GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-01-06 23:18:18
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-0 ST9250320AS rev.0303 232,89GB
Running: 2p2sd456.exe; Driver: C:\Users\Tommy\AppData\Local\Temp\axldapog.sys

---- System - GMER 2.2 ----

SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwAddBootEntry [0x90F564BA]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwAllocateVirtualMemory [0x91744C22]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwAssignProcessToJobObject [0x90F56ED6]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateEvent [0x90F61FA8]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateEventPair [0x90F61FF4]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateIoCompletion [0x90F62176]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateMutant [0x90F61F16]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateSection [0x91744FA6]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateSemaphore [0x90F61F5E]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateThread [0x90F5711C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateTimer [0x90F62130]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDebugActiveProcess [0x90F5793E]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDeleteBootEntry [0x90F56508]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwFreeVirtualMemory [0x91744CEA]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwLoadDriver [0x917433EC]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwModifyBootEntry [0x90F56556]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwNotifyChangeKey [0x90F5B534]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwNotifyChangeMultipleKeys [0x90F583A6]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenEvent [0x90F61FD2]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenEventPair [0x90F62016]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenIoCompletion [0x90F6219A]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenMutant [0x90F61F3C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenSection [0x90F620BA]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenSemaphore [0x90F61F86]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenTimer [0x90F62154]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwProtectVirtualMemory [0x91744E4A]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwQueryObject [0x90F58272]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwQueueApcThread [0x90F57DD4]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetBootEntryOrder [0x90F565A4]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetBootOptions [0x90F565F2]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetContextThread [0x90F577BE]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetSystemInformation [0x90F561FA]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetSystemPowerState [0x90F563AA]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwShutdownSystem [0x90F56350]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSuspendProcess [0x90F57AF8]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSuspendThread [0x90F57C54]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSystemDebugControl [0x90F5641A]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwTerminateProcess [0x91744EFE]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwTerminateThread [0x90F57636]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwUnloadDriver [0x9174341C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwVdmControl [0x90F56640]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwWriteVirtualMemory [0x91744D96]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateThreadEx [0x90F572F4]

Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateProcessEx [0x9175DE56]
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObInsertObject
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObMakeTemporaryObject

---- Kernel code sections - GMER 2.2 ----

.text  ntkrnlpa.exe!KeSetEvent + 10D  838FD758 4 Bytes  [BA, 64, F5, 90]
.text  ntkrnlpa.exe!KeSetEvent + 131  838FD77C 4 Bytes  [22, 4C, 74, 91] {AND CL, [ESP+ESI*2-0x6f]}
.text  ntkrnlpa.exe!KeSetEvent + 191  838FD7DC 4 Bytes  [D6, 6E, F5, 90] {SALC ; OUTS DX, BYTE [ESI]; CMC ; NOP }
.text  ntkrnlpa.exe!KeSetEvent + 1D1  838FD81C 8 Bytes  [A8, 1F, F6, 90, F4, 1F, F6, ...] {TEST AL, 0x1f; NOT BYTE [EAX-0x6f09e00c]}
.text  ntkrnlpa.exe!KeSetEvent + 1DD  838FD828 4 Bytes  [76, 21, F6, 90]
.text  ...
PAGE   ntkrnlpa.exe!ObMakeTemporaryObject  83A28669 5 Bytes  JMP 9175ACF6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE   ntkrnlpa.exe!ObInsertObject  83A816F3 5 Bytes  JMP 9175C810 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE   ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110  83A8B00F 4 Bytes  CALL 90F58A8D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE   ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121  83A8EC83 4 Bytes  CALL 90F58AA3 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE   ntkrnlpa.exe!ZwCreateProcessEx  83AE3058 7 Bytes  JMP 9175DE5A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text  C:\Windows\system32\DRIVERS\atikmdag.sys  section is writeable [0x8FE07000, 0x1F875A, 0xE8000020]

---- User code sections - GMER 2.2 ----

.text  C:\Windows\System32\spoolsv.exe[192] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Windows\system32\svchost.exe[328] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Windows\system32\taskeng.exe[584] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Windows\system32\csrss.exe[612] KERNEL32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Windows\system32\wininit.exe[668] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  ...
.text  C:\Program Files\ATK Hotkey\KBFiltr.exe[1356] ntdll.dll!LdrLoadDll  775C9378 5 Bytes  JMP 001601F8
.text  C:\Program Files\ATK Hotkey\KBFiltr.exe[1356] ntdll.dll!LdrUnloadDll  775DB680 5 Bytes  JMP 001603FC
.text  C:\Program Files\ATK Hotkey\KBFiltr.exe[1356] KERNEL32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\ATK Hotkey\KBFiltr.exe[1356] USER32.dll!SetWindowsHookExA  77766322 5 Bytes  JMP 00170600
.text  C:\Program Files\ATK Hotkey\KBFiltr.exe[1356] USER32.dll!SetWindowsHookExW  777687AD 5 Bytes  JMP 00170804
.text  C:\Program Files\ATK Hotkey\KBFiltr.exe[1356] USER32.dll!UnhookWindowsHookEx  777698DB 5 Bytes  JMP 00170A08
.text  C:\Program Files\ATK Hotkey\KBFiltr.exe[1356] USER32.dll!SetWinEventHook  77769F3A 5 Bytes  JMP 001701F8
.text  C:\Program Files\ATK Hotkey\KBFiltr.exe[1356] USER32.dll!UnhookWinEvent  7776C06F 5 Bytes  JMP 001703FC
.text  C:\Program Files\ATK Hotkey\KBFiltr.exe[1356] ADVAPI32.dll!CreateServiceW  77519EB4 5 Bytes  JMP 001803FC
.text  C:\Program Files\ATK Hotkey\KBFiltr.exe[1356] ADVAPI32.dll!DeleteService  7751A07E 5 Bytes  JMP 00180600
