GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-04-20 20:46:58 Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0 Running: wv3lgl5o.exe; Driver: C:\Users\jjj\AppData\Local\Temp\pwddrkob.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8CB47DF8] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x93778A5A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8CB4885E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8CB4D2E4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8CB4D330] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8CB4D422] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8CB4D252] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8CB4D374] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8CB4D29A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8CB4D3DC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8CB47E44] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x93778B34] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8CB47AD6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8CB47E90] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8CB4AD1C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8CB48B02] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8CB4D30E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8CB4D352] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8CB4D446] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8CB4D278] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8CB4D3AE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8CB4D2C2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8CB4D400] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x93778CA0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8CB489CE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8CB47EDC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8CB47F28] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8CB47B46] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8CB47CEA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8CB47C92] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8CB47D5A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x93778D60] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8CB47F74] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x93778BE0] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x9378ED92] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!ZwSaveKeyEx + 13B1 834548A9 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 834742F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntoskrnl.exe!KeRemoveQueueEx + 138B 8347B558 4 Bytes [F8, 7D, B4, 8C] .text ntoskrnl.exe!KeRemoveQueueEx + 13B3 8347B580 4 Bytes [5A, 8A, 77, 93] {POP EDX; MOV DH, [EDI-0x6d]} .text ntoskrnl.exe!KeRemoveQueueEx + 1413 8347B5E0 4 Bytes [5E, 88, B4, 8C] .text ntoskrnl.exe!KeRemoveQueueEx + 1467 8347B634 8 Bytes [E4, D2, B4, 8C, 30, D3, B4, ...] {IN AL, 0xd2; MOV AH, 0x8c; XOR BL, DL; MOV AH, 0x8c} .text ntoskrnl.exe!KeRemoveQueueEx + 1473 8347B640 4 Bytes [22, D4, B4, 8C] {AND DL, AH; MOV AH, 0x8c} .text ... PAGE ntoskrnl.exe!ObMakeTemporaryObject 83600E6C 5 Bytes JMP 9378BC8C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntoskrnl.exe!RtlCompareUnicodeStrings + 50C 83628574 5 Bytes JMP 9378D764 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 108 8362ED51 4 Bytes CALL 8CB491B5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntoskrnl.exe!ZwAlpcSendWaitReceivePort + 122 8366B89F 4 Bytes CALL 8CB491CB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntoskrnl.exe!ZwCreateProcessEx 836F0CCA 7 Bytes JMP 9378ED96 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ? System32\Drivers\spkl.sys System nie może odnaleźć określonej ścieżki. ! .text USBPORT.SYS!DllUnload 95EBFD18 5 Bytes JMP 8771F1D8 .text a22m4ltw.SYS 94220000 12 Bytes [44, 58, 82, 83, EE, 56, 82, ...] .text a22m4ltw.SYS 9422000D 9 Bytes [37, 82, 83, 48, 5B, 82, 83, ...] .text a22m4ltw.SYS 94220017 85 Bytes [00, DE, 67, 31, 8C, E6, 65, ...] .text a22m4ltw.SYS 9422006D 84 Bytes [10, 45, 83, 90, 30, 47, 83, ...] .text a22m4ltw.SYS 942200C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL} .text ... .text peauth.sys 9ED4BC9D 28 Bytes CALL E6C6AF7B .text peauth.sys 9ED4BCC1 28 Bytes CALL E6C6AF9F ---- User code sections - GMER 1.0.15 ---- .text C:\windows\System32\spoolsv.exe[468] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000A03FC .text C:\windows\System32\spoolsv.exe[468] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000A01F8 .text C:\windows\System32\spoolsv.exe[468] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\System32\spoolsv.exe[468] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00140A08 .text C:\windows\System32\spoolsv.exe[468] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 001403FC .text C:\windows\System32\spoolsv.exe[468] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00140804 .text C:\windows\System32\spoolsv.exe[468] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 001401F8 .text C:\windows\System32\spoolsv.exe[468] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00140600 .text C:\windows\system32\csrss.exe[572] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\svchost.exe[592] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000A03FC .text C:\windows\system32\svchost.exe[592] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000A01F8 .text C:\windows\system32\svchost.exe[592] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\svchost.exe[592] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00210A08 .text C:\windows\system32\svchost.exe[592] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 002103FC .text C:\windows\system32\svchost.exe[592] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00210804 .text C:\windows\system32\svchost.exe[592] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 002101F8 .text C:\windows\system32\svchost.exe[592] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00210600 .text C:\windows\system32\csrss.exe[636] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\wininit.exe[644] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000703FC .text C:\windows\system32\wininit.exe[644] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000701F8 .text C:\windows\system32\wininit.exe[644] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\wininit.exe[644] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00200A08 .text C:\windows\system32\wininit.exe[644] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 002003FC .text C:\windows\system32\wininit.exe[644] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00200804 .text C:\windows\system32\wininit.exe[644] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 002001F8 .text C:\windows\system32\wininit.exe[644] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00200600 .text