Malwarebytes' Anti-Malware
www.malwarebytes.org
Database version:
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
11/18/2011 5:59:48 PM
mbam-log-2011-11-18 (17-59-48).txt
Scan type: Quick scan
Objects scanned: 213946
Time elapsed: 25 minute(s), 46 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER 1.0.15.15641 -
http://www.gmer.net
Rootkit scan 2011-11-19 00:10:27
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-e WDC_WD800JD-75MSA1 rev.10.01E01
Running: l6romq9k.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\kfrcraob.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xAD0C1202]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xAD127D8C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xAD0E56C1]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xAD0C37F0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xAD0C3848]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xAD0C395E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xAD0E5075]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xAD0C3746]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xAD0C3898]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xAD0C379A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xAD0C390C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xAD0C1226]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xAD0E5D87]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xAD0E603D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xAD0C3BE2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAD0E5BF2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAD0E5A5D]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xAD127E3C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xAD0C0FF0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xAD0C124A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xAD0C3D56]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xAD0C1CDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xAD0C3820]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xAD0C3870]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xAD0C3988]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xAD0E53D1]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xAD0C3772]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xAD0C3A1A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xAD0C38D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xAD0C37C8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xAD0C3AFE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xAD0C3936]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xAD127ED4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xAD0E58D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xAD0C1BA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xAD0E572A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xAD13010E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xAD0E46E8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xAD0C126E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xAD0C1292]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xAD0C104A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xAD0C1186]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xAD0E5E8E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xAD0C1162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xAD0C11AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xAD0C12B6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAD13D398]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2F14 805047B0 4 Bytes CALL F8FD55FB
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A646E 4 Bytes CALL AD0C2335 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC502 5 Bytes JMP AD138D4C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2F86 5 Bytes JMP AD13A7F2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP AD13D39C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9862000, 0x1B601E, 0xE8000020]
.text win32k.sys!EngFreeUserMem + 674 BF80991D 3 Bytes JMP AD0C4CA2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFreeUserMem + 678 BF809921 1 Byte [ED]
.text win32k.sys!EngDeleteSurface + 45 BF81390C 3 Bytes JMP AD0C4BAE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSurface + 49 BF813910 1 Byte [ED]
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 322E BF81E78D 5 Bytes JMP AD0C3E70 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTextOut + 1DB5 BF829AB9 5 Bytes JMP AD0C4B1E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBlt + 35C1 BF82DDCE 5 Bytes JMP AD0C4BD8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 411E BF84608E 5 Bytes JMP AD0C42FE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 3AA1 BF867CAF 5 Bytes JMP AD0C4D54 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMultiByteToWideChar + 2F30 BF86FF5B 5 Bytes JMP AD0C3E58 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngSetLastError + 7690 BF87E6B1 5 Bytes JMP AD0C3F34 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + 698 BF88E255 5 Bytes JMP AD0C4E0C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + 3A66 BF891623 5 Bytes JMP AD0C5014 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + 10B8D BF89E74A 5 Bytes JMP AD0C4180 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + 10C18 BF89E7D5 5 Bytes JMP AD0C4326 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!FONTOBJ_pxoGetXform + B038 BF8B91F0 5 Bytes JMP AD0C3FA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!FONTOBJ_pxoGetXform + 114FA BF8BF6B2 5 Bytes JMP AD0C4F72 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngAlphaBlend + 3E8 BF8C3223 5 Bytes JMP AD0C403E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1517 BF8EB865 5 Bytes JMP AD0C40AE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1797 BF8EBAE5 5 Bytes JMP AD0C40E8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bCloseFigure + 19EF BF8F98EB 5 Bytes JMP AD0C3D8C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 19B2 BF913826 5 Bytes JMP AD0C3EF0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 2586 BF9143FA 5 Bytes JMP AD0C4008 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4EE5 BF916D59 5 Bytes JMP AD0C4440 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 190E BF944ED0 5 Bytes JMP AD0C4ECA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[236] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[236] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[236] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[236] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[236] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\svchost.exe[236] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[236] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[236] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\svchost.exe[236] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\svchost.exe[236] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[236] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[236] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\svchost.exe[236] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\svchost.exe[236] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\svchost.exe[236] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\svchost.exe[236] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\svchost.exe[236] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\System32\smss.exe[420] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[476] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[476] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[508] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000701F8
.text C:\WINDOWS\system32\winlogon.exe[508] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[508] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000703FC
.text C:\WINDOWS\system32\winlogon.exe[508] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[508] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\winlogon.exe[508] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\winlogon.exe[508] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\winlogon.exe[508] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\winlogon.exe[508] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\winlogon.exe[508] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\winlogon.exe[508] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\winlogon.exe[508] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\winlogon.exe[508] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\winlogon.exe[508] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\winlogon.exe[508] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\winlogon.exe[508] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\winlogon.exe[508] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\system32\services.exe[552] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\services.exe[552] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[552] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\services.exe[552] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[552] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\services.exe[552] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\services.exe[552] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\services.exe[552] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\services.exe[552] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\services.exe[552] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\services.exe[552] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\services.exe[552] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\services.exe[552] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\services.exe[552] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\services.exe[552] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\services.exe[552] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\services.exe[552] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\system32\lsass.exe[564] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\lsass.exe[564] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[564] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\lsass.exe[564] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[564] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\lsass.exe[564] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\lsass.exe[564] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\lsass.exe[564] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\lsass.exe[564] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\lsass.exe[564] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\lsass.exe[564] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\lsass.exe[564] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\lsass.exe[564] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\lsass.exe[564] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\lsass.exe[564] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\lsass.exe[564] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\lsass.exe[564] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\system32\svchost.exe[728] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[728] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[728] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[728] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[728] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\svchost.exe[728] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[728] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[728] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\svchost.exe[728] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\svchost.exe[728] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[728] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[728] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\svchost.exe[728] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\svchost.exe[728] USER32.dll!UnhookWindowsHookEx