
Rootkit.Win32.BackBoot.gen
2 replies to this topic

#1 thewoodman22

Posted 07 July 2011 - 06:16 AM

Moved to this topic as requested by mod boopme.

Earlier thread is at

http://www.bleepingcomputer.com/forums/topic407830.html/page__pid__2323340#entry2323340


TDSSKiller found a Rootkit.Win32.BackBoot.gen after the scan, and mbr.exe found nothing.

So I was asked to follow steps 6-9 in the prep guide and create a new post here.

Here's the DDS log and the GMER log.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.6000.16575
Run by jase at 11:12:31 on 2011-07-07
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1791.1087 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\google\google_bae\BAE.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [toolbar_eula_launcher] c:\program files\packard bell\google_eula\EULALauncher.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{7040457E-F2B3-4399-853B-7218573323BA} : DhcpNameServer = 192.168.1.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jase\appdata\roaming\mozilla\firefox\profiles\u3kxu4zo.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-7-5 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-7-5 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-7-5 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-7-5 54104]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-7-5 42184]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-7-5 135664]
.
=============== Created Last 30 ================
.
2011-07-07 09:00:18 -------- d-----w- c:\program files\MSXML 4.0
2011-07-06 19:34:57 89088 ----a-w- C:\mbr.exe
2011-07-06 11:15:31 1411888 ----a-w- C:\TDSSKiller.exe
2011-07-06 10:52:49 2565432 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-07-06 10:52:36 7074640 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{af32a73b-ea0d-40da-870b-ffadc82cb31f}\mpengine.dll
2011-07-06 10:52:35 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-07-05 23:38:24 -------- d-----we C:\Documents and Settings
2011-07-05 18:06:48 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-07-05 18:06:48 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-05 18:06:34 40112 ----a-w- c:\windows\avastSS.scr
2011-07-05 18:06:18 -------- d-----w- c:\programdata\AVAST Software
2011-07-05 18:06:18 -------- d-----w- c:\program files\AVAST Software
2011-07-05 15:24:40 -------- d-----w- c:\users\jase\appdata\roaming\Malwarebytes
2011-07-05 15:24:33 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-05 15:24:32 -------- d-----w- c:\programdata\Malwarebytes
2011-07-05 15:24:28 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-05 15:24:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-05 14:57:41 -------- d-----w- c:\users\jase\appdata\local\ApplicationHistory
2011-07-05 14:57:15 171520 ----a-w- c:\windows\system32\wintrust.dll
2011-07-05 14:57:09 97792 ----a-w- c:\windows\system32\cabview.dll
2011-07-05 14:56:46 -------- d-----w- c:\users\jase\appdata\roaming\Packard Bell
2011-07-05 14:47:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2011-07-05 14:47:27 87552 ----a-w- c:\windows\system32\wudriver.dll
2011-07-05 14:47:03 171608 ----a-w- c:\windows\system32\wuwebv.dll
2011-07-05 14:47:02 33792 ----a-w- c:\windows\system32\wuapp.exe
.
==================== Find3M ====================
.
.
============= FINISH: 11:21:11.85 ===============