C:\windows\system32\winlogon.exe[700] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000303FC .text C:\windows\system32\winlogon.exe[700] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000301F8 .text C:\windows\system32\winlogon.exe[700] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\winlogon.exe[700] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 000C0A08 .text C:\windows\system32\winlogon.exe[700] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 000C03FC .text C:\windows\system32\winlogon.exe[700] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 000C0804 .text C:\windows\system32\winlogon.exe[700] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 000C01F8 .text C:\windows\system32\winlogon.exe[700] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 000C0600 .text C:\windows\system32\services.exe[736] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000603FC .text C:\windows\system32\services.exe[736] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000601F8 .text C:\windows\system32\services.exe[736] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\services.exe[736] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00180A08 .text C:\windows\system32\services.exe[736] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 001803FC .text C:\windows\system32\services.exe[736] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00180804 .text C:\windows\system32\services.exe[736] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 001801F8 .text C:\windows\system32\services.exe[736] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00180600 .text C:\windows\system32\lsass.exe[756] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000603FC .text C:\windows\system32\lsass.exe[756] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000601F8 .text C:\windows\system32\lsass.exe[756] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\lsm.exe[764] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000603FC .text C:\windows\system32\lsm.exe[764] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000601F8 .text C:\windows\system32\lsm.exe[764] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\svchost.exe[868] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000603FC .text C:\windows\system32\svchost.exe[868] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000601F8 .text C:\windows\system32\svchost.exe[868] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\nvvsvc.exe[956] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 001603FC .text C:\windows\system32\nvvsvc.exe[956] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 001601F8 .text C:\windows\system32\nvvsvc.exe[956] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\nvvsvc.exe[956] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 002F0A08 .text C:\windows\system32\nvvsvc.exe[956] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 002F03FC .text C:\windows\system32\nvvsvc.exe[956] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 002F0804 .text C:\windows\system32\nvvsvc.exe[956] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 002F01F8 .text C:\windows\system32\nvvsvc.exe[956] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 002F0600 .text C:\windows\system32\svchost.exe[996] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000A03FC .text C:\windows\system32\svchost.exe[996] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000A01F8 .text C:\windows\system32\svchost.exe[996] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\System32\svchost.exe[1012] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000603FC .text C:\windows\System32\svchost.exe[1012] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000601F8 .text C:\windows\System32\svchost.exe[1012] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1100] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 001603FC .text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1100] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 001601F8 .text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1100] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1100] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00180A08 .text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1100] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 001803FC .text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1100] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00180804 .text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1100] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 001801F8 .text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1100] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00180600 .text C:\windows\System32\svchost.exe[1104] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000603FC .text C:\windows\System32\svchost.exe[1104] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000601F8 .text C:\windows\System32\svchost.exe[1104] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\System32\svchost.exe[1104] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00170A08 .text C:\windows\System32\svchost.exe[1104] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 001703FC .text C:\windows\System32\svchost.exe[1104] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00170804 .text C:\windows\System32\svchost.exe[1104] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 001701F8 .text C:\windows\System32\svchost.exe[1104] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00170600 .text C:\windows\System32\svchost.exe[1144] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000A03FC .text C:\windows\System32\svchost.exe[1144] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000A01F8 .text C:\windows\System32\svchost.exe[1144] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\System32\svchost.exe[1144] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00590A08 .text C:\windows\System32\svchost.exe[1144] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 005903FC .text C:\windows\System32\svchost.exe[1144] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00590804 .text C:\windows\System32\svchost.exe[1144] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 005901F8 .text C:\windows\System32\svchost.exe[1144] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00590600 .text C:\windows\system32\svchost.exe[1168] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000603FC .text C:\windows\system32\svchost.exe[1168] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000601F8 .text C:\windows\system32\svchost.exe[1168] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\svchost.exe[1168] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 006A0A08 .text C:\windows\system32\svchost.exe[1168] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 006A03FC .text C:\windows\system32\svchost.exe[1168] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 