022c0 5 bytes JMP 0000000077860380 .text C:\Windows\system32\svchost.exe[1148] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777022d0 5 bytes JMP 0000000077860340 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777025c0 5 bytes JMP 0000000077860440 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777027c0 5 bytes JMP 0000000077860260 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777027d0 5 bytes JMP 0000000077860270 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777027e0 5 bytes JMP 0000000077860400 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777029a0 5 bytes JMP 00000000778601f0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777029b0 5 bytes JMP 0000000077860210 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077702a20 5 bytes JMP 0000000077860200 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077702a80 5 bytes JMP 0000000077860420 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077702a90 5 bytes JMP 0000000077860430 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077702aa0 5 bytes JMP 0000000077860220 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077702b80 5 bytes JMP 0000000077860280 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077701360 5 bytes JMP 0000000077860460 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777013b0 5 bytes JMP 
0000000077860450 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077701510 5 bytes JMP 0000000077860370 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077701560 5 bytes JMP 0000000077860470 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077701570 5 bytes JMP 00000000778603e0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077701620 5 bytes JMP 0000000077860320 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077701650 5 bytes JMP 00000000778603b0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077701670 5 bytes JMP 0000000077860390 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777016b0 5 bytes JMP 00000000778602e0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077701730 5 bytes JMP 00000000778602d0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077701750 5 bytes JMP 0000000077860310 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077701790 5 bytes JMP 00000000778603c0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777017e0 5 bytes JMP 00000000778603f0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077701940 5 bytes JMP 0000000077860230 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077701b00 5 bytes JMP 0000000077860480 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077701b30 5 bytes JMP 00000000778603a0 .text C:\Windows\system32\svchost.exe[1388] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077701c10 5 bytes JMP 00000000778602f0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077701c20 5 bytes JMP 0000000077860350 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077701c80 5 bytes JMP 0000000077860290 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077701d10 5 bytes JMP 00000000778602b0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077701d30 5 bytes JMP 00000000778603d0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077701d40 5 bytes JMP 0000000077860330 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077701db0 5 bytes JMP 0000000077860410 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077701de0 5 bytes JMP 0000000077860240 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777020a0 5 bytes JMP 00000000778601e0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077702160 5 bytes JMP 0000000077860250 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077702190 5 bytes JMP 0000000077860490 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777021a0 5 bytes JMP 00000000778604a0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777021d0 5 bytes JMP 0000000077860300 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777021e0 5 bytes JMP 0000000077860360 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077702240 5 
bytes JMP 00000000778602a0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077702290 5 bytes JMP 00000000778602c0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777022c0 5 bytes JMP 0000000077860380 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777022d0 5 bytes JMP 0000000077860340 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777025c0 5 bytes JMP 0000000077860440 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777027c0 5 bytes JMP 0000000077860260 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777027d0 5 bytes JMP 0000000077860270 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777027e0 5 bytes JMP 0000000077860400 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777029a0 5 bytes JMP 00000000778601f0 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777029b0 5 bytes JMP 0000000077860210 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077702a20 5 bytes JMP 0000000077860200 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077702a80 5 bytes JMP 0000000077860420 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077702a90 5 bytes JMP 0000000077860430 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077702aa0 5 bytes JMP 0000000077860220 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077702b80 5 bytes JMP 0000000077860280 .text C:\Windows\Explorer.EXE[1924] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077701360 5 bytes JMP 0000000100070460 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777013b0 5 bytes JMP 0000000100070450 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077701510 5 bytes JMP 0000000100070370 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077701560 5 bytes JMP 0000000100070470 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077701570 5 bytes JMP 00000001000703e0 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077701620 5 bytes JMP 0000000100070320 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077701650 5 bytes JMP 00000001000703b0 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077701670 5 bytes JMP 0000000100070390 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777016b0 5 bytes JMP 00000001000702e0 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077701730 