Gmer report



GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-07 12:01:26
Windows 6.0.6000 Harddisk0\DR0 -> \Device\0000004c ST325031 rev.3.AA
Running: gmer.exe; Driver: C:\Users\jase\AppData\Local\Temp\kxldypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8B2AE202]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8B81BD8C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8B2B07F0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8B2B0848]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8B2B095E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8B2B0746]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8B2B0898]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8B2B079A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8B2B090C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8B2AE226]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0x8B82360C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8B81BE3C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8B2ADFF0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8B2AE24A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8B2B0D56]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8B2AECDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8B2B0820]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8B2B0870]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8B2B0988]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8B2B0772]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0x8B823548]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8B2B08D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8B2B07C8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0x8B8235AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8B2B0936]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8B81BED4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8B2AEBA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8B2AE26E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8B2AE292]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8B2AE04A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8B2AE186]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8B2AE162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8B2AE1AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8B2AE2B6]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8B831398]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CC 81C807B8 4 Bytes CALL ACAA0A3E
.text ntkrnlpa.exe!ZwCallbackReturn + 2F0 81C807DC 4 Bytes [8C, BD, 81, 8B]
.text ntkrnlpa.exe!ZwCallbackReturn + 488 81C80974 4 Bytes CALL ACAA2FFA
.text ntkrnlpa.exe!ZwCallbackReturn + 65C 81C80B48 4 Bytes JMP ACB3ABCE
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 81DBE7BB 4 Bytes CALL 8B2AF34B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 81DC6216 4 Bytes CALL 8B2AF361 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 81DF1887 5 Bytes JMP 8B82CD4C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 81DF73BE 5 Bytes JMP 8B82E7F2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 81E1242D 7 Bytes JMP 8B83139C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text kdcom.dll!KdSendPacket 802CD047 28 Bytes [66, 39, 45, FC, 75, 05, 83, ...]
.text kdcom.dll!KdSendPacket 802CD064 7 Bytes [55, 8B, EC, 81, EC, 6C, 01]
.text kdcom.dll!KdSendPacket 802CD06C 1 Byte [00]
.text kdcom.dll!KdSendPacket 802CD06C 33 Bytes [00, 53, 57, 33, C0, 33, DB, ...]
.text kdcom.dll!KdSendPacket 802CD08E 61 Bytes [83, C4, 0C, 66, 39, 07, 74, ...]
.text kdcom.dll!KdDebuggerInitialize0 + 30 802CD0CC 208 Bytes [71, 1C, 8D, 14, 96, 8B, 34, ...]
.text kdcom.dll!KdRestore + 31 802CD19D 19 Bytes [8D, 45, FC, 50, FF, 75, 0C, ...]
.text kdcom.dll!KdRestore + 45 802CD1B1 98 Bytes [FF, 8B, F0, 8B, C6, E9, DB, ...]
.text kdcom.dll!KdRestore + A8 802CD214 150 Bytes [6A, 64, 8D, 45, 98, 6A, 00, ...]
.text kdcom.dll!KdRestore + 13F 802CD2AB 7 Bytes [53, 56, 57, 8B, D8, C6, 45]
.text kdcom.dll!KdRestore + 147 802CD2B3 40 Bytes [00, 33, C0, 39, 43, 04, 75, ...]
.text ...
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8AAB9340, 0x35BD27, 0xE8000020]
.text win32k.sys!EngMultiByteToUnicodeN + 2B69 90020FEE 5 Bytes JMP 8B2B1440 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetRgnData + C9D 90024E64 5 Bytes JMP 8B2B1316 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTransparentBlt + 4C5 90052CC5 5 Bytes JMP 8B2B1F72 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTransparentBlt + 37AB 90055FAB 5 Bytes JMP 8B2B0E58 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 273D 9005E894 5 Bytes JMP 8B2B103E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + A661 900667B8 5 Bytes JMP 8B2B1BD8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 11643 9006D79A 5 Bytes JMP 8B2B0D8C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 11884 9006D9DB 5 Bytes JMP 8B2B1180 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 11957 9006DAAE 5 Bytes JMP 8B2B1326 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text ...
.text win32k.sys!EngMapFontFileFD + F71B 90080C7E 5 Bytes JMP 8B2B0F34 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPaint + 326E 900863C0 5 Bytes JMP 8B2B1E0C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPaint + 6983 90089AD5 5 Bytes JMP 8B2B0FA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 44C1 900ACCFF 5 Bytes JMP 8B2B0E70 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBlt + 3BE9 900D2BE5 5 Bytes JMP 8B2B2014 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bEnum + AA 900D564A 5 Bytes JMP 8B2B1D54 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStrokePath + CE77 900E2C2C 5 Bytes JMP 8B2B1BAE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCopyBits + 1D0C 900E9D02 5 Bytes JMP 8B2B1CA2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFindImageProcAddress + 1A09 900F5550 5 Bytes JMP 8B2B10E8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteClip + 59DE 9010B265 5 Bytes JMP 8B2B1008 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bPolyBezierTo + 62D 90113527 5 Bytes JMP 8B2B10AE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + 38A1 90130DB1 5 Bytes JMP 8B2B0EF0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 1A89 9016EBC0 5 Bytes JMP 8B2B1ECA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
? C:\Users\jase\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