006A0804 .text C:\windows\system32\svchost.exe[1168] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 006A01F8 .text C:\windows\system32\svchost.exe[1168] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 006A0600 .text C:\windows\system32\PnkBstrA.exe[1236] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 001503FC .text C:\windows\system32\PnkBstrA.exe[1236] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 001501F8 .text C:\windows\system32\PnkBstrA.exe[1236] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\PnkBstrA.exe[1236] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 001E0A08 .text C:\windows\system32\PnkBstrA.exe[1236] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 001E03FC .text C:\windows\system32\PnkBstrA.exe[1236] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 001E0804 .text C:\windows\system32\PnkBstrA.exe[1236] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 001E01F8 .text C:\windows\system32\PnkBstrA.exe[1236] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 001E0600 .text C:\windows\system32\dgdersvc.exe[1244] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 001603FC .text C:\windows\system32\dgdersvc.exe[1244] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 001601F8 .text C:\windows\system32\dgdersvc.exe[1244] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\dgdersvc.exe[1244] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 001A0A08 .text C:\windows\system32\dgdersvc.exe[1244] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 001A03FC .text C:\windows\system32\dgdersvc.exe[1244] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 001A0804 .text C:\windows\system32\dgdersvc.exe[1244] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 001A01F8 .text C:\windows\system32\dgdersvc.exe[1244] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 001A0600 .text C:\windows\system32\svchost.exe[1296] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000603FC .text C:\windows\system32\svchost.exe[1296] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000601F8 .text C:\windows\system32\svchost.exe[1296] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\nvvsvc.exe[1364] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 001603FC .text C:\windows\system32\nvvsvc.exe[1364] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 001601F8 .text C:\windows\system32\nvvsvc.exe[1364] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\nvvsvc.exe[1364] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00180A08 .text C:\windows\system32\nvvsvc.exe[1364] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 001803FC .text C:\windows\system32\nvvsvc.exe[1364] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00180804 .text C:\windows\system32\nvvsvc.exe[1364] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 001801F8 .text C:\windows\system32\nvvsvc.exe[1364] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00180600 .text C:\windows\System32\svchost.exe[1372] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000A03FC .text C:\windows\System32\svchost.exe[1372] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000A01F8 .text C:\windows\System32\svchost.exe[1372] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\System32\svchost.exe[1372] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00350A08 .text C:\windows\System32\svchost.exe[1372] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 003503FC .text C:\windows\System32\svchost.exe[1372] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00350804 .text C:\windows\System32\svchost.exe[1372] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 003501F8 .text C:\windows\System32\svchost.exe[1372] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00350600 .text C:\windows\system32\FsUsbExService.Exe[1432] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 001503FC .text C:\windows\system32\FsUsbExService.Exe[1432] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 001501F8 .text C:\windows\system32\FsUsbExService.Exe[1432] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\FsUsbExService.Exe[1432] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 001E0A08 .text C:\windows\system32\FsUsbExService.Exe[1432] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 001E03FC .text C:\windows\system32\FsUsbExService.Exe[1432] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 001E0804 .text C:\windows\system32\FsUsbExService.Exe[1432] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 001E01F8 .text C:\windows\system32\FsUsbExService.Exe[1432] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 001E0600 .text C:\windows\system32\svchost.exe[1540] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000603FC .text C:\windows\system32\svchost.exe[1540] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000601F8 .text C:\windows\system32\svchost.exe[1540] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\Explorer.EXE[1684] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000603FC .text C:\windows\Explorer.EXE[1684] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000601F8 .text C:\windows\Explorer.EXE[1684] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\Explorer.EXE[1684] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00110A08 .text C:\windows\Explorer.EXE[1684] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 001103FC .text C:\windows\Explorer.EXE[1684] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00110804 .text C:\windows\Explorer.EXE[1684] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 001101F8 .text C:\windows\Explorer.EXE[1684] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00110600 .text C:\windows\system32\Dwm.exe[1760] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000603FC .text C:\windows\system32\Dwm.exe[1760] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000601F8 .text C:\windows\system32\Dwm.exe[1760] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\Dwm.exe[1760] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00080A08 .text C:\windows\system32\Dwm.exe[1760] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 000803FC .text C:\windows\system32\Dwm.exe[1760] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00080804 .text C:\windows\system32\Dwm.exe[1760] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 000801F8 .text C:\windows\system32\Dwm.exe[1760] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00080600 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1788] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000603FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1788] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000601F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1788] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1788] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00240A08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1788] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 