.text  C:\Program Files\ATK Hotkey\KBFiltr.exe[1356] ADVAPI32.dll!SetServiceObjectSecurity  77556CD9 5 Bytes  JMP 00181014
.text  C:\Program Files\ATK Hotkey\KBFiltr.exe[1356] ADVAPI32.dll!ChangeServiceConfigA  77556DD9 5 Bytes  JMP 00180804
.text  C:\Program Files\ATK Hotkey\KBFiltr.exe[1356] ADVAPI32.dll!ChangeServiceConfigW  77556F81 5 Bytes  JMP 00180A08
.text  C:\Program Files\ATK Hotkey\KBFiltr.exe[1356] ADVAPI32.dll!ChangeServiceConfig2A  77557099 5 Bytes  JMP 00180C0C
.text  C:\Program Files\ATK Hotkey\KBFiltr.exe[1356] ADVAPI32.dll!ChangeServiceConfig2W  775571E1 5 Bytes  JMP 00180E10
.text  C:\Program Files\ATK Hotkey\KBFiltr.exe[1356] ADVAPI32.dll!CreateServiceA  775572A1 5 Bytes  JMP 001801F8
.text  C:\Program Files\Wireless Console 2\wcourier.exe[1400] ntdll.dll!LdrLoadDll  775C9378 5 Bytes  JMP 001601F8
.text  C:\Program Files\Wireless Console 2\wcourier.exe[1400] ntdll.dll!LdrUnloadDll  775DB680 5 Bytes  JMP 001603FC
.text  C:\Program Files\Wireless Console 2\wcourier.exe[1400] KERNEL32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\Wireless Console 2\wcourier.exe[1400] USER32.dll!SetWindowsHookExA  77766322 5 Bytes  JMP 00170600
.text  C:\Program Files\Wireless Console 2\wcourier.exe[1400] USER32.dll!SetWindowsHookExW  777687AD 5 Bytes  JMP 00170804
.text  C:\Program Files\Wireless Console 2\wcourier.exe[1400] USER32.dll!UnhookWindowsHookEx  777698DB 5 Bytes  JMP 00170A08
.text  C:\Program Files\Wireless Console 2\wcourier.exe[1400] USER32.dll!SetWinEventHook  77769F3A 5 Bytes  JMP 001701F8
.text  C:\Program Files\Wireless Console 2\wcourier.exe[1400] USER32.dll!UnhookWinEvent  7776C06F 5 Bytes  JMP 001703FC
.text  C:\Program Files\Wireless Console 2\wcourier.exe[1400] ADVAPI32.dll!CreateServiceW  77519EB4 5 Bytes  JMP 001803FC
.text  C:\Program Files\Wireless Console 2\wcourier.exe[1400] ADVAPI32.dll!DeleteService  7751A07E 5 Bytes  JMP 00180600
.text  C:\Program Files\Wireless Console 2\wcourier.exe[1400] ADVAPI32.dll!SetServiceObjectSecurity  77556CD9 5 Bytes  JMP 00181014
.text  C:\Program Files\Wireless Console 2\wcourier.exe[1400] ADVAPI32.dll!ChangeServiceConfigA  77556DD9 5 Bytes  JMP 00180804
.text  C:\Program Files\Wireless Console 2\wcourier.exe[1400] ADVAPI32.dll!ChangeServiceConfigW  77556F81 5 Bytes  JMP 00180A08
.text  C:\Program Files\Wireless Console 2\wcourier.exe[1400] ADVAPI32.dll!ChangeServiceConfig2A  77557099 5 Bytes  JMP 00180C0C
.text  C:\Program Files\Wireless Console 2\wcourier.exe[1400] ADVAPI32.dll!ChangeServiceConfig2W  775571E1 5 Bytes  JMP 00180E10
.text  C:\Program Files\Wireless Console 2\wcourier.exe[1400] ADVAPI32.dll!CreateServiceA  775572A1 5 Bytes  JMP 001801F8
.text  C:\Windows\system32\svchost.exe[1408] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1420] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\ATK Hotkey\ATKOSD.exe[1492] ntdll.dll!LdrLoadDll  775C9378 5 Bytes  JMP 001601F8
.text  C:\Program Files\ATK Hotkey\ATKOSD.exe[1492] ntdll.dll!LdrUnloadDll  775DB680 5 Bytes  JMP 001603FC
.text  C:\Program Files\ATK Hotkey\ATKOSD.exe[1492] KERNEL32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\ATK Hotkey\ATKOSD.exe[1492] USER32.dll!SetWindowsHookExA  77766322 5 Bytes  JMP 00170600
.text  C:\Program Files\ATK Hotkey\ATKOSD.exe[1492] USER32.dll!SetWindowsHookExW  777687AD 5 Bytes  JMP 00170804
.text  C:\Program Files\ATK Hotkey\ATKOSD.exe[1492] USER32.dll!UnhookWindowsHookEx  777698DB 5 Bytes  JMP 00170A08
.text  C:\Program Files\ATK Hotkey\ATKOSD.exe[1492] USER32.dll!SetWinEventHook  77769F3A 5 Bytes  JMP 001701F8
.text  C:\Program Files\ATK Hotkey\ATKOSD.exe[1492] USER32.dll!UnhookWinEvent  7776C06F 5 Bytes  JMP 001703FC
.text  C:\Program Files\ATK Hotkey\ATKOSD.exe[1492] ADVAPI32.dll!CreateServiceW  77519EB4 5 Bytes  JMP 001803FC
.text  C:\Program Files\ATK Hotkey\ATKOSD.exe[1492] ADVAPI32.dll!DeleteService  7751A07E 5 Bytes  JMP 00180600
.text  C:\Program Files\ATK Hotkey\ATKOSD.exe[1492] ADVAPI32.dll!SetServiceObjectSecurity  77556CD9 5 Bytes  JMP 00181014
.text  C:\Program Files\ATK Hotkey\ATKOSD.exe[1492] ADVAPI32.dll!ChangeServiceConfigA  77556DD9 5 Bytes  JMP 00180804
.text  C:\Program Files\ATK Hotkey\ATKOSD.exe[1492] ADVAPI32.dll!ChangeServiceConfigW  77556F81 5 Bytes  JMP 00180A08
.text  C:\Program Files\ATK Hotkey\ATKOSD.exe[1492] ADVAPI32.dll!ChangeServiceConfig2A  77557099 5 Bytes  JMP 00180C0C
.text  C:\Program Files\ATK Hotkey\ATKOSD.exe[1492] ADVAPI32.dll!ChangeServiceConfig2W  775571E1 5 Bytes  JMP 00180E10
.text  C:\Program Files\ATK Hotkey\ATKOSD.exe[1492] ADVAPI32.dll!CreateServiceA  775572A1 5 Bytes  JMP 001801F8
.text  C:\Windows\system32\fsproflt.exe[1560] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\Common Files\DVDVideoSoft\lib\app_updater.exe[1604] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Windows\system32\Ati2evxx.exe[1608] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Windows\system32\svchost.exe[1664] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1676] ntdll.dll!LdrLoadDll  775C9378 5 Bytes  JMP 001501F8
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1676] ntdll.dll!LdrUnloadDll  775DB680 5 Bytes  JMP 001503FC
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1676] KERNEL32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1676] USER32.dll!SetWindowsHookExA  77766322 5 Bytes  JMP 00160600
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1676] USER32.dll!SetWindowsHookExW  777687AD 5 Bytes  JMP 00160804
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1676] USER32.dll!UnhookWindowsHookEx  777698DB 5 Bytes  JMP 00160A08
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1676] USER32.dll!SetWinEventHook  77769F3A 5 Bytes  JMP 001601F8
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1676] USER32.dll!UnhookWinEvent  7776C06F 5 Bytes  JMP 001603FC
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1676] ADVAPI32.dll!CreateServiceW  77519EB4 5 Bytes  JMP 001803FC
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1676] ADVAPI32.dll!DeleteService  7751A07E 5 Bytes  JMP 00180600
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1676] ADVAPI32.dll!SetServiceObjectSecurity  77556CD9 5 Bytes  JMP 00181014
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1676] ADVAPI32.dll!ChangeServiceConfigA  77556DD9 5 Bytes  JMP 00180804
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1676] ADVAPI32.dll!ChangeServiceConfigW  77556F81 5 Bytes  JMP 00180A08
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1676] ADVAPI32.dll!ChangeServiceConfig2A  77557099 5 Bytes  JMP 00180C0C
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1676] ADVAPI32.dll!ChangeServiceConfig2W  775571E1 5 Bytes  JMP 00180E10
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1676] ADVAPI32.dll!CreateServiceA  775572A1 5 Bytes  JMP 001801F8