5 bytes JMP 00000001000702d0 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077701750 5 bytes JMP 0000000100070310 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077701790 5 bytes JMP 00000001000703c0 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777017e0 5 bytes JMP 00000001000703f0 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077701940 5 bytes JMP 0000000100070230 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077701b00 5 bytes JMP 0000000100070480 .text C:\Windows\Explorer.EXE[1924] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077701b30 5 bytes JMP 00000001000703a0 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077701c10 5 bytes JMP 00000001000702f0 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077701c20 5 bytes JMP 0000000100070350 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077701c80 5 bytes JMP 0000000100070290 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077701d10 5 bytes JMP 00000001000702b0 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077701d30 5 bytes JMP 00000001000703d0 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077701d40 5 bytes JMP 0000000100070330 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077701db0 5 bytes JMP 0000000100070410 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077701de0 5 bytes JMP 0000000100070240 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777020a0 5 bytes JMP 00000001000701e0 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077702160 5 bytes JMP 0000000100070250 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077702190 5 bytes JMP 0000000100070490 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777021a0 5 bytes JMP 00000001000704a0 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777021d0 5 bytes JMP 0000000100070300 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777021e0 5 bytes JMP 0000000100070360 .text C:\Windows\Explorer.EXE[1924] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077702240 5 bytes JMP 00000001000702a0 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077702290 5 bytes JMP 00000001000702c0 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777022c0 5 bytes JMP 0000000100070380 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777022d0 5 bytes JMP 0000000100070340 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777025c0 5 bytes JMP 0000000100070440 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777027c0 5 bytes JMP 0000000100070260 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777027d0 5 bytes JMP 0000000100070270 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777027e0 5 bytes JMP 0000000100070400 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777029a0 5 bytes JMP 00000001000701f0 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777029b0 5 bytes JMP 0000000100070210 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077702a20 5 bytes JMP 0000000100070200 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077702a80 5 bytes JMP 0000000100070420 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077702a90 5 bytes JMP 0000000100070430 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077702aa0 5 bytes JMP 0000000100070220 .text C:\Windows\Explorer.EXE[1924] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077702b80 5 bytes JMP 0000000100070280 .text C:\Windows\Explorer.EXE[1924] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 
00000000774eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077701360 5 bytes JMP 0000000077860460 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777013b0 5 bytes JMP 0000000077860450 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077701510 5 bytes JMP 0000000077860370 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077701560 5 bytes JMP 0000000077860470 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077701570 5 bytes JMP 00000000778603e0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077701620 5 bytes JMP 0000000077860320 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077701650 5 bytes JMP 00000000778603b0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077701670 5 bytes JMP 0000000077860390 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777016b0 5 bytes JMP 00000000778602e0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077701730 5 bytes JMP 00000000778602d0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077701750 5 bytes JMP 0000000077860310 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077701790 5 bytes JMP 00000000778603c0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777017e0 5 bytes JMP 00000000778603f0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077701940 5 bytes JMP 0000000077860230 .text C:\Windows\system32\svchost.exe[1592] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077701b00 5 bytes JMP 0000000077860480 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077701b30 5 bytes JMP 00000000778603a0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077701c10 5 bytes JMP 00000000778602f0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077701c20 5 bytes JMP 0000000077860350 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077701c80 5 bytes JMP 0000000077860290 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077701d10 5 bytes JMP 00000000778602b0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077701d30 5 bytes JMP 00000000778603d0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077701d40 5 bytes JMP 0000000077860330 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077701db0 5 bytes JMP 0000000077860410 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077701de0 5 bytes JMP 0000000077860240 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777020a0 5 bytes JMP 00000000778601e0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077702160 5 bytes JMP 0000000077860250 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077702190 5 bytes JMP 0000000077860490 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777021a0 5 bytes JMP 00000000778604a0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 