002403FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1788] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00240804 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1788] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 002401F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1788] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00240600 .text C:\windows\system32\svchost.exe[1792] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000603FC .text C:\windows\system32\svchost.exe[1792] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000601F8 .text C:\windows\system32\svchost.exe[1792] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1996] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000603FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1996] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000601F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1996] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1996] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00110A08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1996] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 001103FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1996] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00110804 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1996] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 001101F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1996] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00110600 .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2020] kernel32.dll!SetUnhandledExceptionFilter 75DB30E2 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2020] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\Program Files\Google\Update\GoogleUpdate.exe[2436] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 001703FC .text C:\Program Files\Google\Update\GoogleUpdate.exe[2436] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 001701F8 .text C:\Program Files\Google\Update\GoogleUpdate.exe[2436] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\Program Files\Google\Update\GoogleUpdate.exe[2436] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00210A08 .text C:\Program Files\Google\Update\GoogleUpdate.exe[2436] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 002103FC .text C:\Program Files\Google\Update\GoogleUpdate.exe[2436] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00210804 .text C:\Program Files\Google\Update\GoogleUpdate.exe[2436] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 002101F8 .text C:\Program Files\Google\Update\GoogleUpdate.exe[2436] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00210600 .text C:\windows\system32\AUDIODG.EXE[2524] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2764] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 001603FC .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2764] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 001601F8 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2764] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2764] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00190A08 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2764] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 001903FC .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2764] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00190804 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2764] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 001901F8 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2764] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00190600 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 001603FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 001601F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 001F0A08 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 001F03FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 001F0804 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 001F01F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 001F0600 .text C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe[2900] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 001603FC .text C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe[2900] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 001601F8 .text C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe[2900] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe[2900] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00200A08 .text C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe[2900] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 002003FC .text C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe[2900] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00200804 .text C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe[2900] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 002001F8 .text C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe[2900] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00200600 .text C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe[2960] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 001603FC .text C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe[2960] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 001601F8 .text C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe[2960] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe[2960] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 001F0A08 .text C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe[2960] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 001F03FC .text C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe[2960] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 001F0804 .text C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe[2960] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 001F01F8 .text C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe[2960] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 001F0600 .text D:\wv3lgl5o.exe[3088] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 001603FC .text D:\wv3lgl5o.exe[3088] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 001601F8 .text D:\wv3lgl5o.exe[3088] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text D:\wv3lgl5o.exe[3088] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00310A08 .text D:\wv3lgl5o.exe[3088] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 003103FC .text D:\wv3lgl5o.exe[3088] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00310804 .text D:\wv3lgl5o.exe[3088] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 003101F8 .text D:\wv3lgl5o.exe[3088] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00310600 