.text  C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1784] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\ATK Hotkey\ASLDRSrv.exe[1796] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1820] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1836] kernel32.dll!SetUnhandledExceptionFilter  7724A9BD 4 Bytes  [C2, 04, 00, 90] {RET 0x4; NOP }
.text  C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1836] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Windows\system32\WLANExt.exe[1848] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1912] ntdll.dll!LdrLoadDll  775C9378 5 Bytes  JMP 001601F8
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1912] ntdll.dll!LdrUnloadDll  775DB680 5 Bytes  JMP 001603FC
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1912] KERNEL32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1912] ADVAPI32.dll!CreateServiceW  77519EB4 5 Bytes  JMP 001703FC
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1912] ADVAPI32.dll!DeleteService  7751A07E 5 Bytes  JMP 00170600
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1912] ADVAPI32.dll!SetServiceObjectSecurity  77556CD9 5 Bytes  JMP 00171014
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1912] ADVAPI32.dll!ChangeServiceConfigA  77556DD9 5 Bytes  JMP 00170804
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1912] ADVAPI32.dll!ChangeServiceConfigW  77556F81 5 Bytes  JMP 00170A08
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1912] ADVAPI32.dll!ChangeServiceConfig2A  77557099 5 Bytes  JMP 00170C0C
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1912] ADVAPI32.dll!ChangeServiceConfig2W  775571E1 5 Bytes  JMP 00170E10
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1912] ADVAPI32.dll!CreateServiceA  775572A1 5 Bytes  JMP 001701F8
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1912] USER32.dll!SetWindowsHookExA  77766322 5 Bytes  JMP 00180600
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1912] USER32.dll!SetWindowsHookExW  777687AD 5 Bytes  JMP 00180804
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1912] USER32.dll!UnhookWindowsHookEx  777698DB 5 Bytes  JMP 00180A08
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1912] USER32.dll!SetWinEventHook  77769F3A 5 Bytes  JMP 001801F8
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1912] USER32.dll!UnhookWinEvent  7776C06F 5 Bytes  JMP 001803FC
.text  C:\Program Files\ATK Hotkey\Hcontrol.exe[2680] ntdll.dll!LdrLoadDll  775C9378 5 Bytes  JMP 001601F8
.text  C:\Program Files\ATK Hotkey\Hcontrol.exe[2680] ntdll.dll!LdrUnloadDll  775DB680 5 Bytes  JMP 001603FC
.text  C:\Program Files\ATK Hotkey\Hcontrol.exe[2680] KERNEL32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\ATK Hotkey\Hcontrol.exe[2680] ADVAPI32.dll!CreateServiceW  77519EB4 5 Bytes  JMP 001703FC
.text  C:\Program Files\ATK Hotkey\Hcontrol.exe[2680] ADVAPI32.dll!DeleteService  7751A07E 5 Bytes  JMP 00170600
.text  C:\Program Files\ATK Hotkey\Hcontrol.exe[2680] ADVAPI32.dll!SetServiceObjectSecurity  77556CD9 5 Bytes  JMP 00171014
.text  C:\Program Files\ATK Hotkey\Hcontrol.exe[2680] ADVAPI32.dll!ChangeServiceConfigA  77556DD9 5 Bytes  JMP 00170804
.text  C:\Program Files\ATK Hotkey\Hcontrol.exe[2680] ADVAPI32.dll!ChangeServiceConfigW  77556F81 5 Bytes  JMP 00170A08
.text  C:\Program Files\ATK Hotkey\Hcontrol.exe[2680] ADVAPI32.dll!ChangeServiceConfig2A  77557099 5 Bytes  JMP 00170C0C
.text  C:\Program Files\ATK Hotkey\Hcontrol.exe[2680] ADVAPI32.dll!ChangeServiceConfig2W  775571E1 5 Bytes  JMP 00170E10
.text  C:\Program Files\ATK Hotkey\Hcontrol.exe[2680] ADVAPI32.dll!CreateServiceA  775572A1 5 Bytes  JMP 001701F8
.text  C:\Program Files\ATK Hotkey\Hcontrol.exe[2680] USER32.dll!SetWindowsHookExA  77766322 5 Bytes  JMP 00180600
.text  C:\Program Files\ATK Hotkey\Hcontrol.exe[2680] USER32.dll!SetWindowsHookExW  777687AD 5 Bytes  JMP 00180804
.text  C:\Program Files\ATK Hotkey\Hcontrol.exe[2680] USER32.dll!UnhookWindowsHookEx  777698DB 5 Bytes  JMP 00180A08
.text  C:\Program Files\ATK Hotkey\Hcontrol.exe[2680] USER32.dll!SetWinEventHook  77769F3A 5 Bytes  JMP 001801F8
.text  C:\Program Files\ATK Hotkey\Hcontrol.exe[2680] USER32.dll!UnhookWinEvent  7776C06F 5 Bytes  JMP 001803FC
.text  C:\Windows\system32\svchost.exe[2684] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[2692] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\Sitecom\Common\RegistryWriter.exe[2708] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe[2736] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Windows\system32\svchost.exe[2772] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\ATKOSD2\ATKOSD2.exe[2844] ntdll.dll!LdrLoadDll  775C9378 5 Bytes  JMP 001601F8
.text  C:\Program Files\ATKOSD2\ATKOSD2.exe[2844] ntdll.dll!LdrUnloadDll  775DB680 5 Bytes  JMP 001603FC
.text  C:\Program Files\ATKOSD2\ATKOSD2.exe[2844] KERNEL32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\ATKOSD2\ATKOSD2.exe[2844] USER32.dll!SetWindowsHookExA  77766322 5 Bytes  JMP 00170600
.text  C:\Program Files\ATKOSD2\ATKOSD2.exe[2844] USER32.dll!SetWindowsHookExW  777687AD 5 Bytes  JMP 00170804
.text  C:\Program Files\ATKOSD2\ATKOSD2.exe[2844] USER32.dll!UnhookWindowsHookEx  777698DB 5 Bytes  JMP 00170A08
.text  C:\Program Files\ATKOSD2\ATKOSD2.exe[2844] USER32.dll!SetWinEventHook  77769F3A 5 Bytes  JMP 001701F8
.text  C:\Program Files\ATKOSD2\ATKOSD2.exe[2844] USER32.dll!UnhookWinEvent  7776C06F 5 Bytes  JMP 001703FC
.text  C:\Program Files\ATKOSD2\ATKOSD2.exe[2844] ADVAPI32.dll!CreateServiceW  77519EB4 5 Bytes  JMP 001803FC
.text  C:\Program Files\ATKOSD2\ATKOSD2.exe[2844] ADVAPI32.dll!DeleteService  7751A07E 5 Bytes  JMP 00180600
.text  C:\Program Files\ATKOSD2\ATKOSD2.exe[2844] ADVAPI32.dll!SetServiceObjectSecurity  77556CD9 5 Bytes  JMP 00181014
.text  C:\Program Files\ATKOSD2\ATKOSD2.exe[2844] ADVAPI32.dll!ChangeServiceConfigA  77556DD9 5 Bytes  JMP 00180804
.text  C:\Program Files\ATKOSD2\ATKOSD2.exe[2844] ADVAPI32.dll!ChangeServiceConfigW  77556F81 5 Bytes  JMP 00180A08
.text  C:\Program Files\ATKOSD2\ATKOSD2.exe[2844] ADVAPI32.dll!ChangeServiceConfig2A  77557099 5 Bytes  JMP 00180C0C
.text  C:\Program Files\ATKOSD2\ATKOSD2.exe[2844] ADVAPI32.dll!ChangeServiceConfig2W  775571E1 5 Bytes  JMP 00180E10
.text  C:\Program Files\ATKOSD2\ATKOSD2.exe[2844] ADVAPI32.dll!CreateServiceA  775572A1 5 Bytes  JMP 001801F8
.text  C:\Windows\System32\svchost.exe[2884] kernel32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Windows\system32\notepad.exe[3012] ntdll.dll!LdrLoadDll  775C9378 5 Bytes  JMP 000601F8
.text  C:\Windows\system32\notepad.exe[3012] ntdll.dll!LdrUnloadDll  775DB680 5 Bytes  JMP 000603FC
.text  C:\Windows\system32\notepad.exe[3012] KERNEL32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Windows\system32\notepad.exe[3012] ADVAPI32.dll!CreateServiceW  77519EB4 5 Bytes  JMP 000703FC