00000000777021d0 5 bytes JMP 0000000077860300 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777021e0 5 bytes JMP 0000000077860360 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077702240 5 bytes JMP 00000000778602a0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077702290 5 bytes JMP 00000000778602c0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777022c0 5 bytes JMP 0000000077860380 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777022d0 5 bytes JMP 0000000077860340 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777025c0 5 bytes JMP 0000000077860440 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777027c0 5 bytes JMP 0000000077860260 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777027d0 5 bytes JMP 0000000077860270 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777027e0 5 bytes JMP 0000000077860400 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777029a0 5 bytes JMP 00000000778601f0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777029b0 5 bytes JMP 0000000077860210 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077702a20 5 bytes JMP 0000000077860200 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077702a80 5 bytes JMP 0000000077860420 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077702a90 5 bytes JMP 0000000077860430 .text 
C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077702aa0 5 bytes JMP 0000000077860220 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077702b80 5 bytes JMP 0000000077860280 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774eeecd 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[2676] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000751a1a22 2 bytes [1A, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2676] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000751a1ad0 2 bytes [1A, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2676] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000751a1b08 2 bytes [1A, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2676] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000751a1bba 2 bytes [1A, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2676] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000751a1bda 2 bytes [1A, 75] .text C:\PROGRAMY\administracyjne\Spybot - Search & Destroy\SDWinSec.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000778afac0 5 bytes JMP 0000000100030600 .text C:\PROGRAMY\administracyjne\Spybot - Search & Destroy\SDWinSec.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000778afb58 5 bytes JMP 0000000100030804 .text C:\PROGRAMY\administracyjne\Spybot - Search & Destroy\SDWinSec.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778afcb0 5 bytes JMP 0000000100030c0c .text C:\PROGRAMY\administracyjne\Spybot - Search & Destroy\SDWinSec.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000778b0038 5 bytes JMP 0000000100030a08 .text C:\PROGRAMY\administracyjne\Spybot - Search & Destroy\SDWinSec.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778b1920 5 bytes JMP 0000000100030e10 .text C:\PROGRAMY\administracyjne\Spybot - Search & Destroy\SDWinSec.exe[2212] 
C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000778cc4dd 5 bytes JMP 00000001000301f8 .text C:\PROGRAMY\administracyjne\Spybot - Search & Destroy\SDWinSec.exe[2212] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778d1287 5 bytes JMP 00000001000303fc .text C:\PROGRAMY\administracyjne\Spybot - Search & Destroy\SDWinSec.exe[2212] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075bca2ba 1 byte [62] .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000778afac0 5 bytes JMP 0000000100030600 .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000778afb58 5 bytes JMP 0000000100030804 .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778afcb0 5 bytes JMP 0000000100030c0c .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000778b0038 5 bytes JMP 0000000100030a08 .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778b1920 5 bytes JMP 0000000100030e10 .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000778cc4dd 5 bytes JMP 00000001000301f8 .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778d1287 5 bytes JMP 00000001000303fc .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075bca2ba 1 byte [62] .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076f65181 5 bytes JMP 0000000100231014 .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076f65254 5 bytes JMP 0000000100230804 .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076f653d5 5 bytes JMP 0000000100230a08 .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076f654c2 5 bytes JMP 0000000100230c0c .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076f655e2 5 bytes JMP 0000000100230e10 .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076f6567c 5 bytes JMP 00000001002301f8 .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076f6589f 5 bytes JMP 00000001002303fc .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076f65a22 5 bytes JMP 0000000100230600 .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075ccee09 5 bytes JMP 00000001002401f8 .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075cd3982 5 bytes JMP 00000001002403fc .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075cd7603 5 bytes JMP 0000000100240804 .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075cd835c 5 bytes JMP 0000000100240600 .text C:\PROGRAMY\administracyjne\Ditto\Ditto.exe[3396] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075cef52b 5 bytes JMP 0000000100240a08 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776d3b10 5 bytes JMP 000000010045075c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000776d7ac0 5 bytes JMP 00000001004503a4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077701360 5 bytes JMP 0000000077860460 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777013b0 5 bytes JMP 0000000077860450 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077701430 5 bytes JMP 0000000100450b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077701490 5 bytes JMP 0000000100450ecc .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077701510 5 bytes JMP 0000000077860370 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077701560 5 bytes JMP 0000000077860470 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077701570 5 bytes JMP 000000010045163c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077701620 5 bytes JMP 0000000077860320 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077701650 5 bytes JMP 00000000778603b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077701670 5 bytes JMP 0000000077860390 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777016b0 5 bytes JMP 00000000778602e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077701730 5 bytes JMP 00000000778602d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077701750 5 bytes JMP 0000000077860310 .text C:\Program 
Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077701790 5 bytes JMP 00000000778603c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777017b0 5 bytes JMP 0000000100451284 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777017e0 5 bytes JMP 00000000778603f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077701940 5 bytes JMP 0000000077860230 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077701b00 5 bytes JMP 0000000077860480 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077701b30 5 bytes JMP 00000000778603a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077701c10 5 bytes JMP 00000000778602f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077701c20 5 bytes JMP 0000000077860350 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077701c80 5 bytes JMP 0000000077860290 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077701d10 5 bytes JMP 00000000778602b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077701d30 5 bytes JMP 00000000778603d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077701d40 5 bytes JMP 0000000077860330 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 
0000000077701db0 5 bytes JMP 0000000077860410 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077701de0 5 bytes JMP 0000000077860240 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777020a0 5 bytes JMP 00000000778601e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077702160 5 bytes JMP 0000000077860250 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077702190 5 bytes JMP 0000000077860490 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777021a0 5 bytes JMP 00000000778604a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777021d0 5 bytes JMP 0000000077860300 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777021e0 5 bytes JMP 0000000077860360 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077702240 5 bytes JMP 00000000778602a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077702290 5 bytes JMP 00000000778602c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777022c0 5 bytes JMP 0000000077860380 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777022d0 5 bytes JMP 0000000077860340 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777025c0 5 bytes JMP 0000000077860440 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777027c0 5 bytes JMP 0000000077860260 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777027d0 5 bytes JMP 0000000077860270 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777027e0 5 bytes JMP 00000001004519f4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777029a0 5 bytes JMP 00000000778601f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777029b0 5 bytes JMP 0000000077860210 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077702a20 5 bytes JMP 0000000077860200 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077702a80 5 bytes JMP 0000000077860420 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077702a90 5 bytes JMP 0000000077860430 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077702aa0 5 bytes JMP 0000000077860220 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077702b80 5 bytes JMP 0000000077860280 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3724] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000774eeecd 1 byte [62] .text C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000778afac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000778afb58 5 bytes JMP 0000000100030804 .text 
C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778afcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000778b0038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778b1920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe[3952] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000778cc4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe[3952] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778d1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe[3952] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075bca2ba 1 byte [62] .text C:\PROGRAMY\internet\avast\AvastUI.exe[3388] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bca2ba 1 byte [62] .text C:\Windows\System32\wscript.exe[4756] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000774eeecd 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[4180] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000774eeecd 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[4180] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefeca6e00 5 bytes JMP 000007ff7ecc1dac .text C:\Windows\system32\wbem\wmiprvse.exe[4180] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefeca6f2c 5 bytes JMP 000007ff7ecc0ecc .text C:\Windows\system32\wbem\wmiprvse.exe[4180] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefeca7220 5 bytes JMP 000007ff7ecc1284 .text C:\Windows\system32\wbem\wmiprvse.exe[4180] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefeca739c 5 bytes JMP 000007ff7ecc163c .text C:\Windows\system32\wbem\wmiprvse.exe[4180] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefeca7538 5 bytes JMP 000007ff7ecc19f4 .text C:\Windows\system32\wbem\wmiprvse.exe[4180] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefeca75e8 5 bytes JMP 000007ff7ecc03a4 .text C:\Windows\system32\wbem\wmiprvse.exe[4180] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefeca790c 5 bytes JMP 000007ff7ecc075c .text C:\Windows\system32\wbem\wmiprvse.exe[4180] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefeca7ab4 5 bytes JMP 000007ff7ecc0b14 .text C:\Users\miko\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000778afac0 