.text C:\Windows\System32\svchost.exe[1108] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 001901F8
.text C:\Windows\System32\svchost.exe[1144] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000501F8
.text C:\Windows\System32\svchost.exe[1144] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000503FC
.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 000703FC
.text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00070600
.text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00070A08
.text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00071014
.text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00070804
.text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00070C0C
.text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00070E10
.text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 000701F8
.text C:\Windows\System32\svchost.exe[1144] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 01450A08
.text C:\Windows\System32\svchost.exe[1144] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 01450600
.text C:\Windows\System32\svchost.exe[1144] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 01450804
.text C:\Windows\System32\svchost.exe[1144] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 014503FC
.text C:\Windows\System32\svchost.exe[1144] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 014501F8
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[1184] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 000B0A08
.text C:\Windows\system32\svchost.exe[1184] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 000B0600
.text C:\Windows\system32\svchost.exe[1184] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 000B0804
.text C:\Windows\system32\svchost.exe[1184] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 000B03FC
.text C:\Windows\system32\svchost.exe[1184] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 000B01F8
.text C:\Windows\system32\AUDIODG.EXE[1296] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1372] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[1372] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[1372] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[1372] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 000F0A08
.text C:\Windows\system32\svchost.exe[1372] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 000F0600
.text C:\Windows\system32\svchost.exe[1372] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 000F0804
.text C:\Windows\system32\svchost.exe[1372] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 000F03FC
.text C:\Windows\system32\svchost.exe[1372] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 000F01F8
.text C:\Windows\system32\svchost.exe[1488] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[1488] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[1488] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1488] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[1488] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1488] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[1488] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[1488] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[1488] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[1488] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[1488] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[1488] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 00930A08
.text C:\Windows\system32\svchost.exe[1488] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 00930600
.text C:\Windows\system32\svchost.exe[1488] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 00930804
.text C:\Windows\system32\svchost.exe[1488] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 009303FC
.text C:\Windows\system32\svchost.exe[1488] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 009301F8
.text C:\Windows\system32\svchost.exe[1544] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[1544] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1544] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[1544] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1544] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[1544] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[1544] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[1544] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[1544] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[1544] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[1544] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 00130A08
.text C:\Windows\system32\svchost.exe[1544] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 00130600
.text C:\Windows\system32\svchost.exe[1544] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 00130804
.text C:\Windows\system32\svchost.exe[1544] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 001303FC
.text C:\Windows\system32\svchost.exe[1544] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 001301F8
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1592] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1592] kernel32.dll!SetUnhandledExceptionFilter 76D3D187 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Windows\System32\spoolsv.exe[1980] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000501F8
.text C:\Windows\System32\spoolsv.exe[1980] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000503FC
.text C:\Windows\System32\spoolsv.exe[1980] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1980] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 000703FC
.text C:\Windows\System32\spoolsv.exe[1980] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00070600
.text C:\Windows\System32\spoolsv.exe[1980] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00070A08
.text C:\Windows\System32\spoolsv.exe[1980] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00071014
.text C:\Windows\System32\spoolsv.exe[1980] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00070804