.text  C:\Windows\system32\notepad.exe[3012] ADVAPI32.dll!DeleteService  7751A07E 5 Bytes  JMP 00070600
.text  C:\Windows\system32\notepad.exe[3012] ADVAPI32.dll!SetServiceObjectSecurity  77556CD9 5 Bytes  JMP 00071014
.text  C:\Windows\system32\notepad.exe[3012] ADVAPI32.dll!ChangeServiceConfigA  77556DD9 5 Bytes  JMP 00070804
.text  C:\Windows\system32\notepad.exe[3012] ADVAPI32.dll!ChangeServiceConfigW  77556F81 5 Bytes  JMP 00070A08
.text  C:\Windows\system32\notepad.exe[3012] ADVAPI32.dll!ChangeServiceConfig2A  77557099 5 Bytes  JMP 00070C0C
.text  C:\Windows\system32\notepad.exe[3012] ADVAPI32.dll!ChangeServiceConfig2W  775571E1 5 Bytes  JMP 00070E10
.text  C:\Windows\system32\notepad.exe[3012] ADVAPI32.dll!CreateServiceA  775572A1 5 Bytes  JMP 000701F8
.text  C:\Windows\system32\notepad.exe[3012] USER32.dll!SetWindowsHookExA  77766322 5 Bytes  JMP 00080600
.text  C:\Windows\system32\notepad.exe[3012] USER32.dll!SetWindowsHookExW  777687AD 5 Bytes  JMP 00080804
.text  C:\Windows\system32\notepad.exe[3012] USER32.dll!UnhookWindowsHookEx  777698DB 5 Bytes  JMP 00080A08
.text  C:\Windows\system32\notepad.exe[3012] USER32.dll!SetWinEventHook  77769F3A 5 Bytes  JMP 000801F8
.text  C:\Windows\system32\notepad.exe[3012] USER32.dll!UnhookWinEvent  7776C06F 5 Bytes  JMP 000803FC
.text  C:\Windows\System32\WUDFHost.exe[3152] ntdll.dll!LdrLoadDll  775C9378 5 Bytes  JMP 000601F8
.text  C:\Windows\System32\WUDFHost.exe[3152] ntdll.dll!LdrUnloadDll  775DB680 5 Bytes  JMP 000603FC
.text  C:\Windows\System32\WUDFHost.exe[3152] KERNEL32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Windows\System32\WUDFHost.exe[3152] ADVAPI32.dll!CreateServiceW  77519EB4 5 Bytes  JMP 000703FC
.text  C:\Windows\System32\WUDFHost.exe[3152] ADVAPI32.dll!DeleteService  7751A07E 5 Bytes  JMP 00070600
.text  C:\Windows\System32\WUDFHost.exe[3152] ADVAPI32.dll!SetServiceObjectSecurity  77556CD9 5 Bytes  JMP 00071014
.text  C:\Windows\System32\WUDFHost.exe[3152] ADVAPI32.dll!ChangeServiceConfigA  77556DD9 5 Bytes  JMP 00070804
.text  C:\Windows\System32\WUDFHost.exe[3152] ADVAPI32.dll!ChangeServiceConfigW  77556F81 5 Bytes  JMP 00070A08
.text  C:\Windows\System32\WUDFHost.exe[3152] ADVAPI32.dll!ChangeServiceConfig2A  77557099 5 Bytes  JMP 00070C0C
.text  C:\Windows\System32\WUDFHost.exe[3152] ADVAPI32.dll!ChangeServiceConfig2W  775571E1 5 Bytes  JMP 00070E10
.text  C:\Windows\System32\WUDFHost.exe[3152] ADVAPI32.dll!CreateServiceA  775572A1 5 Bytes  JMP 000701F8
.text  C:\Windows\System32\WUDFHost.exe[3152] USER32.dll!SetWindowsHookExA  77766322 5 Bytes  JMP 00080600
.text  C:\Windows\System32\WUDFHost.exe[3152] USER32.dll!SetWindowsHookExW  777687AD 5 Bytes  JMP 00080804
.text  C:\Windows\System32\WUDFHost.exe[3152] USER32.dll!UnhookWindowsHookEx  777698DB 5 Bytes  JMP 00080A08
.text  C:\Windows\System32\WUDFHost.exe[3152] USER32.dll!SetWinEventHook  77769F3A 5 Bytes  JMP 000801F8
.text  C:\Windows\System32\WUDFHost.exe[3152] USER32.dll!UnhookWinEvent  7776C06F 5 Bytes  JMP 000803FC
.text  C:\Windows\system32\notepad.exe[3320] ntdll.dll!LdrLoadDll  775C9378 5 Bytes  JMP 000601F8
.text  C:\Windows\system32\notepad.exe[3320] ntdll.dll!LdrUnloadDll  775DB680 5 Bytes  JMP 000603FC
.text  C:\Windows\system32\notepad.exe[3320] KERNEL32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Windows\system32\notepad.exe[3320] ADVAPI32.dll!CreateServiceW  77519EB4 5 Bytes  JMP 000703FC
.text  C:\Windows\system32\notepad.exe[3320] ADVAPI32.dll!DeleteService  7751A07E 5 Bytes  JMP 00070600
.text  C:\Windows\system32\notepad.exe[3320] ADVAPI32.dll!SetServiceObjectSecurity  77556CD9 5 Bytes  JMP 00071014
.text  C:\Windows\system32\notepad.exe[3320] ADVAPI32.dll!ChangeServiceConfigA  77556DD9 5 Bytes  JMP 00070804
.text  C:\Windows\system32\notepad.exe[3320] ADVAPI32.dll!ChangeServiceConfigW  77556F81 5 Bytes  JMP 00070A08
.text  C:\Windows\system32\notepad.exe[3320] ADVAPI32.dll!ChangeServiceConfig2A  77557099 5 Bytes  JMP 00070C0C
.text  C:\Windows\system32\notepad.exe[3320] ADVAPI32.dll!ChangeServiceConfig2W  775571E1 5 Bytes  JMP 00070E10
.text  C:\Windows\system32\notepad.exe[3320] ADVAPI32.dll!CreateServiceA  775572A1 5 Bytes  JMP 000701F8
.text  C:\Windows\system32\notepad.exe[3320] USER32.dll!SetWindowsHookExA  77766322 5 Bytes  JMP 00080600
.text  C:\Windows\system32\notepad.exe[3320] USER32.dll!SetWindowsHookExW  777687AD 5 Bytes  JMP 00080804
.text  C:\Windows\system32\notepad.exe[3320] USER32.dll!UnhookWindowsHookEx  777698DB 5 Bytes  JMP 00080A08
.text  C:\Windows\system32\notepad.exe[3320] USER32.dll!SetWinEventHook  77769F3A 5 Bytes  JMP 000801F8
.text  C:\Windows\system32\notepad.exe[3320] USER32.dll!UnhookWinEvent  7776C06F 5 Bytes  JMP 000803FC
.text  C:\Windows\system32\svchost.exe[3428] ntdll.dll!LdrLoadDll  775C9378 5 Bytes  JMP 000601F8
.text  C:\Windows\system32\svchost.exe[3428] ntdll.dll!LdrUnloadDll  775DB680 5 Bytes  JMP 000603FC
.text  C:\Windows\system32\svchost.exe[3428] KERNEL32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Windows\system32\svchost.exe[3428] ADVAPI32.dll!CreateServiceW  77519EB4 5 Bytes  JMP 000703FC
.text  C:\Windows\system32\svchost.exe[3428] ADVAPI32.dll!DeleteService  7751A07E 5 Bytes  JMP 00070600
.text  C:\Windows\system32\svchost.exe[3428] ADVAPI32.dll!SetServiceObjectSecurity  77556CD9 5 Bytes  JMP 00071014
.text  C:\Windows\system32\svchost.exe[3428] ADVAPI32.dll!ChangeServiceConfigA  77556DD9 5 Bytes  JMP 00070804
.text  C:\Windows\system32\svchost.exe[3428] ADVAPI32.dll!ChangeServiceConfigW  77556F81 5 Bytes  JMP 00070A08
.text  C:\Windows\system32\svchost.exe[3428] ADVAPI32.dll!ChangeServiceConfig2A  77557099 5 Bytes  JMP 00070C0C
.text  C:\Windows\system32\svchost.exe[3428] ADVAPI32.dll!ChangeServiceConfig2W  775571E1 5 Bytes  JMP 00070E10
.text  C:\Windows\system32\svchost.exe[3428] ADVAPI32.dll!CreateServiceA  775572A1 5 Bytes  JMP 000701F8
.text  C:\Windows\system32\svchost.exe[3428] USER32.dll!SetWindowsHookExA  77766322 5 Bytes  JMP 00080600
.text  C:\Windows\system32\svchost.exe[3428] USER32.dll!SetWindowsHookExW  777687AD 5 Bytes  JMP 00080804
.text  C:\Windows\system32\svchost.exe[3428] USER32.dll!UnhookWindowsHookEx  777698DB 5 Bytes  JMP 00080A08
.text  C:\Windows\system32\svchost.exe[3428] USER32.dll!SetWinEventHook  77769F3A 5 Bytes  JMP 000801F8
.text  C:\Windows\system32\svchost.exe[3428] USER32.dll!UnhookWinEvent  7776C06F 5 Bytes  JMP 000803FC
.text  C:\Program Files\ASUS\ASUS CopyProtect\aspg.exe[3452] ntdll.dll!LdrLoadDll  775C9378 5 Bytes  JMP 001601F8
.text  C:\Program Files\ASUS\ASUS CopyProtect\aspg.exe[3452] ntdll.dll!LdrUnloadDll  775DB680 5 Bytes  JMP 001603FC
.text  C:\Program Files\ASUS\ASUS CopyProtect\aspg.exe[3452] KERNEL32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Program Files\ASUS\ASUS CopyProtect\aspg.exe[3452] ADVAPI32.dll!CreateServiceW  77519EB4 5 Bytes  JMP 001703FC