5 bytes JMP 0000000100030600 .text C:\Users\miko\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000778afb58 5 bytes JMP 0000000100030804 .text C:\Users\miko\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778afcb0 5 bytes JMP 0000000100030c0c .text C:\Users\miko\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000778b0038 5 bytes JMP 0000000100030a08 .text C:\Users\miko\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778b1920 5 bytes JMP 0000000100030e10 .text C:\Users\miko\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe[2828] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000778cc4dd 5 bytes JMP 00000001000301f8 .text C:\Users\miko\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe[2828] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778d1287 5 bytes JMP 00000001000303fc .text C:\Users\miko\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe[2828] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075bca2ba 1 byte [62] .text 
C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077701360 5 bytes JMP 0000000100070460 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777013b0 5 bytes JMP 0000000100070450 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077701510 5 bytes JMP 0000000100070370 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077701560 5 bytes JMP 0000000100070470 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077701570 5 bytes JMP 00000001000703e0 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077701620 5 bytes JMP 0000000100070320 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077701650 5 bytes JMP 00000001000703b0 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077701670 5 bytes JMP 0000000100070390 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777016b0 5 bytes JMP 00000001000702e0 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077701730 5 bytes JMP 00000001000702d0 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077701750 5 bytes JMP 0000000100070310 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077701790 5 bytes JMP 00000001000703c0 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777017e0 5 bytes JMP 00000001000703f0 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077701940 5 bytes JMP 0000000100070230 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077701b00 5 bytes JMP 0000000100070480 .text C:\Windows\explorer.exe[2664] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077701b30 5 bytes JMP 00000001000703a0 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077701c10 5 bytes JMP 00000001000702f0 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077701c20 5 bytes JMP 0000000100070350 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077701c80 5 bytes JMP 0000000100070290 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077701d10 5 bytes JMP 00000001000702b0 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077701d30 5 bytes JMP 00000001000703d0 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077701d40 5 bytes JMP 0000000100070330 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077701db0 5 bytes JMP 0000000100070410 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077701de0 5 bytes JMP 0000000100070240 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777020a0 5 bytes JMP 00000001000701e0 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077702160 5 bytes JMP 0000000100070250 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077702190 5 bytes JMP 0000000100070490 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777021a0 5 bytes JMP 00000001000704a0 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777021d0 5 bytes JMP 0000000100070300 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777021e0 5 bytes JMP 0000000100070360 .text C:\Windows\explorer.exe[2664] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077702240 5 bytes JMP 00000001000702a0 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077702290 5 bytes JMP 00000001000702c0 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777022c0 5 bytes JMP 0000000100070380 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777022d0 5 bytes JMP 0000000100070340 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777025c0 5 bytes JMP 0000000100070440 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777027c0 5 bytes JMP 0000000100070260 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777027d0 5 bytes JMP 0000000100070270 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777027e0 5 bytes JMP 0000000100070400 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777029a0 5 bytes JMP 00000001000701f0 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777029b0 5 bytes JMP 0000000100070210 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077702a20 5 bytes JMP 0000000100070200 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077702a80 5 bytes JMP 0000000100070420 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077702a90 5 bytes JMP 0000000100070430 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077702aa0 5 bytes JMP 0000000100070220 .text C:\Windows\explorer.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077702b80 5 bytes JMP 0000000100070280 .text C:\Windows\explorer.exe[2664] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 