.text C:\Windows\System32\spoolsv.exe[1980] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00070C0C
.text C:\Windows\System32\spoolsv.exe[1980] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00070E10
.text C:\Windows\System32\spoolsv.exe[1980] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 000701F8
.text C:\Windows\System32\spoolsv.exe[1980] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 000E0A08
.text C:\Windows\System32\spoolsv.exe[1980] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 000E0600
.text C:\Windows\System32\spoolsv.exe[1980] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 000E0804
.text C:\Windows\System32\spoolsv.exe[1980] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 000E03FC
.text C:\Windows\System32\spoolsv.exe[1980] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 000E01F8
.text C:\Windows\system32\svchost.exe[2004] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[2004] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[2004] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2004] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[2004] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[2004] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[2004] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[2004] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[2004] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[2004] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[2004] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[2004] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 000E0A08
.text C:\Windows\system32\svchost.exe[2004] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 000E0600
.text C:\Windows\system32\svchost.exe[2004] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 000E0804
.text C:\Windows\system32\svchost.exe[2004] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 000E03FC
.text C:\Windows\system32\svchost.exe[2004] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 000E01F8
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe[2108] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 001401F8
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe[2108] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 001403FC
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe[2108] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe[2108] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 00160A08
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe[2108] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 00160600
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe[2108] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 00160804
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe[2108] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 001603FC
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe[2108] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 001601F8
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe[2108] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 001703FC
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe[2108] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00170600
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe[2108] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00170A08
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe[2108] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00171014
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe[2108] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00170804
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe[2108] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00170C0C
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe[2108] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00170E10
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe[2108] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 001701F8
.text C:\Windows\System32\svchost.exe[2232] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000501F8
.text C:\Windows\System32\svchost.exe[2232] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000503FC
.text C:\Windows\System32\svchost.exe[2232] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Windows\System32\svchost.exe[2232] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 000703FC
.text C:\Windows\System32\svchost.exe[2232] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00070600
.text C:\Windows\System32\svchost.exe[2232] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00070A08
.text C:\Windows\System32\svchost.exe[2232] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00071014
.text C:\Windows\System32\svchost.exe[2232] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00070804
.text C:\Windows\System32\svchost.exe[2232] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00070C0C
.text C:\Windows\System32\svchost.exe[2232] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00070E10
.text C:\Windows\System32\svchost.exe[2232] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\SearchIndexer.exe[2272] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\SearchIndexer.exe[2272] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\SearchIndexer.exe[2272] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[2272] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 000703FC
.text C:\Windows\system32\SearchIndexer.exe[2272] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00070600
.text C:\Windows\system32\SearchIndexer.exe[2272] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\SearchIndexer.exe[2272] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00071014
.text C:\Windows\system32\SearchIndexer.exe[2272] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00070804