.text  C:\Program Files\ASUS\ASUS CopyProtect\aspg.exe[3452] ADVAPI32.dll!DeleteService  7751A07E 5 Bytes  JMP 00170600
.text  C:\Program Files\ASUS\ASUS CopyProtect\aspg.exe[3452] ADVAPI32.dll!SetServiceObjectSecurity  77556CD9 5 Bytes  JMP 00171014
.text  C:\Program Files\ASUS\ASUS CopyProtect\aspg.exe[3452] ADVAPI32.dll!ChangeServiceConfigA  77556DD9 5 Bytes  JMP 00170804
.text  C:\Program Files\ASUS\ASUS CopyProtect\aspg.exe[3452] ADVAPI32.dll!ChangeServiceConfigW  77556F81 5 Bytes  JMP 00170A08
.text  C:\Program Files\ASUS\ASUS CopyProtect\aspg.exe[3452] ADVAPI32.dll!ChangeServiceConfig2A  77557099 5 Bytes  JMP 00170C0C
.text  C:\Program Files\ASUS\ASUS CopyProtect\aspg.exe[3452] ADVAPI32.dll!ChangeServiceConfig2W  775571E1 5 Bytes  JMP 00170E10
.text  C:\Program Files\ASUS\ASUS CopyProtect\aspg.exe[3452] ADVAPI32.dll!CreateServiceA  775572A1 5 Bytes  JMP 001701F8
.text  C:\Program Files\ASUS\ASUS CopyProtect\aspg.exe[3452] USER32.dll!SetWindowsHookExA  77766322 5 Bytes  JMP 00180600
.text  C:\Program Files\ASUS\ASUS CopyProtect\aspg.exe[3452] USER32.dll!SetWindowsHookExW  777687AD 5 Bytes  JMP 00180804
.text  C:\Program Files\ASUS\ASUS CopyProtect\aspg.exe[3452] USER32.dll!UnhookWindowsHookEx  777698DB 5 Bytes  JMP 00180A08
.text  C:\Program Files\ASUS\ASUS CopyProtect\aspg.exe[3452] USER32.dll!SetWinEventHook  77769F3A 5 Bytes  JMP 001801F8
.text  C:\Program Files\ASUS\ASUS CopyProtect\aspg.exe[3452] USER32.dll!UnhookWinEvent  7776C06F 5 Bytes  JMP 001803FC
.text  C:\Windows\system32\Dwm.exe[3512] ntdll.dll!LdrLoadDll  775C9378 5 Bytes  JMP 000601F8
.text  C:\Windows\system32\Dwm.exe[3512] ntdll.dll!LdrUnloadDll  775DB680 5 Bytes  JMP 000603FC
.text  C:\Windows\system32\Dwm.exe[3512] KERNEL32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Windows\system32\Dwm.exe[3512] ADVAPI32.dll!CreateServiceW  77519EB4 5 Bytes  JMP 000703FC
.text  C:\Windows\system32\Dwm.exe[3512] ADVAPI32.dll!DeleteService  7751A07E 5 Bytes  JMP 00070600
.text  C:\Windows\system32\Dwm.exe[3512] ADVAPI32.dll!SetServiceObjectSecurity  77556CD9 5 Bytes  JMP 00071014
.text  C:\Windows\system32\Dwm.exe[3512] ADVAPI32.dll!ChangeServiceConfigA  77556DD9 5 Bytes  JMP 00070804
.text  C:\Windows\system32\Dwm.exe[3512] ADVAPI32.dll!ChangeServiceConfigW  77556F81 5 Bytes  JMP 00070A08
.text  C:\Windows\system32\Dwm.exe[3512] ADVAPI32.dll!ChangeServiceConfig2A  77557099 5 Bytes  JMP 00070C0C
.text  C:\Windows\system32\Dwm.exe[3512] ADVAPI32.dll!ChangeServiceConfig2W  775571E1 5 Bytes  JMP 00070E10
.text  C:\Windows\system32\Dwm.exe[3512] ADVAPI32.dll!CreateServiceA  775572A1 5 Bytes  JMP 000701F8
.text  C:\Windows\system32\Dwm.exe[3512] USER32.dll!SetWindowsHookExA  77766322 5 Bytes  JMP 00080600
.text  C:\Windows\system32\Dwm.exe[3512] USER32.dll!SetWindowsHookExW  777687AD 5 Bytes  JMP 00080804
.text  C:\Windows\system32\Dwm.exe[3512] USER32.dll!UnhookWindowsHookEx  777698DB 5 Bytes  JMP 00080A08
.text  C:\Windows\system32\Dwm.exe[3512] USER32.dll!SetWinEventHook  77769F3A 5 Bytes  JMP 000801F8
.text  C:\Windows\system32\Dwm.exe[3512] USER32.dll!UnhookWinEvent  7776C06F 5 Bytes  JMP 000803FC
.text  C:\Windows\system32\taskeng.exe[3556] ntdll.dll!LdrLoadDll  775C9378 5 Bytes  JMP 000601F8
.text  C:\Windows\system32\taskeng.exe[3556] ntdll.dll!LdrUnloadDll  775DB680 5 Bytes  JMP 000603FC
.text  C:\Windows\system32\taskeng.exe[3556] KERNEL32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Windows\system32\taskeng.exe[3556] ADVAPI32.dll!CreateServiceW  77519EB4 5 Bytes  JMP 000703FC
.text  C:\Windows\system32\taskeng.exe[3556] ADVAPI32.dll!DeleteService  7751A07E 5 Bytes  JMP 00070600
.text  C:\Windows\system32\taskeng.exe[3556] ADVAPI32.dll!SetServiceObjectSecurity  77556CD9 5 Bytes  JMP 00071014
.text  C:\Windows\system32\taskeng.exe[3556] ADVAPI32.dll!ChangeServiceConfigA  77556DD9 5 Bytes  JMP 00070804
.text  C:\Windows\system32\taskeng.exe[3556] ADVAPI32.dll!ChangeServiceConfigW  77556F81 5 Bytes  JMP 00070A08
.text  C:\Windows\system32\taskeng.exe[3556] ADVAPI32.dll!ChangeServiceConfig2A  77557099 5 Bytes  JMP 00070C0C
.text  C:\Windows\system32\taskeng.exe[3556] ADVAPI32.dll!ChangeServiceConfig2W  775571E1 5 Bytes  JMP 00070E10
.text  C:\Windows\system32\taskeng.exe[3556] ADVAPI32.dll!CreateServiceA  775572A1 5 Bytes  JMP 000701F8
.text  C:\Windows\system32\taskeng.exe[3556] USER32.dll!SetWindowsHookExA  77766322 5 Bytes  JMP 00080600
.text  C:\Windows\system32\taskeng.exe[3556] USER32.dll!SetWindowsHookExW  777687AD 5 Bytes  JMP 00080804
.text  C:\Windows\system32\taskeng.exe[3556] USER32.dll!UnhookWindowsHookEx  777698DB 5 Bytes  JMP 00080A08
.text  C:\Windows\system32\taskeng.exe[3556] USER32.dll!SetWinEventHook  77769F3A 5 Bytes  JMP 000801F8
.text  C:\Windows\system32\taskeng.exe[3556] USER32.dll!UnhookWinEvent  7776C06F 5 Bytes  JMP 000803FC
.text  C:\Windows\Explorer.EXE[3588] ntdll.dll!LdrLoadDll  775C9378 5 Bytes  JMP 000601F8
.text  C:\Windows\Explorer.EXE[3588] ntdll.dll!LdrUnloadDll  775DB680 5 Bytes  JMP 000603FC
.text  C:\Windows\Explorer.EXE[3588] KERNEL32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Windows\Explorer.EXE[3588] ADVAPI32.dll!CreateServiceW  77519EB4 5 Bytes  JMP 000703FC
.text  C:\Windows\Explorer.EXE[3588] ADVAPI32.dll!DeleteService  7751A07E 5 Bytes  JMP 00070600
.text  C:\Windows\Explorer.EXE[3588] ADVAPI32.dll!SetServiceObjectSecurity  77556CD9 5 Bytes  JMP 00071014
.text  C:\Windows\Explorer.EXE[3588] ADVAPI32.dll!ChangeServiceConfigA  77556DD9 5 Bytes  JMP 00070804
.text  C:\Windows\Explorer.EXE[3588] ADVAPI32.dll!ChangeServiceConfigW  77556F81 5 Bytes  JMP 00070A08
.text  C:\Windows\Explorer.EXE[3588] ADVAPI32.dll!ChangeServiceConfig2A  77557099 5 Bytes  JMP 00070C0C
.text  C:\Windows\Explorer.EXE[3588] ADVAPI32.dll!ChangeServiceConfig2W  775571E1 5 Bytes  JMP 00070E10
.text  C:\Windows\Explorer.EXE[3588] ADVAPI32.dll!CreateServiceA  775572A1 5 Bytes  JMP 000701F8
.text  C:\Windows\Explorer.EXE[3588] USER32.dll!SetWindowsHookExA  77766322 5 Bytes  JMP 00080600
.text  C:\Windows\Explorer.EXE[3588] USER32.dll!SetWindowsHookExW  777687AD 5 Bytes  JMP 00080804
.text  C:\Windows\Explorer.EXE[3588] USER32.dll!UnhookWindowsHookEx  777698DB 5 Bytes  JMP 00080A08
.text  C:\Windows\Explorer.EXE[3588] USER32.dll!SetWinEventHook  77769F3A 5 Bytes  JMP 000801F8
.text  C:\Windows\Explorer.EXE[3588] USER32.dll!UnhookWinEvent  7776C06F 5 Bytes  JMP 000803FC
.text  C:\Windows\ehome\ehtray.exe[3656] ntdll.dll!LdrLoadDll  775C9378 5 Bytes  JMP 000601F8
.text  C:\Windows\ehome\ehtray.exe[3656] ntdll.dll!LdrUnloadDll  775DB680 5 Bytes  JMP 000603FC
.text  C:\Windows\ehome\ehtray.exe[3656] KERNEL32.dll!GetBinaryTypeW + 70  7727252F 1 Byte  [62]