00000000774eeecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077701360 5 bytes JMP 0000000077860460 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777013b0 5 bytes JMP 0000000077860450 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077701510 5 bytes JMP 0000000077860370 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077701560 5 bytes JMP 0000000077860470 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077701570 5 bytes JMP 00000000778603e0 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077701620 5 bytes JMP 0000000077860320 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077701650 5 bytes JMP 00000000778603b0 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077701670 5 bytes JMP 0000000077860390 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777016b0 5 bytes JMP 00000000778602e0 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077701730 5 bytes JMP 00000000778602d0 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077701750 5 bytes JMP 0000000077860310 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077701790 5 bytes JMP 00000000778603c0 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777017e0 5 bytes JMP 00000000778603f0 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077701940 5 bytes JMP 0000000077860230 .text C:\Windows\system32\AUDIODG.EXE[3124] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077701b00 5 bytes JMP 0000000077860480 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077701b30 5 bytes JMP 00000000778603a0 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077701c10 5 bytes JMP 00000000778602f0 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077701c20 5 bytes JMP 0000000077860350 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077701c80 5 bytes JMP 0000000077860290 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077701d10 5 bytes JMP 00000000778602b0 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077701d30 5 bytes JMP 00000000778603d0 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077701d40 5 bytes JMP 0000000077860330 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077701db0 5 bytes JMP 0000000077860410 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077701de0 5 bytes JMP 0000000077860240 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777020a0 5 bytes JMP 00000000778601e0 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077702160 5 bytes JMP 0000000077860250 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077702190 5 bytes JMP 0000000077860490 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777021a0 5 bytes JMP 00000000778604a0 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 
00000000777021d0 5 bytes JMP 0000000077860300 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777021e0 5 bytes JMP 0000000077860360 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077702240 5 bytes JMP 00000000778602a0 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077702290 5 bytes JMP 00000000778602c0 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777022c0 5 bytes JMP 0000000077860380 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777022d0 5 bytes JMP 0000000077860340 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777025c0 5 bytes JMP 0000000077860440 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777027c0 5 bytes JMP 0000000077860260 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777027d0 5 bytes JMP 0000000077860270 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777027e0 5 bytes JMP 0000000077860400 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777029a0 5 bytes JMP 00000000778601f0 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777029b0 5 bytes JMP 0000000077860210 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077702a20 5 bytes JMP 0000000077860200 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077702a80 5 bytes JMP 0000000077860420 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077702a90 5 bytes JMP 0000000077860430 .text 
C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077702aa0 5 bytes JMP 0000000077860220 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077702b80 5 bytes JMP 0000000077860280 .text C:\Windows\system32\AUDIODG.EXE[3124] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 00000000774eeecd 1 byte [62] .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000778afac0 5 bytes JMP 0000000100030600 .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000778afb58 5 bytes JMP 0000000100030804 .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778afcb0 5 bytes JMP 0000000100030c0c .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000778b0038 5 bytes JMP 0000000100030a08 .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778b1920 5 bytes JMP 0000000100030e10 .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000778cc4dd 5 bytes JMP 00000001000301f8 .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778d1287 5 bytes JMP 00000001000303fc .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075bca2ba 1 byte [62] .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\syswow64\user32.DLL!SetWinEventHook 0000000075ccee09 5 bytes JMP 00000001002501f8 .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\syswow64\user32.DLL!UnhookWinEvent 0000000075cd3982 5 bytes JMP 00000001002503fc .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000075cd7603 5 bytes JMP 0000000100250804 .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 
0000000075cd835c 5 bytes JMP 0000000100250600 .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx 0000000075cef52b 5 bytes JMP 0000000100250a08 .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076f65181 5 bytes JMP 0000000100261014 .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076f65254 5 bytes JMP 0000000100260804 .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076f653d5 5 bytes JMP 0000000100260a08 .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076f654c2 5 bytes JMP 0000000100260c0c .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076f655e2 5 bytes JMP 0000000100260e10 .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076f6567c 5 bytes JMP 00000001002601f8 .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076f6589f 5 bytes JMP 00000001002603fc .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076f65a22 5 bytes JMP 0000000100260600 .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000075ca1465 2 bytes [CA, 75] .text C:\Users\miko\Downloads\OTL.exe[3444] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 0000000075ca14bb 2 bytes [CA, 75] .text ... 