.text C:\Windows\system32\SearchIndexer.exe[2272] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\SearchIndexer.exe[2272] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\SearchIndexer.exe[2272] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\SearchIndexer.exe[2272] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 00080A08
.text C:\Windows\system32\SearchIndexer.exe[2272] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 00080600
.text C:\Windows\system32\SearchIndexer.exe[2272] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 00080804
.text C:\Windows\system32\SearchIndexer.exe[2272] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 000803FC
.text C:\Windows\system32\SearchIndexer.exe[2272] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 000801F8
.text C:\Windows\system32\taskeng.exe[2552] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000801F8
.text C:\Windows\system32\taskeng.exe[2552] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000803FC
.text C:\Windows\system32\taskeng.exe[2552] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[2552] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 000A03FC
.text C:\Windows\system32\taskeng.exe[2552] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 000A0600
.text C:\Windows\system32\taskeng.exe[2552] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 000A0A08
.text C:\Windows\system32\taskeng.exe[2552] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 000A1014
.text C:\Windows\system32\taskeng.exe[2552] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 000A0804
.text C:\Windows\system32\taskeng.exe[2552] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 000A0C0C
.text C:\Windows\system32\taskeng.exe[2552] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 000A0E10
.text C:\Windows\system32\taskeng.exe[2552] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 000A01F8
.text C:\Windows\system32\taskeng.exe[2552] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 000B0A08
.text C:\Windows\system32\taskeng.exe[2552] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 000B0600
.text C:\Windows\system32\taskeng.exe[2552] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 000B0804
.text C:\Windows\system32\taskeng.exe[2552] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 000B03FC
.text C:\Windows\system32\taskeng.exe[2552] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 000B01F8
.text C:\Windows\system32\wuauclt.exe[2652] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000601F8
.text C:\Windows\system32\wuauclt.exe[2652] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000603FC
.text C:\Windows\system32\wuauclt.exe[2652] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Windows\system32\wuauclt.exe[2652] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 000B0A08
.text C:\Windows\system32\wuauclt.exe[2652] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 000B0600
.text C:\Windows\system32\wuauclt.exe[2652] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 000B0804
.text C:\Windows\system32\wuauclt.exe[2652] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 000B03FC
.text C:\Windows\system32\wuauclt.exe[2652] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 000B01F8
.text C:\Windows\system32\wuauclt.exe[2652] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 000D03FC
.text C:\Windows\system32\wuauclt.exe[2652] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 000D0600
.text C:\Windows\system32\wuauclt.exe[2652] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 000D0A08
.text C:\Windows\system32\wuauclt.exe[2652] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 000D1014
.text C:\Windows\system32\wuauclt.exe[2652] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 000D0804
.text C:\Windows\system32\wuauclt.exe[2652] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 000D0C0C
.text C:\Windows\system32\wuauclt.exe[2652] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 000D0E10
.text C:\Windows\system32\wuauclt.exe[2652] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 000D01F8
.text C:\Windows\system32\Dwm.exe[3004] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\Dwm.exe[3004] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\Dwm.exe[3004] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[3004] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 000703FC
.text C:\Windows\system32\Dwm.exe[3004] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00070600
.text C:\Windows\system32\Dwm.exe[3004] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\Dwm.exe[3004] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00071014
.text C:\Windows\system32\Dwm.exe[3004] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00070804
.text C:\Windows\system32\Dwm.exe[3004] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\Dwm.exe[3004] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\Dwm.exe[3004] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\Dwm.exe[3004] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 00080A08
.text C:\Windows\system32\Dwm.exe[3004] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 00080600
.text C:\Windows\system32\Dwm.exe[3004] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 00080804
.text C:\Windows\system32\Dwm.exe[3004] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 000803FC
.text C:\Windows\system32\Dwm.exe[3004] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 000801F8
.text C:\Windows\system32\taskeng.exe[3044] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000801F8
.text C:\Windows\system32\taskeng.exe[3044] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000803FC
.text C:\Windows\system32\taskeng.exe[3044] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[3044] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 000A03FC
.text C:\Windows\system32\taskeng.exe[3044] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 000A0600
.text C:\Windows\system32\taskeng.exe[3044] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 000A0A08