.text  C:\Windows\ehome\ehtray.exe[3656] ADVAPI32.dll!CreateServiceW  77519EB4 5 Bytes  JMP 000703FC
.text  C:\Windows\ehome\ehtray.exe[3656] ADVAPI32.dll!DeleteService  7751A07E 5 Bytes  JMP 00070600
.text  C:\Windows\ehome\ehtray.exe[3656] ADVAPI32.dll!SetServiceObjectSecurity  77556CD9 5 Bytes  JMP 00071014
.text  C:\Windows\ehome\ehtray.exe[3656] ADVAPI32.dll!ChangeServiceConfigA  77556DD9 5 Bytes  JMP 00070804
.text  C:\Windows\ehome\ehtray.exe[3656] ADVAPI32.dll!ChangeServiceConfigW  77556F81 5 Bytes  JMP 00070A08
.text  C:\Windows\ehome\ehtray.exe[3656] ADVAPI32.dll!ChangeServiceConfig2A  77557099 5 Bytes  JMP 00070C0C
.text  C:\Windows\ehome\ehtray.exe[3656] ADVAPI32.dll!ChangeServiceConfig2W  775571E1 5 Bytes  JMP 00070E10
.text  C:\Windows\ehome\ehtray.exe[3656] ADVAPI32.dll!CreateServiceA  775572A1 5 Bytes  JMP 000701F8
.text
C:\Windows\ehome\ehtray.exe[3656] USER32.dll!SetWindowsHookExA 77766322 5 Bytes JMP 00090600 .text C:\Windows\ehome\ehtray.exe[3656] USER32.dll!SetWindowsHookExW 777687AD 5 Bytes JMP 00090804 .text C:\Windows\ehome\ehtray.exe[3656] USER32.dll!UnhookWindowsHookEx 777698DB 5 Bytes JMP 00090A08 .text C:\Windows\ehome\ehtray.exe[3656] USER32.dll!SetWinEventHook 77769F3A 5 Bytes JMP 000901F8 .text C:\Windows\ehome\ehtray.exe[3656] USER32.dll!UnhookWinEvent 7776C06F 5 Bytes JMP 000903FC .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3724] ntdll.dll!LdrLoadDll 775C9378 5 Bytes JMP 001501F8 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3724] ntdll.dll!LdrUnloadDll 775DB680 5 Bytes JMP 001503FC .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3724] KERNEL32.dll!GetBinaryTypeW + 70 7727252F 1 Byte [62] .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3724] USER32.dll!SetWindowsHookExA 77766322 5 Bytes JMP 00160600 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3724] USER32.dll!SetWindowsHookExW 777687AD 5 Bytes JMP 00160804 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3724] USER32.dll!UnhookWindowsHookEx 777698DB 5 Bytes JMP 00160A08 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3724] USER32.dll!SetWinEventHook 77769F3A 5 Bytes JMP 001601F8 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3724] USER32.dll!UnhookWinEvent 7776C06F 5 Bytes JMP 001603FC .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3724] ADVAPI32.dll!CreateServiceW 77519EB4 5 Bytes JMP 001703FC .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3724] ADVAPI32.dll!DeleteService 7751A07E 5 Bytes JMP 00170600 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3724] ADVAPI32.dll!SetServiceObjectSecurity 77556CD9 5 Bytes JMP 00171014 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3724] ADVAPI32.dll!ChangeServiceConfigA 77556DD9 5 Bytes JMP 00170804 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3724] ADVAPI32.dll!ChangeServiceConfigW 77556F81 5 Bytes JMP 00170A08 .text C:\Program Files\ASUS\ATK 
Media\DMedia.exe[3724] ADVAPI32.dll!ChangeServiceConfig2A 77557099 5 Bytes JMP 00170C0C .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3724] ADVAPI32.dll!ChangeServiceConfig2W 775571E1 5 Bytes JMP 00170E10 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3724] ADVAPI32.dll!CreateServiceA 775572A1 5 Bytes JMP 001701F8 .text C:\Windows\System32\alg.exe[3844] ntdll.dll!LdrLoadDll 775C9378 5 Bytes JMP 000601F8 .text C:\Windows\System32\alg.exe[3844] ntdll.dll!LdrUnloadDll 775DB680 5 Bytes JMP 000603FC .text C:\Windows\System32\alg.exe[3844] KERNEL32.dll!GetBinaryTypeW + 70 7727252F 1 Byte [62] .text C:\Windows\System32\alg.exe[3844] ADVAPI32.dll!CreateServiceW 77519EB4 5 Bytes JMP 000703FC .text C:\Windows\System32\alg.exe[3844] ADVAPI32.dll!DeleteService 7751A07E 5 Bytes JMP 00070600 .text C:\Windows\System32\alg.exe[3844] ADVAPI32.dll!SetServiceObjectSecurity 77556CD9 5 Bytes JMP 00071014 .text C:\Windows\System32\alg.exe[3844] ADVAPI32.dll!ChangeServiceConfigA 77556DD9 5 Bytes JMP 00070804 .text C:\Windows\System32\alg.exe[3844] ADVAPI32.dll!ChangeServiceConfigW 77556F81 5 Bytes JMP 00070A08 .text C:\Windows\System32\alg.exe[3844] ADVAPI32.dll!ChangeServiceConfig2A 77557099 5 Bytes JMP 00070C0C .text C:\Windows\System32\alg.exe[3844] ADVAPI32.dll!ChangeServiceConfig2W 775571E1 5 Bytes JMP 00070E10 .text C:\Windows\System32\alg.exe[3844] ADVAPI32.dll!CreateServiceA 775572A1 5 Bytes JMP 000701F8 .text C:\Windows\System32\alg.exe[3844] USER32.dll!SetWindowsHookExA 77766322 5 Bytes JMP 00080600 .text C:\Windows\System32\alg.exe[3844] USER32.dll!SetWindowsHookExW 777687AD 5 Bytes JMP 00080804 .text C:\Windows\System32\alg.exe[3844] USER32.dll!UnhookWindowsHookEx 777698DB 5 Bytes JMP 00080A08 .text C:\Windows\System32\alg.exe[3844] USER32.dll!SetWinEventHook 77769F3A 5 Bytes JMP 000801F8 .text C:\Windows\System32\alg.exe[3844] USER32.dll!UnhookWinEvent 7776C06F 5 Bytes JMP 000803FC .text C:\Windows\ASScrPro.exe[3964] ntdll.dll!LdrLoadDll 775C9378 5 Bytes JMP 001501F8 
.text C:\Windows\ASScrPro.exe[3964] ntdll.dll!LdrUnloadDll 775DB680 5 Bytes JMP 001503FC .text C:\Windows\ASScrPro.exe[3964] KERNEL32.dll!GetBinaryTypeW + 70 7727252F 1 Byte [62] .text C:\Windows\ASScrPro.exe[3964] USER32.dll!SetWindowsHookExA 77766322 5 Bytes JMP 00160600 .text C:\Windows\ASScrPro.exe[3964] USER32.dll!SetWindowsHookExW 777687AD 5 Bytes JMP 00160804 .text C:\Windows\ASScrPro.exe[3964] USER32.dll!UnhookWindowsHookEx 777698DB 5 Bytes JMP 00160A08 .text C:\Windows\ASScrPro.exe[3964] USER32.dll!SetWinEventHook 77769F3A 5 Bytes JMP 001601F8 .text C:\Windows\ASScrPro.exe[3964] USER32.dll!UnhookWinEvent 7776C06F 5 Bytes JMP 001603FC .text C:\Windows\ASScrPro.exe[3964] ADVAPI32.dll!CreateServiceW 77519EB4 5 Bytes JMP 001703FC .text C:\Windows\ASScrPro.exe[3964] ADVAPI32.dll!DeleteService 7751A07E 5 Bytes JMP 00170600 .text C:\Windows\ASScrPro.exe[3964] ADVAPI32.dll!SetServiceObjectSecurity 77556CD9 5 Bytes JMP 00171014 .text C:\Windows\ASScrPro.exe[3964] ADVAPI32.dll!ChangeServiceConfigA 77556DD9 5 Bytes JMP 00170804 .text C:\Windows\ASScrPro.exe[3964] ADVAPI32.dll!ChangeServiceConfigW 77556F81 5 Bytes JMP 00170A08 .text C:\Windows\ASScrPro.exe[3964] ADVAPI32.dll!ChangeServiceConfig2A 77557099 5 Bytes JMP 00170C0C .text C:\Windows\ASScrPro.exe[3964] ADVAPI32.dll!ChangeServiceConfig2W 775571E1 5 Bytes JMP 00170E10 .text C:\Windows\ASScrPro.exe[3964] ADVAPI32.dll!CreateServiceA 775572A1 5 Bytes JMP 001701F8 .text C:\Program Files\P4G\BatteryLife.exe[3988] ntdll.dll!LdrLoadDll 775C9378 5 Bytes JMP 001601F8 .text C:\Program Files\P4G\BatteryLife.exe[3988] ntdll.dll!LdrUnloadDll 775DB680 5 Bytes JMP 001603FC .text C:\Program Files\P4G\BatteryLife.exe[3988] KERNEL32.dll!GetBinaryTypeW + 70 7727252F 1 Byte [62] .text C:\Program Files\P4G\BatteryLife.exe[3988] USER32.dll!SetWindowsHookExA 77766322 5 Bytes JMP 00170600 .text C:\Program Files\P4G\BatteryLife.exe[3988] USER32.dll!SetWindowsHookExW 777687AD 5 Bytes JMP 00170804 .text C:\Program 