* 2 .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000778afac0 5 bytes JMP 0000000100030600 .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000778afb58 5 bytes JMP 0000000100030804 .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778afcb0 5 bytes JMP 0000000100030c0c .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000778b0038 5 bytes JMP 0000000100030a08 .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778b1920 5 bytes JMP 0000000100030e10 .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000778cc4dd 5 bytes JMP 00000001000301f8 .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778d1287 5 bytes JMP 00000001000303fc .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075bca2ba 1 byte [62] .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076f65181 5 bytes JMP 0000000100241014 .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076f65254 5 bytes JMP 0000000100240804 .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076f653d5 5 bytes JMP 0000000100240a08 .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076f654c2 5 bytes JMP 0000000100240c0c .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076f655e2 5 bytes JMP 0000000100240e10 .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 
0000000076f6567c 5 bytes JMP 00000001002401f8 .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076f6589f 5 bytes JMP 00000001002403fc .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076f65a22 5 bytes JMP 0000000100240600 .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075ccee09 5 bytes JMP 00000001002501f8 .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075cd3982 5 bytes JMP 00000001002503fc .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075cd7603 5 bytes JMP 0000000100250804 .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075cd835c 5 bytes JMP 0000000100250600 .text C:\Users\miko\Desktop\gm\m57g1hli.exe[4828] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075cef52b 5 bytes JMP 0000000100250a08 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff88001065650] \SystemRoot\System32\Drivers\spyq.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880010655dc] \SystemRoot\System32\Drivers\spyq.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800103035c] \SystemRoot\System32\Drivers\spyq.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001030224] \SystemRoot\System32\Drivers\spyq.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001030a24] \SystemRoot\System32\Drivers\spyq.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff88001030ba0] \SystemRoot\System32\Drivers\spyq.sys 
[unknown section] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80049e42c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80049e42c0 Device \Driver\ac9a4t50 \Device\Scsi\ac9a4t501Port2Path0Target1Lun0 fffffa80072032c0 Device \Driver\ac9a4t50 \Device\Scsi\ac9a4t501 fffffa80072032c0 Device \Driver\ac9a4t50 \Device\Scsi\ac9a4t501Port2Path0Target0Lun0 fffffa80072032c0 Device \FileSystem\Ntfs \Ntfs fffffa80049ea2c0 Device \FileSystem\fastfat \Fat fffffa800d03c2c0 Device \Driver\usbuhci \Device\USBPDO-5 fffffa80071812c0 Device \Driver\usbuhci \Device\USBFDO-3 fffffa80071812c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa80071812c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{ADC35ADB-C265-4000-948A-F872547F9A57} fffffa800692f2c0 Device \Driver\cdrom \Device\CdRom0 fffffa80068102c0 Device \Driver\cdrom \Device\CdRom1 fffffa80068102c0 Device \Driver\cdrom \Device\CdRom2 fffffa80068102c0 Device \Driver\USBSTOR \Device\000000b0 fffffa800d02c2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{41C02D8D-67C4-4774-AF38-5D1457211ECF} fffffa800692f2c0 Device \Driver\usbehci \Device\USBPDO-6 fffffa80071972c0 Device \Driver\usbuhci \Device\USBFDO-4 fffffa80071812c0 Device \Driver\usbehci \Device\USBPDO-2 fffffa80071972c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa80071812c0 Device \Driver\volmgr \Device\HarddiskVolume14 fffffa80049de2c0 Device \Driver\USBSTOR \Device\000000af fffffa800d02c2c0 Device \Driver\usbuhci \Device\USBFDO-5 fffffa80071812c0 Device \Driver\usbuhci \Device\USBPDO-3 fffffa80071812c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa80071812c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80049de2c0 Device \Driver\volmgr \Device\FtControl fffffa80049de2c0 Device \Driver\volmgr \Device\VolMgrControl fffffa80049de2c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80049de2c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa80049de2c0 Device \Driver\volmgr \Device\HarddiskVolume4 fffffa80049de2c0 Device \Driver\volmgr 
\Device\HarddiskVolume5 fffffa80049de2c0 Device \Driver\volmgr \Device\HarddiskVolume6 fffffa80049de2c0 Device \Driver\volmgr \Device\HarddiskVolume7 fffffa80049de2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800692f2c0 Device \Driver\volmgr \Device\HarddiskVolume8 fffffa80049de2c0 Device \Driver\usbehci \Device\USBFDO-6 fffffa80071972c0 Device \Driver\usbuhci \Device\USBPDO-4 fffffa80071812c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa80071972c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa80071812c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80049e42c0 Device \Driver\ac9a4t50 \Device\ScsiPort2 fffffa80072032c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\ac9a4t50.SYS fffff88005502000-fffff88005545000 (274432 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\lsass.exe [700:724] 000007fefd2bdf50 Thread C:\Windows\System32\svchost.exe [820:1224] 000007fefbd5f2f4 Thread C:\Windows\System32\svchost.exe [820:1244] 000007fefba56204 Thread C:\Windows\System32\svchost.exe [820:1408] 000007fefaba5428 Thread C:\Windows\System32\svchost.exe [820:2144] 000007fef6e76b8c Thread C:\Windows\System32\svchost.exe [820:1996] 000007fef6e71d88 Thread C:\Windows\System32\svchost.exe [820:3204] 000007fefee1c608 Thread C:\Windows\System32\svchost.exe [820:4980] 000007fef45c5fd0 Thread C:\Windows\System32\svchost.exe [1056:1364] 000007fefacf331c Thread C:\Windows\System32\svchost.exe [1056:1444] 000007fefa703f1c Thread C:\Windows\System32\svchost.exe [1056:1460] 000007fefa8659a0 Thread C:\Windows\System32\svchost.exe [1056:2356] 000007fef74044e0 Thread C:\Windows\System32\svchost.exe [1056:2824] 000007fef78588f8 Thread C:\Windows\System32\svchost.exe [1056:4312] 000007fefab3a2b0 Thread C:\Windows\System32\svchost.exe [1056:4308] 000007fef9d514a0 Thread C:\Windows\system32\svchost.exe [1112:3224] 000007fef6740ea8 Thread C:\Windows\system32\svchost.exe [1112:3228] 000007fef6739db0 Thread C:\Windows\system32\svchost.exe [1112:3248] 