.text C:\Windows\system32\taskeng.exe[3044] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 000A1014
.text C:\Windows\system32\taskeng.exe[3044] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 000A0804
.text C:\Windows\system32\taskeng.exe[3044] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 000A0C0C
.text C:\Windows\system32\taskeng.exe[3044] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 000A0E10
.text C:\Windows\system32\taskeng.exe[3044] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 000A01F8
.text C:\Windows\system32\taskeng.exe[3044] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 001B0A08
.text C:\Windows\system32\taskeng.exe[3044] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 001B0600
.text C:\Windows\system32\taskeng.exe[3044] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 001B0804
.text C:\Windows\system32\taskeng.exe[3044] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 001B03FC
.text C:\Windows\system32\taskeng.exe[3044] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 001B01F8
.text C:\Windows\Explorer.EXE[3100] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000501F8
.text C:\Windows\Explorer.EXE[3100] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000503FC
.text C:\Windows\Explorer.EXE[3100] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Windows\Explorer.EXE[3100] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 001003FC
.text C:\Windows\Explorer.EXE[3100] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00100600
.text C:\Windows\Explorer.EXE[3100] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00100A08
.text C:\Windows\Explorer.EXE[3100] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00101014
.text C:\Windows\Explorer.EXE[3100] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00100804
.text C:\Windows\Explorer.EXE[3100] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00100C0C
.text C:\Windows\Explorer.EXE[3100] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00100E10
.text C:\Windows\Explorer.EXE[3100] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 001001F8
.text C:\Windows\Explorer.EXE[3100] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 00110A08
.text C:\Windows\Explorer.EXE[3100] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 00110600
.text C:\Windows\Explorer.EXE[3100] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 00110804
.text C:\Windows\Explorer.EXE[3100] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 001103FC
.text C:\Windows\Explorer.EXE[3100] USER32.dll!SetWinEventHook 76859C6D 3 Bytes JMP 001101F8
.text C:\Windows\Explorer.EXE[3100] USER32.dll!SetWinEventHook + 4 76859C71 1 Byte [89]
.text C:\Program Files\Windows Defender\MSASCui.exe[3412] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000501F8
.text C:\Program Files\Windows Defender\MSASCui.exe[3412] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000503FC
.text C:\Program Files\Windows Defender\MSASCui.exe[3412] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Program Files\Windows Defender\MSASCui.exe[3412] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 000703FC
.text C:\Program Files\Windows Defender\MSASCui.exe[3412] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00070600
.text C:\Program Files\Windows Defender\MSASCui.exe[3412] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00070A08
.text C:\Program Files\Windows Defender\MSASCui.exe[3412] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00071014
.text C:\Program Files\Windows Defender\MSASCui.exe[3412] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00070804
.text C:\Program Files\Windows Defender\MSASCui.exe[3412] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00070C0C
.text C:\Program Files\Windows Defender\MSASCui.exe[3412] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00070E10
.text C:\Program Files\Windows Defender\MSASCui.exe[3412] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 000701F8
.text C:\Program Files\Windows Defender\MSASCui.exe[3412] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 00080A08
.text C:\Program Files\Windows Defender\MSASCui.exe[3412] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 00080600
.text C:\Program Files\Windows Defender\MSASCui.exe[3412] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 00080804
.text C:\Program Files\Windows Defender\MSASCui.exe[3412] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 000803FC
.text C:\Program Files\Windows Defender\MSASCui.exe[3412] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 000801F8
.text C:\Windows\RtHDVCpl.exe[3424] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 001501F8
.text C:\Windows\RtHDVCpl.exe[3424] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 001503FC
.text C:\Windows\RtHDVCpl.exe[3424] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Windows\RtHDVCpl.exe[3424] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 001703FC
.text C:\Windows\RtHDVCpl.exe[3424] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00170600
.text C:\Windows\RtHDVCpl.exe[3424] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00170A08
.text C:\Windows\RtHDVCpl.exe[3424] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00171014
.text C:\Windows\RtHDVCpl.exe[3424] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00170804
.text C:\Windows\RtHDVCpl.exe[3424] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00170C0C
.text C:\Windows\RtHDVCpl.exe[3424] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00170E10
.text C:\Windows\RtHDVCpl.exe[3424] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 001701F8
.text C:\Windows\RtHDVCpl.exe[3424] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 00190A08
.text C:\Windows\RtHDVCpl.exe[3424] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 00190600
.text C:\Windows\RtHDVCpl.exe[3424] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 00190804
.text C:\Windows\RtHDVCpl.exe[3424] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 001903FC