Files\P4G\BatteryLife.exe[3988] USER32.dll!UnhookWindowsHookEx 777698DB 5 Bytes JMP 00170A08 .text C:\Program Files\P4G\BatteryLife.exe[3988] USER32.dll!SetWinEventHook 77769F3A 5 Bytes JMP 001701F8 .text C:\Program Files\P4G\BatteryLife.exe[3988] USER32.dll!UnhookWinEvent 7776C06F 5 Bytes JMP 001703FC .text C:\Program Files\P4G\BatteryLife.exe[3988] ADVAPI32.dll!CreateServiceW 77519EB4 5 Bytes JMP 001803FC .text C:\Program Files\P4G\BatteryLife.exe[3988] ADVAPI32.dll!DeleteService 7751A07E 5 Bytes JMP 00180600 .text C:\Program Files\P4G\BatteryLife.exe[3988] ADVAPI32.dll!SetServiceObjectSecurity 77556CD9 5 Bytes JMP 00181014 .text C:\Program Files\P4G\BatteryLife.exe[3988] ADVAPI32.dll!ChangeServiceConfigA 77556DD9 5 Bytes JMP 00180804 .text C:\Program Files\P4G\BatteryLife.exe[3988] ADVAPI32.dll!ChangeServiceConfigW 77556F81 5 Bytes JMP 00180A08 .text C:\Program Files\P4G\BatteryLife.exe[3988] ADVAPI32.dll!ChangeServiceConfig2A 77557099 5 Bytes JMP 00180C0C .text C:\Program Files\P4G\BatteryLife.exe[3988] ADVAPI32.dll!ChangeServiceConfig2W 775571E1 5 Bytes JMP 00180E10 .text C:\Program Files\P4G\BatteryLife.exe[3988] ADVAPI32.dll!CreateServiceA 775572A1 5 Bytes JMP 001801F8 .text C:\Windows\system32\taskeng.exe[4044] ntdll.dll!LdrLoadDll 775C9378 5 Bytes JMP 000601F8 .text C:\Windows\system32\taskeng.exe[4044] ntdll.dll!LdrUnloadDll 775DB680 5 Bytes JMP 000603FC .text C:\Windows\system32\taskeng.exe[4044] KERNEL32.dll!GetBinaryTypeW + 70 7727252F 1 Byte [62] .text C:\Windows\system32\taskeng.exe[4044] ADVAPI32.dll!CreateServiceW 77519EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\taskeng.exe[4044] ADVAPI32.dll!DeleteService 7751A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\taskeng.exe[4044] ADVAPI32.dll!SetServiceObjectSecurity 77556CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\taskeng.exe[4044] ADVAPI32.dll!ChangeServiceConfigA 77556DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\taskeng.exe[4044] ADVAPI32.dll!ChangeServiceConfigW 77556F81 5 
Bytes JMP 00070A08 .text C:\Windows\system32\taskeng.exe[4044] ADVAPI32.dll!ChangeServiceConfig2A 77557099 5 Bytes JMP 00070C0C .text C:\Windows\system32\taskeng.exe[4044] ADVAPI32.dll!ChangeServiceConfig2W 775571E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\taskeng.exe[4044] ADVAPI32.dll!CreateServiceA 775572A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\taskeng.exe[4044] USER32.dll!SetWindowsHookExA 77766322 5 Bytes JMP 000C0600 .text C:\Windows\system32\taskeng.exe[4044] USER32.dll!SetWindowsHookExW 777687AD 5 Bytes JMP 000C0804 .text C:\Windows\system32\taskeng.exe[4044] USER32.dll!UnhookWindowsHookEx 777698DB 5 Bytes JMP 000C0A08 .text C:\Windows\system32\taskeng.exe[4044] USER32.dll!SetWinEventHook 77769F3A 5 Bytes JMP 000C01F8 .text C:\Windows\system32\taskeng.exe[4044] USER32.dll!UnhookWinEvent 7776C06F 5 Bytes JMP 000C03FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4268] ntdll.dll!LdrLoadDll 775C9378 5 Bytes JMP 001601F8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4268] ntdll.dll!LdrUnloadDll 775DB680 5 Bytes JMP 001603FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4268] KERNEL32.dll!GetBinaryTypeW + 70 7727252F 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4268] USER32.dll!SetWindowsHookExA 77766322 5 Bytes JMP 00170600 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4268] USER32.dll!SetWindowsHookExW 777687AD 5 Bytes JMP 00170804 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4268] USER32.dll!UnhookWindowsHookEx 777698DB 5 Bytes JMP 00170A08 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4268] USER32.dll!SetWinEventHook 77769F3A 5 Bytes JMP 001701F8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4268] USER32.dll!UnhookWinEvent 7776C06F 5 Bytes JMP 001703FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4268] ADVAPI32.dll!CreateServiceW 77519EB4 5 Bytes JMP 002803FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4268] ADVAPI32.dll!DeleteService 
7751A07E 5 Bytes JMP 00280600 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4268] ADVAPI32.dll!SetServiceObjectSecurity 77556CD9 5 Bytes JMP 00281014 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4268] ADVAPI32.dll!ChangeServiceConfigA 77556DD9 5 Bytes JMP 00280804 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4268] ADVAPI32.dll!ChangeServiceConfigW 77556F81 5 Bytes JMP 00280A08 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4268] ADVAPI32.dll!ChangeServiceConfig2A 77557099 5 Bytes JMP 00280C0C .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4268] ADVAPI32.dll!ChangeServiceConfig2W 775571E1 5 Bytes JMP 00280E10 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4268] ADVAPI32.dll!CreateServiceA 775572A1 5 Bytes JMP 002801F8 .text C:\WindowsMediaCenter\totalcmd\TOTALCMD.EXE[5376] ntdll.dll!LdrLoadDll 775C9378 5 Bytes JMP 001601F8 .text C:\WindowsMediaCenter\totalcmd\TOTALCMD.EXE[5376] ntdll.dll!LdrUnloadDll 775DB680 5 Bytes JMP 001603FC .text C:\WindowsMediaCenter\totalcmd\TOTALCMD.EXE[5376] KERNEL32.dll!GetBinaryTypeW + 70 7727252F 1 Byte [62] .text C:\WindowsMediaCenter\totalcmd\TOTALCMD.EXE[5376] user32.dll!SetWindowsHookExA 77766322 5 Bytes JMP 00170600 .text C:\WindowsMediaCenter\totalcmd\TOTALCMD.EXE[5376] user32.dll!SetWindowsHookExW 777687AD 5 Bytes JMP 00170804 .text C:\WindowsMediaCenter\totalcmd\TOTALCMD.EXE[5376] user32.dll!UnhookWindowsHookEx 777698DB 5 Bytes JMP 00170A08 .text C:\WindowsMediaCenter\totalcmd\TOTALCMD.EXE[5376] user32.dll!SetWinEventHook 77769F3A 5 Bytes JMP 001701F8 .text C:\WindowsMediaCenter\totalcmd\TOTALCMD.EXE[5376] user32.dll!UnhookWinEvent 7776C06F 5 Bytes JMP 001703FC .text C:\WindowsMediaCenter\totalcmd\TOTALCMD.EXE[5376] ADVAPI32.dll!CreateServiceW 77519EB4 5 Bytes JMP 001803FC .text C:\WindowsMediaCenter\totalcmd\TOTALCMD.EXE[5376] ADVAPI32.dll!DeleteService 7751A07E 5 Bytes JMP 00180600 .text C:\WindowsMediaCenter\totalcmd\TOTALCMD.EXE[5376] ADVAPI32.dll!SetServiceObjectSecurity 