000007fef6741c94 Thread C:\Windows\system32\svchost.exe [1112:4804] 000007fefc176ed4 Thread C:\Windows\system32\svchost.exe [1112:5096] 000007fefc176b8c Thread C:\Windows\system32\svchost.exe [1112:4440] 000007fef673aa10 Thread C:\Windows\system32\svchost.exe [1112:4100] 000007fef459d3c8 Thread C:\Windows\system32\svchost.exe [1112:4668] 000007fef459d3c8 Thread C:\Windows\system32\svchost.exe [1112:2400] 000007fef459d3c8 Thread C:\Windows\system32\svchost.exe [1112:4116] 000007fef459d3c8 Thread C:\Windows\system32\svchost.exe [1148:4396] 000007fefb8b1ab0 Thread C:\Windows\system32\svchost.exe [1148:4780] 000007fefc234164 Thread C:\Windows\system32\svchost.exe [1260:1440] 000007fefae88274 Thread C:\Windows\system32\svchost.exe [1260:1832] 000007fefae88274 Thread C:\Windows\system32\svchost.exe [1388:2660] 000007fef789bd88 Thread C:\Windows\system32\svchost.exe [1388:692] 000007fef76d5124 Thread C:\Windows\system32\svchost.exe [1388:3840] 000007fef3ea5170 Thread C:\Windows\system32\svchost.exe [1388:3584] 000007fefc2a341c Thread C:\Windows\system32\svchost.exe [1388:1096] 000007fefc2a3a2c Thread C:\Windows\system32\svchost.exe [1388:1476] 000007fefc2a3768 Thread C:\Windows\system32\svchost.exe [1388:3716] 000007fefc2a5c20 Thread C:\Windows\system32\svchost.exe [1388:4372] 000007fefc2a3900 Thread C:\Windows\system32\svchost.exe [1388:4268] 000007fef7b45240 Thread C:\Windows\System32\spoolsv.exe [1300:3936] 000007fef2ab10c8 Thread C:\Windows\System32\spoolsv.exe [1300:3944] 000007fef2a76144 Thread C:\Windows\System32\spoolsv.exe [1300:3924] 000007fef45c5fd0 Thread C:\Windows\System32\spoolsv.exe [1300:3340] 000007fef2a53438 Thread C:\Windows\System32\spoolsv.exe [1300:3916] 000007fef45c63ec Thread C:\Windows\System32\spoolsv.exe [1300:3968] 000007fef4105e5c Thread C:\Windows\System32\spoolsv.exe [1300:3888] 000007fef2bf5074 Thread C:\Windows\system32\svchost.exe [2776:2792] 000007fefecaa808 Thread C:\Windows\system32\svchost.exe [2776:2836] 000007fef7617130 Thread 
C:\Windows\system32\svchost.exe [2776:2840] 000007fef760d5c0 Thread C:\Windows\system32\svchost.exe [3012:1168] 000007fefb7f8470 Thread C:\Windows\system32\svchost.exe [3012:1200] 000007fefb802418 Thread C:\Windows\system32\svchost.exe [3012:4036] 000007fef45c5fd0 Thread C:\Windows\system32\svchost.exe [3012:4040] 000007fef45c63ec Thread C:\Windows\system32\svchost.exe [3012:3900] 000007fef304f130 Thread C:\Windows\system32\svchost.exe [3012:2672] 000007fef3044734 Thread C:\Windows\system32\svchost.exe [3012:1684] 000007fef3044734 Thread C:\Windows\system32\svchost.exe [3088:3132] 000007fefecaa808 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3724:3980] 000007feff530168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3724:4012] 000007fefbb12a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3724:4024] 000007fef30ed618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3724:3604] 000007fef76d5124 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3724:2592] 000007fef3089730 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3724:3552] 000007fef30ed618 Thread C:\Windows\System32\svchost.exe [1816:3704] 000007fef1bd9688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Description avast! keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Tag 7 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 188 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 3839813 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\PROGRAMY\internet\avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\Alwil Software\Avast5 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\PROGRAMY\internet\avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\Alwil Software\Avast5 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\PROGRAMY\internet\avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fc6e05b6c Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fc6e05b6c@8c71f8862936 0xD7 0x06 0xC5 0x20 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\PROGRAMY\gry\Alcohol 52\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x65 0x68 0x33 0x46 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE9 0x79 0x63 0xB9 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x7E 0x0B 0x5A 0x09 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x8A 0x50 0xAD 0x27 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0x6F 0xE9 0xF9 0x7F ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\PROGRAMY\gry\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEE 0xE3 0xC2 0x44 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE8 0xCC 0x64 0x23 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5C 0x56 0x42 0x40 ... 
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Description avast! keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Tag 7 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? 
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 188 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 3839813 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\PROGRAMY\internet\avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\Alwil Software\Avast5 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\PROGRAMY\internet\avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\Alwil Software\Avast5 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\PROGRAMY\internet\avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! 
Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fc6e05b6c (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fc6e05b6c@8c71f8862936 0xD7 0x06 0xC5 0x20 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\PROGRAMY\gry\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x65 0x68 0x33 0x46 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE9 0x79 0x63 0xB9 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x7E 0x0B 0x5A 0x09 ... 
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x8A 0x50 0xAD 0x27 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0x6F 0xE9 0xF9 0x7F ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\PROGRAMY\gry\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEE 0xE3 0xC2 0x44 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE8 0xCC 0x64 0x23 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5C 0x56 0x42 0x40 ... Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@FirstLevelConsentDialog 0x80 0x06 0x0D 0x00 ... ---- EOF - GMER 2.1 ----