.text C:\Windows\RtHDVCpl.exe[3424] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 001901F8
.text C:\Windows\System32\rundll32.exe[3480] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000601F8
.text C:\Windows\System32\rundll32.exe[3480] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000603FC
.text C:\Windows\System32\rundll32.exe[3480] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Windows\System32\rundll32.exe[3480] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 00170A08
.text C:\Windows\System32\rundll32.exe[3480] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 00170600
.text C:\Windows\System32\rundll32.exe[3480] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 00170804
.text C:\Windows\System32\rundll32.exe[3480] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 001703FC
.text C:\Windows\System32\rundll32.exe[3480] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 001701F8
.text C:\Windows\System32\rundll32.exe[3480] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 001803FC
.text C:\Windows\System32\rundll32.exe[3480] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00180600
.text C:\Windows\System32\rundll32.exe[3480] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00180A08
.text C:\Windows\System32\rundll32.exe[3480] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00181014
.text C:\Windows\System32\rundll32.exe[3480] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00180804
.text C:\Windows\System32\rundll32.exe[3480] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00180C0C
.text C:\Windows\System32\rundll32.exe[3480] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00180E10
.text C:\Windows\System32\rundll32.exe[3480] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 001801F8
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[3544] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 001501F8
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[3544] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 001503FC
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[3544] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[3544] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 00170A08
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[3544] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 00170600
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[3544] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 00170804
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[3544] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 001703FC
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[3544] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 001701F8
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[3544] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 001803FC
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[3544] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00180600
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[3544] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00180A08
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[3544] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00181014
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[3544] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00180804
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[3544] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00180C0C
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[3544] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00180E10
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[3544] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 001801F8
.text C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe[3552] KERNEL32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3560] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3576] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000501F8
.text C:\Program Files\Windows Sidebar\sidebar.exe[3576] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000503FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[3576] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3576] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 000803FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[3576] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00080600
.text C:\Program Files\Windows Sidebar\sidebar.exe[3576] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00080A08
.text C:\Program Files\Windows Sidebar\sidebar.exe[3576] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00081014
.text C:\Program Files\Windows Sidebar\sidebar.exe[3576] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00080804
.text C:\Program Files\Windows Sidebar\sidebar.exe[3576] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00080C0C
.text C:\Program Files\Windows Sidebar\sidebar.exe[3576] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00080E10
.text C:\Program Files\Windows Sidebar\sidebar.exe[3576] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 000801F8
.text C:\Program Files\Windows Sidebar\sidebar.exe[3576] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 00090A08
.text C:\Program Files\Windows Sidebar\sidebar.exe[3576] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 00090600
.text C:\Program Files\Windows Sidebar\sidebar.exe[3576] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 00090804
.text C:\Program Files\Windows Sidebar\sidebar.exe[3576] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 000903FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[3576] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 000901F8
.text C:\Windows\System32\rundll32.exe[3640] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000601F8
.text C:\Windows\System32\rundll32.exe[3640] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000603FC