77556CD9 5 Bytes JMP 00181014 .text C:\WindowsMediaCenter\totalcmd\TOTALCMD.EXE[5376] ADVAPI32.dll!ChangeServiceConfigA 77556DD9 5 Bytes JMP 00180804 .text C:\WindowsMediaCenter\totalcmd\TOTALCMD.EXE[5376] ADVAPI32.dll!ChangeServiceConfigW 77556F81 5 Bytes JMP 00180A08 .text C:\WindowsMediaCenter\totalcmd\TOTALCMD.EXE[5376] ADVAPI32.dll!ChangeServiceConfig2A 77557099 5 Bytes JMP 00180C0C .text C:\WindowsMediaCenter\totalcmd\TOTALCMD.EXE[5376] ADVAPI32.dll!ChangeServiceConfig2W 775571E1 5 Bytes JMP 00180E10 .text C:\WindowsMediaCenter\totalcmd\TOTALCMD.EXE[5376] ADVAPI32.dll!CreateServiceA 775572A1 5 Bytes JMP 001801F8 .text C:\Windows\system32\conime.exe[5612] ntdll.dll!LdrLoadDll 775C9378 5 Bytes JMP 000501F8 .text C:\Windows\system32\conime.exe[5612] ntdll.dll!LdrUnloadDll 775DB680 5 Bytes JMP 000503FC .text C:\Windows\system32\conime.exe[5612] KERNEL32.dll!GetBinaryTypeW + 70 7727252F 1 Byte [62] .text C:\Windows\system32\conime.exe[5612] ADVAPI32.dll!CreateServiceW 77519EB4 5 Bytes JMP 000603FC .text C:\Windows\system32\conime.exe[5612] ADVAPI32.dll!DeleteService 7751A07E 5 Bytes JMP 00060600 .text C:\Windows\system32\conime.exe[5612] ADVAPI32.dll!SetServiceObjectSecurity 77556CD9 5 Bytes JMP 00061014 .text C:\Windows\system32\conime.exe[5612] ADVAPI32.dll!ChangeServiceConfigA 77556DD9 5 Bytes JMP 00060804 .text C:\Windows\system32\conime.exe[5612] ADVAPI32.dll!ChangeServiceConfigW 77556F81 5 Bytes JMP 00060A08 .text C:\Windows\system32\conime.exe[5612] ADVAPI32.dll!ChangeServiceConfig2A 77557099 5 Bytes JMP 00060C0C .text C:\Windows\system32\conime.exe[5612] ADVAPI32.dll!ChangeServiceConfig2W 775571E1 5 Bytes JMP 00060E10 .text C:\Windows\system32\conime.exe[5612] ADVAPI32.dll!CreateServiceA 775572A1 5 Bytes JMP 000601F8 .text C:\Windows\system32\conime.exe[5612] USER32.dll!SetWindowsHookExA 77766322 5 Bytes JMP 00070600 .text C:\Windows\system32\conime.exe[5612] USER32.dll!SetWindowsHookExW 777687AD 5 Bytes JMP 00070804 .text 
C:\Windows\system32\conime.exe[5612] USER32.dll!UnhookWindowsHookEx 777698DB 5 Bytes JMP 00070A08 .text C:\Windows\system32\conime.exe[5612] USER32.dll!SetWinEventHook 77769F3A 5 Bytes JMP 000701F8 .text C:\Windows\system32\conime.exe[5612] USER32.dll!UnhookWinEvent 7776C06F 5 Bytes JMP 000703FC .text C:\Users\Tommy\Downloads\2p2sd456.exe[5948] ntdll.dll!LdrLoadDll 775C9378 5 Bytes JMP 001601F8 .text C:\Users\Tommy\Downloads\2p2sd456.exe[5948] ntdll.dll!LdrUnloadDll 775DB680 5 Bytes JMP 001603FC .text C:\Users\Tommy\Downloads\2p2sd456.exe[5948] KERNEL32.dll!GetBinaryTypeW + 70 7727252F 1 Byte [62] .text C:\Users\Tommy\Downloads\2p2sd456.exe[5948] ADVAPI32.dll!CreateServiceW 77519EB4 5 Bytes JMP 001703FC .text C:\Users\Tommy\Downloads\2p2sd456.exe[5948] ADVAPI32.dll!DeleteService 7751A07E 5 Bytes JMP 00170600 .text C:\Users\Tommy\Downloads\2p2sd456.exe[5948] ADVAPI32.dll!SetServiceObjectSecurity 77556CD9 5 Bytes JMP 00171014 .text C:\Users\Tommy\Downloads\2p2sd456.exe[5948] ADVAPI32.dll!ChangeServiceConfigA 77556DD9 5 Bytes JMP 00170804 .text C:\Users\Tommy\Downloads\2p2sd456.exe[5948] ADVAPI32.dll!ChangeServiceConfigW 77556F81 5 Bytes JMP 00170A08 .text C:\Users\Tommy\Downloads\2p2sd456.exe[5948] ADVAPI32.dll!ChangeServiceConfig2A 77557099 5 Bytes JMP 00170C0C .text C:\Users\Tommy\Downloads\2p2sd456.exe[5948] ADVAPI32.dll!ChangeServiceConfig2W 775571E1 5 Bytes JMP 00170E10 .text C:\Users\Tommy\Downloads\2p2sd456.exe[5948] ADVAPI32.dll!CreateServiceA 775572A1 5 Bytes JMP 001701F8 .text C:\Users\Tommy\Downloads\2p2sd456.exe[5948] USER32.dll!SetWindowsHookExA 77766322 5 Bytes JMP 00180600 .text C:\Users\Tommy\Downloads\2p2sd456.exe[5948] USER32.dll!SetWindowsHookExW 777687AD 5 Bytes JMP 00180804 .text C:\Users\Tommy\Downloads\2p2sd456.exe[5948] USER32.dll!UnhookWindowsHookEx 777698DB 5 Bytes JMP 00180A08 .text C:\Users\Tommy\Downloads\2p2sd456.exe[5948] USER32.dll!SetWinEventHook 77769F3A 5 Bytes JMP 001801F8 .text C:\Users\Tommy\Downloads\2p2sd456.exe[5948] 
USER32.dll!UnhookWinEvent 7776C06F 5 Bytes JMP 001803FC ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\services.exe[712] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00090002 IAT C:\Windows\system32\services.exe[712] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00090000 IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1836] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [73D9F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[2692] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [73D9F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Windows\Explorer.EXE[3588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74457817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7449B4F1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7445BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7444F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [744575E9] 
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7444E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [744873F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7445DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7444FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7444FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [744471CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [744DCB12] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT 
C:\Windows\Explorer.EXE[3588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7447C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7444D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74446853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7444687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74452AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) ---- Devices - GMER 2.2 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) Device \FileSystem\fastfat \FatCdrom aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Runtime framework driver modalità kernel/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.) 
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Runtime framework driver modalità kernel/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\usbohci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.) Device \Driver\usbohci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.) Device \Driver\usbehci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.) Device \Driver\usbhub \Device\0000006e hcmon.sys (VMware USB monitor/VMware, Inc.) Device \Driver\usbhub \Device\0000006f hcmon.sys (VMware USB monitor/VMware, Inc.) Device \FileSystem\fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Gestione filtri file system Microsoft/Microsoft Corporation) AttachedDevice \FileSystem\fastfat \Fat AsDsm.sys (Data Security Manager Driver/Windows (R) Codename Longhorn DDK provider) ---- Registry - GMER 2.2 ---- Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System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isk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.2 ---- File C:\ADSM_PData_0150 0 bytes File C:\ADSM_PData_0150\DB 0 bytes File C:\ADSM_PData_0150\DB\SI.db 624 bytes File C:\ADSM_PData_0150\DB\UL.db 16 bytes File C:\ADSM_PData_0150\DB\VL.db 16 bytes File C:\ADSM_PData_0150\DB\_avt 512 bytes File C:\ADSM_PData_0150\DragWait.exe 253952 bytes executable File C:\ADSM_PData_0150\_avt 512 bytes File C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86 0 bytes File C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86\AsDsm.sys 29752 bytes executable File C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86\_avt 512 bytes ---- EOF - GMER 2.2 ----