GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-04 00:44:39
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.ESBO
Running: bxbif5sr.exe; Driver: C:\Users\Iwi\AppData\Local\Temp\ufliypog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8B103202]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8B609D8C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8B1057F0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8B105848]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8B10595E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8B105746]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8B105898]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8B10579A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8B10590C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8B103226]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8B609E3C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8B102FF0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8B10324A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8B105D56]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8B103CDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8B105820]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8B105870]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8B105988]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8B105772]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8B1058D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8B1057C8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8B105936]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8B609ED4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8B103BA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8B10326E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8B103292]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8B10304A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8B103186]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8B103162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8B1031AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8B1032B6]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 81E45349 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81E7ED52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 81E85D80 2 Bytes [02, 32] {ADD DH, [EDX]}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CE 81E85D83 1 Byte [8B]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 81E85DA8 4 Bytes [8C, 9D, 60, 8B]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 81E85E5C 8 Bytes [F0, 57, 10, 8B, 48, 58, 10, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 81E85E68 4 Bytes [5E, 59, 10, 8B]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\windows\system32\csrss.exe[444] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\system32\csrss.exe[480] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\system32\wininit.exe[488] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000303FC
.text C:\windows\system32\wininit.exe[488] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000301F8
.text C:\windows\system32\wininit.exe[488] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\system32\wininit.exe[488] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 00100A08
.text C:\windows\system32\wininit.exe[488] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 001003FC
.text C:\windows\system32\wininit.exe[488] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00100804
.text C:\windows\system32\wininit.exe[488] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 001001F8
.text C:\windows\system32\wininit.exe[488] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 00100600
.text C:\windows\system32\winlogon.exe[540] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000303FC
.text C:\windows\system32\winlogon.exe[540] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000301F8
.text C:\windows\system32\winlogon.exe[540] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\system32\winlogon.exe[540] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 00120A08
.text C:\windows\system32\winlogon.exe[540] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 001203FC
.text C:\windows\system32\winlogon.exe[540] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00120804
.text C:\windows\system32\winlogon.exe[540] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 001201F8
.text C:\windows\system32\winlogon.exe[540] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 00120600
.text C:\windows\system32\services.exe[584] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\windows\system32\services.exe[584] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\windows\system32\services.exe[584] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\system32\lsass.exe[592] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\windows\system32\lsass.exe[592] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\windows\system32\lsass.exe[592] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\system32\lsm.exe[600] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\windows\system32\lsm.exe[600] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\windows\system32\lsm.exe[600] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\system32\svchost.exe[696] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\windows\system32\svchost.exe[696] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\windows\system32\svchost.exe[696] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\System32\svchost.exe[784] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\windows\System32\svchost.exe[784] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\windows\System32\svchost.exe[784] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\System32\svchost.exe[784] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 00130A08
.text C:\windows\System32\svchost.exe[784] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 001303FC
.text C:\windows\System32\svchost.exe[784] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00130804
.text C:\windows\System32\svchost.exe[784] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 001301F8
.text C:\windows\System32\svchost.exe[784] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 00130600
.text C:\windows\system32\svchost.exe[788] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\windows\system32\svchost.exe[788] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\windows\system32\svchost.exe[788] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\System32\svchost.exe[872] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\windows\System32\svchost.exe[872] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\windows\System32\svchost.exe[872] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\System32\svchost.exe[872] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 00220A08
.text C:\windows\System32\svchost.exe[872] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 002203FC
.text C:\windows\System32\svchost.exe[872] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00220804
.text C:\windows\System32\svchost.exe[872] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 002201F8
.text C:\windows\System32\svchost.exe[872] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 00220600
.text C:\windows\System32\svchost.exe[916] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\windows\System32\svchost.exe[916] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\windows\System32\svchost.exe[916] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\System32\svchost.exe[916] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 005B0A08
.text C:\windows\System32\svchost.exe[916] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 005B03FC
.text C:\windows\System32\svchost.exe[916] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 005B0804
.text C:\windows\System32\svchost.exe[916] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 005B01F8
.text C:\windows\System32\svchost.exe[916] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 005B0600
.text C:\windows\system32\svchost.exe[944] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\windows\system32\svchost.exe[944] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\windows\system32\svchost.exe[944] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\system32\svchost.exe[944] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 00C60A08
.text C:\windows\system32\svchost.exe[944] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 00C603FC
.text C:\windows\system32\svchost.exe[944] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00C60804
.text C:\windows\system32\svchost.exe[944] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 00C601F8
.text C:\windows\system32\svchost.exe[944] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 00C60600
.text C:\windows\system32\svchost.exe[1096] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000A03FC
.text C:\windows\system32\svchost.exe[1096] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000A01F8
.text C:\windows\system32\svchost.exe[1096] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\system32\svchost.exe[1096] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 004F0A08
.text C:\windows\system32\svchost.exe[1096] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 004F03FC
.text C:\windows\system32\svchost.exe[1096] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 004F0804
.text C:\windows\system32\svchost.exe[1096] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 004F01F8
.text C:\windows\system32\svchost.exe[1096] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 004F0600
.text C:\windows\System32\spoolsv.exe[1156] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\windows\System32\spoolsv.exe[1156] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\windows\System32\spoolsv.exe[1156] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\System32\spoolsv.exe[1156] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 00100A08
.text C:\windows\System32\spoolsv.exe[1156] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 001003FC
.text C:\windows\System32\spoolsv.exe[1156] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00100804
.text C:\windows\System32\spoolsv.exe[1156] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 001001F8
.text C:\windows\System32\spoolsv.exe[1156] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 00100600
.text C:\windows\system32\svchost.exe[1200] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000A03FC
.text C:\windows\system32\svchost.exe[1200] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000A01F8
.text C:\windows\system32\svchost.exe[1200] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1300] kernel32.dll!SetUnhandledExceptionFilter 7693F4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1300] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\system32\Dwm.exe[1380] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\windows\system32\Dwm.exe[1380] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\windows\system32\Dwm.exe[1380] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\system32\Dwm.exe[1380] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 000F0A08
.text C:\windows\system32\Dwm.exe[1380] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 000F03FC
.text C:\windows\system32\Dwm.exe[1380] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 000F0804
.text C:\windows\system32\Dwm.exe[1380] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 000F01F8
.text C:\windows\system32\Dwm.exe[1380] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 000F0600
.text C:\windows\Explorer.EXE[1412] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\windows\Explorer.EXE[1412] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\windows\Explorer.EXE[1412] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\Explorer.EXE[1412] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 00110A08
.text C:\windows\Explorer.EXE[1412] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 001103FC
.text C:\windows\Explorer.EXE[1412] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00110804
.text C:\windows\Explorer.EXE[1412] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 001101F8
.text C:\windows\Explorer.EXE[1412] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 00110600
.text C:\windows\system32\svchost.exe[1492] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\windows\system32\svchost.exe[1492] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\windows\system32\svchost.exe[1492] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\system32\svchost.exe[1492] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 00260A08
.text C:\windows\system32\svchost.exe[1492] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 002603FC
.text C:\windows\system32\svchost.exe[1492] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00260804
.text C:\windows\system32\svchost.exe[1492] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 002601F8
.text C:\windows\system32\svchost.exe[1492] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 00260600
.text C:\windows\system32\taskhost.exe[1504] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000503FC
.text C:\windows\system32\taskhost.exe[1504] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000501F8
.text C:\windows\system32\taskhost.exe[1504] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\system32\taskhost.exe[1504] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 000F0A08
.text C:\windows\system32\taskhost.exe[1504] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 000F03FC
.text C:\windows\system32\taskhost.exe[1504] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 000F0804
.text C:\windows\system32\taskhost.exe[1504] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 000F01F8
.text C:\windows\system32\taskhost.exe[1504] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 000F0600
.text C:\windows\system32\AsusService.exe[1560] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000503FC
.text C:\windows\system32\AsusService.exe[1560] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000501F8
.text C:\windows\system32\AsusService.exe[1560] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\system32\AsusService.exe[1560] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 001E0A08
.text C:\windows\system32\AsusService.exe[1560] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 001E03FC
.text C:\windows\system32\AsusService.exe[1560] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 001E0804
.text C:\windows\system32\AsusService.exe[1560] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 001E01F8
.text C:\windows\system32\AsusService.exe[1560] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 001E0600
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1600] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 001603FC
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1600] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 001601F8
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1600] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1600] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 00190A08
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1600] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 001903FC
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1600] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00190804
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1600] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 001901F8
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1600] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 00190600
.text C:\Program Files\Elantech\ETDCtrl.exe[1612] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Elantech\ETDCtrl.exe[1612] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\Program Files\Elantech\ETDCtrl.exe[1612] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\Program Files\Elantech\ETDCtrl.exe[1612] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 00110A08
.text C:\Program Files\Elantech\ETDCtrl.exe[1612] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 001103FC
.text C:\Program Files\Elantech\ETDCtrl.exe[1612] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00110804
.text C:\Program Files\Elantech\ETDCtrl.exe[1612] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 001101F8
.text C:\Program Files\Elantech\ETDCtrl.exe[1612] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 00110600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1620] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 001703FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1620] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 001701F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1620] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1620] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 001A0A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1620] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 001A03FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1620] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 001A0804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1620] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 001A01F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1620] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 001A0600
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1628] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\Windows\System32\hkcmd.exe[1664] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 001603FC
.text C:\Windows\System32\hkcmd.exe[1664] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 001601F8
.text C:\Windows\System32\hkcmd.exe[1664] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\Windows\System32\hkcmd.exe[1664] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 00200A08
.text C:\Windows\System32\hkcmd.exe[1664] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 002003FC
.text C:\Windows\System32\hkcmd.exe[1664] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00200804
.text C:\Windows\System32\hkcmd.exe[1664] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 002001F8
.text C:\Windows\System32\hkcmd.exe[1664] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 00200600
.text C:\Windows\System32\igfxpers.exe[1672] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 001603FC
.text C:\Windows\System32\igfxpers.exe[1672] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 001601F8
.text C:\Windows\System32\igfxpers.exe[1672] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\Windows\System32\igfxpers.exe[1672] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 00200A08
.text C:\Windows\System32\igfxpers.exe[1672] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 002003FC
.text C:\Windows\System32\igfxpers.exe[1672] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00200804
.text C:\Windows\System32\igfxpers.exe[1672] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 002001F8
.text C:\Windows\System32\igfxpers.exe[1672] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 00200600
.text C:\windows\system32\igfxsrvc.exe[1772] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 001603FC
.text C:\windows\system32\igfxsrvc.exe[1772] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 001601F8
.text C:\windows\system32\igfxsrvc.exe[1772] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\system32\igfxsrvc.exe[1772] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 001F0A08
.text C:\windows\system32\igfxsrvc.exe[1772] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 001F03FC
.text C:\windows\system32\igfxsrvc.exe[1772] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 001F0804
.text C:\windows\system32\igfxsrvc.exe[1772] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 001F01F8
.text C:\windows\system32\igfxsrvc.exe[1772] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 001F0600
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[1984] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[1984] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[1984] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[1984] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 000F0A08
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[1984] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 000F03FC
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[1984] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 000F0804
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[1984] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 000F01F8
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[1984] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 000F0600
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2292] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2292] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2292] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2292] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 00090A08
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2292] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 000903FC
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2292] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00090804
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2292] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 000901F8
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2292] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 00090600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2328] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2328] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2328] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2328] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2328] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 001003FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2328] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00100804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2328] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 001001F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2328] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 00100600
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2384] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2384] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2384] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2384] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 001A0A08
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2384] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 001A03FC
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2384] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 001A0804
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2384] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 001A01F8
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2384] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 001A0600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2412] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2412] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2412] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2412] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2412] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 001003FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2412] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00100804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2412] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 001001F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2412] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 00100600
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2816] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2816] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2816] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2816] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 00210A08
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2816] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 002103FC
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2816] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00210804
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2816] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 002101F8
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2816] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 00210600
.text C:\windows\system32\svchost.exe[2904] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\windows\system32\svchost.exe[2904] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\windows\system32\svchost.exe[2904] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\system32\svchost.exe[2904] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 00120A08
.text C:\windows\system32\svchost.exe[2904] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 001203FC
.text C:\windows\system32\svchost.exe[2904] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00120804
.text C:\windows\system32\svchost.exe[2904] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 001201F8
.text C:\windows\system32\svchost.exe[2904] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 00120600
.text C:\windows\system32\ctfmon.exe[3008] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\system32\svchost.exe[3088] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\windows\system32\svchost.exe[3088] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\windows\system32\svchost.exe[3088] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3444] ntdll.dll!LdrUnloadDll 771FC8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3444] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3444] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3444] USER32.dll!UnhookWindowsHookEx 76D8ADF9 5 Bytes JMP 00090A08
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3444] USER32.dll!UnhookWinEvent 76D8B750 5 Bytes JMP 000903FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3444] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00090804
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3444] USER32.dll!SetWinEventHook 76D924DC 5 Bytes JMP 000901F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3444] USER32.dll!SetWindowsHookExA 76DB6D0C 5 Bytes JMP 00090600
.text C:\Users\Iwi\Desktop\bxbif5sr.exe[3684] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device \Driver\ACPI_HAL \Device\00000049 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dbb854f
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dbb854f (not active ControlSet)

---- EOF - GMER 1.0.15 ----
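A log like this is read in three passes: who owns the SSDT hooks, which user-mode entries are 5-byte JMP detours versus small byte patches, and whether GMER could attribute each detour target to a loaded module. The script below is an added triage helper, not part of the log or of GMER. It assumes the GMER 1.0.15 row layout shown above, an allow-list of the two avast! drivers the log names as SSDT owners, and that any text after a JMP target is GMER's module attribution (a bare target means the detour lands outside every loaded image). The sample rows are copied from the log, except the fourth SSDT row, which is a constructed negative control so the allow-list check has something to flag.

```python
"""Triage a GMER 1.0.15 log: SSDT hooks by owning driver, owners outside an
allow-list, byte patches versus JMP detours, and detours with no module
attribution. Added example; not GMER's own code."""
import re
from collections import Counter

# Assumption: avast! is the installed product, so these are the expected owners.
KNOWN_SSDT_OWNERS = {"aswSnx.SYS", "aswSP.SYS"}

# SSDT <module> (<vendor description>) <ZwFunction> [0x<handler>]
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$")
# .text <image>[<pid>] <dll>!<func>[ + <off>] <addr> <n> Byte(s) <patch>
USER_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[\w.]+)!(?P<func>\w+)"
    r"(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+(?P<addr>[0-9A-Fa-f]{8})"
    r"\s+(?P<n>\d+)\s+Bytes?\s+(?P<patch>.*)$")
# Assumption about the format: text after the target is GMER's module attribution.
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<module>.+))?$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_gmer(lines):
    """Return (ssdt_rows, user_rows); rows from other sections are skipped."""
    ssdt, user = [], []
    for raw in lines:
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            ssdt.append({"module": basename(m["module"]), "desc": m["desc"],
                         "func": m["func"], "addr": int(m["addr"], 16)})
            continue
        m = USER_RE.match(line)
        if m:
            j = JMP_RE.match(m["patch"])
            user.append({"image": basename(m["image"]), "pid": int(m["pid"]),
                         "dll": m["dll"], "func": m["func"], "nbytes": int(m["n"]),
                         "jmp": int(j["target"], 16) if j else None,
                         "jmp_module": j["module"] if j else None})
    return ssdt, user


def triage(text, known_owners=KNOWN_SSDT_OWNERS):
    ssdt, user = parse_gmer(text.splitlines())
    detours = [e for e in user if e["jmp"] is not None]
    pids = {e["pid"] for e in detours}
    # Prevalence: a detour present in every detoured process points at a
    # system-wide component; one present in a single process at something
    # injected into that process alone.
    seen = {(e["dll"], e["func"], e["pid"]) for e in detours}
    prevalence = Counter((dll, func) for dll, func, _ in seen)
    return {
        "ssdt_by_owner": dict(Counter(e["module"] for e in ssdt)),
        "ssdt_unexpected": [(e["module"], e["func"]) for e in ssdt
                            if e["module"] not in known_owners],
        "byte_patches": [(e["image"], e["pid"], e["func"], e["nbytes"])
                         for e in user if e["jmp"] is None],
        "unattributed_jmp": [(e["image"], e["pid"], f'{e["dll"]}!{e["func"]}', e["jmp"])
                             for e in detours if not e["jmp_module"]],
        "jmp_prevalence": {f"{dll}!{func}": (n, len(pids))
                           for (dll, func), n in sorted(prevalence.items())},
    }


# Rows copied from the log above; the fourth SSDT row (unknown.sys) is a
# constructed negative control and does not appear in the log.
SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8B102FF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8B609ED4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8B1031AA]
SSDT \??\C:\Windows\Temp\unknown.sys ZwQuerySystemInformation [0x8B800000]
.text C:\windows\system32\csrss.exe[444] kernel32.dll!GetBinaryTypeW + 70 769569F4 1 Byte [62]
.text C:\windows\system32\wininit.exe[488] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000301F8
.text C:\windows\system32\wininit.exe[488] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00100804
.text C:\windows\system32\lsass.exe[592] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1300] kernel32.dll!SetUnhandledExceptionFilter 7693F4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\windows\Explorer.EXE[1412] ntdll.dll!LdrLoadDll 772022B8 5 Bytes JMP 000601F8
.text C:\windows\Explorer.EXE[1412] USER32.dll!SetWindowsHookExW 76D8E30C 5 Bytes JMP 00110804
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run against the full log, every SSDT row lands on the two avast! drivers and `ssdt_unexpected` stays empty; the constructed `unknown.sys` row is there only to show what a hook from an unlisted, undescribed driver looks like in the output. The user-mode rows split the way the log reads: the 1-byte `[62]` at `GetBinaryTypeW + 70` is present in every listed process, GMER's own `bxbif5sr.exe[3684]` included, and the 4-byte `RET 0x4; NOP` in AvastSvc.exe is a patch, not a detour. Every `LdrLoadDll`/`LdrUnloadDll` and `USER32` detour jumps to a bare address such as `000603FC` or `00100A08` with no module attribution, which the log alone cannot resolve: the follow-up is to dump that region from one of the affected processes and identify what owns it, rather than deciding from the listing.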