.text C:\Windows\System32\rundll32.exe[3640] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Windows\System32\rundll32.exe[3640] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 00070A08
.text C:\Windows\System32\rundll32.exe[3640] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 00070600
.text C:\Windows\System32\rundll32.exe[3640] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 00070804
.text C:\Windows\System32\rundll32.exe[3640] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 000703FC
.text C:\Windows\System32\rundll32.exe[3640] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 000701F8
.text C:\Windows\System32\rundll32.exe[3640] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 000903FC
.text C:\Windows\System32\rundll32.exe[3640] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00090600
.text C:\Windows\System32\rundll32.exe[3640] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00090A08
.text C:\Windows\System32\rundll32.exe[3640] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00091014
.text C:\Windows\System32\rundll32.exe[3640] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00090804
.text C:\Windows\System32\rundll32.exe[3640] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00090C0C
.text C:\Windows\System32\rundll32.exe[3640] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00090E10
.text C:\Windows\System32\rundll32.exe[3640] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 000901F8
.text C:\Users\jase\Desktop\gmer\gmer.exe[3764] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 001501F8
.text C:\Users\jase\Desktop\gmer\gmer.exe[3764] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 001503FC
.text C:\Users\jase\Desktop\gmer\gmer.exe[3764] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Users\jase\Desktop\gmer\gmer.exe[3764] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 001903FC
.text C:\Users\jase\Desktop\gmer\gmer.exe[3764] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00190600
.text C:\Users\jase\Desktop\gmer\gmer.exe[3764] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00190A08
.text C:\Users\jase\Desktop\gmer\gmer.exe[3764] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00191014
.text C:\Users\jase\Desktop\gmer\gmer.exe[3764] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00190804
.text C:\Users\jase\Desktop\gmer\gmer.exe[3764] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00190C0C
.text C:\Users\jase\Desktop\gmer\gmer.exe[3764] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00190E10
.text C:\Users\jase\Desktop\gmer\gmer.exe[3764] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 001901F8
.text C:\Users\jase\Desktop\gmer\gmer.exe[3764] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 00370A08
.text C:\Users\jase\Desktop\gmer\gmer.exe[3764] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 00370600
.text C:\Users\jase\Desktop\gmer\gmer.exe[3764] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 00370804
.text C:\Users\jase\Desktop\gmer\gmer.exe[3764] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 003703FC
.text C:\Users\jase\Desktop\gmer\gmer.exe[3764] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 003701F8
.text C:\Program Files\Windows Sidebar\sidebar.exe[3952] ntdll.dll!LdrLoadDll 7703EB00 5 Bytes JMP 000501F8
.text C:\Program Files\Windows Sidebar\sidebar.exe[3952] ntdll.dll!LdrUnloadDll 7704BF0A 5 Bytes JMP 000503FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[3952] kernel32.dll!GetBinaryTypeW + 70 76D3714D 1 Byte [62]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3952] ADVAPI32.dll!CreateServiceW 76F18686 5 Bytes JMP 000803FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[3952] ADVAPI32.dll!DeleteService 76F18788 5 Bytes JMP 00080600
.text C:\Program Files\Windows Sidebar\sidebar.exe[3952] ADVAPI32.dll!ChangeServiceConfigW 76F1A26A 5 Bytes JMP 00080A08
.text C:\Program Files\Windows Sidebar\sidebar.exe[3952] ADVAPI32.dll!SetServiceObjectSecurity 76F53791 5 Bytes JMP 00081014
.text C:\Program Files\Windows Sidebar\sidebar.exe[3952] ADVAPI32.dll!ChangeServiceConfigA 76F53891 5 Bytes JMP 00080804
.text C:\Program Files\Windows Sidebar\sidebar.exe[3952] ADVAPI32.dll!ChangeServiceConfig2A 76F53A39 5 Bytes JMP 00080C0C
.text C:\Program Files\Windows Sidebar\sidebar.exe[3952] ADVAPI32.dll!ChangeServiceConfig2W 76F53B81 5 Bytes JMP 00080E10
.text C:\Program Files\Windows Sidebar\sidebar.exe[3952] ADVAPI32.dll!CreateServiceA 76F53C41 5 Bytes JMP 000801F8
.text C:\Program Files\Windows Sidebar\sidebar.exe[3952] USER32.dll!UnhookWindowsHookEx 76847CE7 5 Bytes JMP 00090A08
.text C:\Program Files\Windows Sidebar\sidebar.exe[3952] USER32.dll!SetWindowsHookExA 7684891A 5 Bytes JMP 00090600
.text C:\Program Files\Windows Sidebar\sidebar.exe[3952] USER32.dll!SetWindowsHookExW 7684913D 5 Bytes JMP 00090804
.text C:\Program Files\Windows Sidebar\sidebar.exe[3952] USER32.dll!UnhookWinEvent 76852C74 5 Bytes JMP 000903FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[3952] USER32.dll!SetWinEventHook 76859C6D 5 Bytes JMP 000901F8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Threads - GMER 1.0.15 ----

Thread System [4:208] 871CB0B3
Thread System [4:220] 871CC7FB

---- EOF - GMER 1.0.15 ----


any help please?

#2 thewoodman22

thewoodman22
  • Topic Starter

  • Members
  • 8 posts
  • Local time:09:51 PM

Posted 07 July 2011 - 09:52 AM

After talking to a tech from work, I was told to use TDSSKiller again and this time click the restore option.

This appears to have worked.
No longer getting redirects or IE running in the background.

Switched off restore, did a reboot and switched it back on
to clear out any old restore points.

Gonna be away from this Sat for a week, so if somebody wants to mark this as closed for now etc.
Any further problems on my return, and I will post a new thread.

But many thanks to boopme for all the help.

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:07:51 AM

Posted 07 July 2011 - 04:50 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