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3184] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 001603FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3184] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 001601F8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3184] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3184] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00180A08 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3184] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 001803FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3184] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00180804 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3184] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 001801F8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3184] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00180600 .text C:\Program Files\AnyPC Client\APLangApp.exe[3208] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 001603FC .text C:\Program Files\AnyPC Client\APLangApp.exe[3208] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 001601F8 .text C:\Program Files\AnyPC Client\APLangApp.exe[3208] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\Program Files\AnyPC Client\APLangApp.exe[3208] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 001F0A08 .text C:\Program Files\AnyPC Client\APLangApp.exe[3208] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 001F03FC .text C:\Program Files\AnyPC Client\APLangApp.exe[3208] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 001F0804 .text C:\Program Files\AnyPC Client\APLangApp.exe[3208] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 001F01F8 .text C:\Program Files\AnyPC Client\APLangApp.exe[3208] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 001F0600 .text C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe[3248] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 001603FC .text C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe[3248] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 001601F8 .text C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe[3248] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe[3248] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 001F0A08 .text C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe[3248] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 001F03FC .text C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe[3248] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 001F0804 .text C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe[3248] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 001F01F8 .text C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe[3248] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 001F0600 .text C:\Program Files\SweetIM\Messenger\SweetIM.exe[3292] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 001603FC .text C:\Program Files\SweetIM\Messenger\SweetIM.exe[3292] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 001601F8 .text C:\Program Files\SweetIM\Messenger\SweetIM.exe[3292] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\Program Files\SweetIM\Messenger\SweetIM.exe[3292] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 003C0A08 .text C:\Program Files\SweetIM\Messenger\SweetIM.exe[3292] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 003C03FC .text C:\Program Files\SweetIM\Messenger\SweetIM.exe[3292] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 003C0804 .text C:\Program Files\SweetIM\Messenger\SweetIM.exe[3292] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 003C01F8 .text C:\Program Files\SweetIM\Messenger\SweetIM.exe[3292] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 003C0600 .text C:\windows\system32\SearchIndexer.exe[3304] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000603FC .text C:\windows\system32\SearchIndexer.exe[3304] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000601F8 .text C:\windows\system32\SearchIndexer.exe[3304] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\SearchIndexer.exe[3304] USER32.dll!UnhookWindowsHookEx 7735CC7B 5 Bytes JMP 00100A08 .text C:\windows\system32\SearchIndexer.exe[3304] USER32.dll!UnhookWinEvent 7735D924 5 Bytes JMP 001003FC .text C:\windows\system32\SearchIndexer.exe[3304] USER32.dll!SetWindowsHookExW 7736210A 5 Bytes JMP 00100804 .text C:\windows\system32\SearchIndexer.exe[3304] USER32.dll!SetWinEventHook 7736507E 5 Bytes JMP 001001F8 .text C:\windows\system32\SearchIndexer.exe[3304] USER32.dll!SetWindowsHookExA 77386DFA 5 Bytes JMP 00100600 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3332] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] .text C:\windows\system32\svchost.exe[3664] ntdll.dll!LdrUnloadDll 7778BD1F 5 Bytes JMP 000603FC .text C:\windows\system32\svchost.exe[3664] ntdll.dll!LdrLoadDll 7778F425 5 Bytes JMP 000601F8 .text C:\windows\system32\svchost.exe[3664] kernel32.dll!GetBinaryTypeW + 70 75DC78FC 1 Byte [62] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\DRIVERS\pci.sys[ntoskrnl.exe!IoDetachDevice] [8C244DDC] \SystemRoot\System32\Drivers\spkl.sys IAT \SystemRoot\system32\DRIVERS\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [8C244E30] \SystemRoot\System32\Drivers\spkl.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8C21A042] \SystemRoot\System32\Drivers\spkl.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8C21A6D6] \SystemRoot\System32\Drivers\spkl.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8C21A800] \SystemRoot\System32\Drivers\spkl.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8C21A13E] \SystemRoot\System32\Drivers\spkl.sys IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortNotification] 00147880 IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75 IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015 IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortStallExecution] C25DC033 IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008 IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08 IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24 IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8 IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800 IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000 IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008 IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55 IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500 IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortInitialize] 157B805E IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500 IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B IAT \SystemRoot\System32\Drivers\a22m4ltw.SYS[NTOSKRNL.exe!KeTickCount] 78801875 ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\windows\Explorer.EXE[1684] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74792494] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[1684] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74775624] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[1684] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [747756E2] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[1684] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipFree] [7479250F] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[1684] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74788573] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[1684] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74784D27] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[1684] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [747850CE] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[1684] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [747851A3] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[1684] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [747866D0] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[1684] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [747882CA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[1684] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74788819] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[1684] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7478907A] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[1684] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7478E21D] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[1684] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74784C59] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2020] @ C:\windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [74CBF6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[3332] @ C:\windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [74CBF6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) Device \FileSystem\Ntfs \Ntfs 85A7D1F8 Device \FileSystem\udfs \UdfsCdRom 874441F8 Device \FileSystem\udfs \UdfsDisk 874441F8 AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) Device \Driver\NetBT \Device\NetBT_Tcpip_{B7099467-7D9C-45FC-9806-CDB5BCBD1AA8} 875CC1F8 AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) Device \Driver\volmgr \Device\VolMgrControl 85A771F8 Device \Driver\usbuhci \Device\USBPDO-0 877201F8 Device \Driver\usbuhci \Device\USBPDO-1 877201F8 Device \Driver\usbuhci \Device\USBPDO-2 877201F8 Device \Driver\usbehci \Device\USBPDO-3 86824500 Device \Driver\usbuhci \Device\USBPDO-4 877201F8 AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\usbuhci \Device\USBPDO-5 877201F8 Device \Driver\usbuhci \Device\USBPDO-6 877201F8 Device \Driver\volmgr \Device\HarddiskVolume1 85A771F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\usbehci \Device\USBPDO-7 86824500 Device \Driver\volmgr \Device\HarddiskVolume2 85A771F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom0 87430500 Device \Driver\volmgr \Device\HarddiskVolume3 85A771F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\iaStor \Device\Ide\iaStor0 [8C4D5650] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8C4D5650] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [8C4D5650] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\cdrom \Device\CdRom1 87430500 Device \Driver\volmgr \Device\HarddiskVolume4 85A771F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\NetBT \Device\NetBt_Wins_Export 875CC1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{442FB787-B184-4F19-B4B4-DED6569817AA} 875CC1F8 Device \Driver\sptd \Device\556671468 spkl.sys Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\PCI_PNP7467 \Device\0000005d spkl.sys Device \Driver\usbuhci \Device\USBFDO-0 877201F8 Device \Driver\usbuhci \Device\USBFDO-1 877201F8 Device \Driver\usbuhci \Device\USBFDO-2 877201F8 Device \Driver\usbehci \Device\USBFDO-3 86824500 Device \Driver\usbuhci \Device\USBFDO-4 877201F8 Device \Driver\usbuhci \Device\USBFDO-5 877201F8 Device \Driver\usbuhci \Device\USBFDO-6 877201F8 Device \Driver\usbehci \Device\USBFDO-7 86824500 Device \Driver\a22m4ltw \Device\Scsi\a22m4ltw1Port1Path0Target0Lun0 8778D1F8 Device \Driver\a22m4ltw \Device\Scsi\a22m4ltw1 8778D1F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE4 0x83 0xA1 0xB5 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0F 0x56 0x8E 0x3D ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5E 0x5E 0x71 0x10 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x48 0x7F 0x43 0x35 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE4 0x83 0xA1 0xB5 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0F 0x56 0x8E 0x3D ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5E 0x5E 0x71 0x10 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x48 0x7F 0x43 0x35 ... ---- Files - GMER 1.0.15 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-2789141661-186915839-826018185-1011 0 bytes File C:\avast! sandbox\S-1-5-21-2789141661-186915839-826018185-1011\r6 0 bytes File C:\avast! sandbox\S-1-5-21-2789141661-186915839-826018185-1011\r6\OTL.exe_{5fec6b34-8b0b-11e1-b375-0024546ea5e2} 0 bytes File C:\avast! sandbox\S-1-5-21-2789141661-186915839-826018185-1011\r6\OTL.exe_{5fec6b39-8b0b-11e1-b375-0024546ea5e2} 0 bytes File C:\avast! sandbox\S-1-5-21-2789141661-186915839-826018185-1011\r6\OTL.exe_{5fec6b45-8b0b-11e1-b375-0024546ea5e2} 0 bytes File C:\avast! sandbox\S-1-5-21-2789141661-186915839-826018185-1011\webStorage 0 bytes File C:\avast! sandbox\S-1-5-21-2789141661-186915839-826018185-1011\webStorage\C 0 bytes File C:\avast! sandbox\S-1-5-21-2789141661-186915839-826018185-1011\webStorage\C\windows 0 bytes File C:\avast! sandbox\S-1-5-21-2789141661-186915839-826018185-1011\webStorage\C\windows\Prefetch 0 bytes File C:\avast! sandbox\S-1-5-21-2789141661-186915839-826018185-1011\webStorage\C\windows\Prefetch\CONHOST.EXE-0C6456FB.pf 18298 bytes File C:\avast! sandbox\S-1-5-21-2789141661-186915839-826018185-1011\webStorage\E 0 bytes File C:\avast! sandbox\S-1-5-21-2789141661-186915839-826018185-1011\webStorage\snx_fs.dat 474 bytes File C:\avast! sandbox\snx_rhive 262144 bytes File C:\avast! sandbox\snx_rhive.LOG1 21504 bytes File C:\avast! sandbox\snx_rhive.LOG2 0 bytes File C:\avast! sandbox\snx_rhive{f4eb6632-8b03-11e1-b6c5-0024546ea5e2}.TM.blf 65536 bytes File C:\avast! sandbox\snx_rhive{f4eb6632-8b03-11e1-b6c5-0024546ea5e2}.TMContainer00000000000000000001.regtrans-ms 524288 bytes File C:\avast! sandbox\snx_rhive{f4eb6632-8b03-11e1-b6c5-0024546ea5e2}.TMContainer00000000000000000002.regtrans-ms 524288 bytes File C:\avast! sandbox\snx_rhive{f4eb663a-8b03-11e1-b6c5-0024546ea5e2}.TM.blf 65536 bytes File C:\avast! sandbox\snx_rhive{f4eb663a-8b03-11e1-b6c5-0024546ea5e2}.TMContainer00000000000000000001.regtrans-ms 524288 bytes File C:\avast! sandbox\snx_rhive{f4eb663a-8b03-11e1-b6c5-0024546ea5e2}.TMContainer00000000000000000002.regtrans-ms 524288 bytes ---- EOF - GMER 1.0.15 ----