GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-13 10:34:49
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD321KJ rev.CP100-12
Running: kgug4jmn.exe; Driver: C:\Users\Surax\AppData\Local\Temp\fwddykog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x9023EDF8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x9101AA5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x9023F85E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x902442E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x90244330]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x90244422]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x90244252]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x90244374]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x9024429A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x902443DC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x9023EE44]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x9101AB34]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x9023EAD6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x9023EE90]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x90241D1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x9023FB02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x9024430E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x90244352]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x90244446]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x90244278]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x902443AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x902442C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x90244400]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x9101ACA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x9023F9CE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x9023EEDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x9023EF28]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x9023EB46]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x9023ECEA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x9023EC92]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x9023ED5A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x9101AD60]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x9023EF74]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x9101ABE0]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x91030D92]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 82C49359 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C82D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82C89DA0 4 Bytes [F8, ED, 23, 90]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82C89DC8 4 Bytes [5A, AA, 01, 91]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82C89E28 4 Bytes [5E, F8, 23, 90]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82C89E7C 4 Bytes [E4, 42, 24, 90] {IN AL, 0x42; AND AL, 0x90}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11AC 82C89E81 3 Bytes [43, 24, 90] {INC EBX; AND AL, 0x90}
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82E16C64 5 Bytes JMP 9102DC8C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82E2F290 5 Bytes JMP 9102F764 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82E443D7 4 Bytes CALL 902401B5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82E5E1E0 4 Bytes CALL 902401CB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82EE80F6 7 Bytes JMP 91030D96 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
.text kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text user32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes [E9, 0A, 5C, DD, 8A] {JMP 0xffffffff8add5c0f}
.text user32.dll!UnhookWinEvent 7543B750 5 Bytes [E9, A7, 4C, DD, 8A] {JMP 0xffffffff8add4cac}
.text user32.dll!SetWindowsHookExW 7543E30C 5 Bytes [E9, F3, 24, DD, 8A] {JMP 0xffffffff8add24f8}
.text user32.dll!SetWinEventHook 754424DC 5 Bytes [E9, 17, DD, DC, 8A] {JMP 0xffffffff8adcdd1c}
.text user32.dll!SetWindowsHookExA 75466D0C 5 Bytes [E9, EF, 98, DA, 8A] {JMP 0xffffffff8ada98f4}

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[396] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[396] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[396] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[432] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[432] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[432] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\system32\csrss.exe[496] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[556] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[556] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[556] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[556] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00050A08
.text C:\Windows\system32\wininit.exe[556] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 000503FC
.text C:\Windows\system32\wininit.exe[556] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00050804
.text C:\Windows\system32\wininit.exe[556] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 000501F8
.text C:\Windows\system32\wininit.exe[556] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00050600
.text C:\Windows\system32\csrss.exe[568] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\system32\services.exe[608] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000A03FC
.text C:\Windows\system32\services.exe[608] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000A01F8
.text C:\Windows\system32\services.exe[608] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
? C:\Windows\system32\services.exe[608] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: MSWSOCK.dll
.text C:\Windows\system32\winlogon.exe[640] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[640] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[640] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[640] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 000C0A08
.text C:\Windows\system32\winlogon.exe[640] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 000C03FC
.text C:\Windows\system32\winlogon.exe[640] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 000C0804
.text C:\Windows\system32\winlogon.exe[640] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 000C01F8
.text C:\Windows\system32\winlogon.exe[640] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 000C0600
.text C:\Windows\system32\lsass.exe[668] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsass.exe[668] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsass.exe[668] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\system32\lsm.exe[680] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsm.exe[680] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsm.exe[680] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[772] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 001603FC
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[772] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 001601F8
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[772] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[772] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00300A08
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[772] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 003003FC
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[772] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00300804
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[772] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 003001F8
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[772] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00300600
.text C:\Windows\system32\svchost.exe[780] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[780] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\system32\nvvsvc.exe[856] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 001603FC
.text C:\Windows\system32\nvvsvc.exe[856] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 001601F8
.text C:\Windows\system32\nvvsvc.exe[856] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\system32\nvvsvc.exe[856] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 001F0A08
.text C:\Windows\system32\nvvsvc.exe[856] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001F03FC
.text C:\Windows\system32\nvvsvc.exe[856] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 001F0804
.text C:\Windows\system32\nvvsvc.exe[856] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001F01F8
.text C:\Windows\system32\nvvsvc.exe[856] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 001F0600
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 001503FC
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 001501F8
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00180A08
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001803FC
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00180804
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001801F8
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00180600
.text C:\Windows\system32\svchost.exe[924] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[924] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[972] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[972] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[972] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00190A08
.text C:\Windows\System32\svchost.exe[972] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001903FC
.text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00190804
.text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001901F8
.text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00190600
.text C:\Windows\System32\svchost.exe[1084] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[1084] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[1084] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1084] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00280A08
.text C:\Windows\System32\svchost.exe[1084] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 002803FC
.text C:\Windows\System32\svchost.exe[1084] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00280804
.text C:\Windows\System32\svchost.exe[1084] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 002801F8
.text C:\Windows\System32\svchost.exe[1084] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00280600
.text C:\Windows\System32\svchost.exe[1120] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[1120] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1120] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00360A08
.text C:\Windows\System32\svchost.exe[1120] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 003603FC
.text C:\Windows\System32\svchost.exe[1120] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00360804
.text C:\Windows\System32\svchost.exe[1120] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 003601F8
.text C:\Windows\System32\svchost.exe[1120] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00360600
.text C:\Windows\system32\svchost.exe[1148] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[1148] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\system32\wuauclt.exe[1200] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000703FC
.text C:\Windows\system32\wuauclt.exe[1200] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000701F8
.text C:\Windows\system32\wuauclt.exe[1200] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\system32\wuauclt.exe[1200] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00090A08
.text C:\Windows\system32\wuauclt.exe[1200] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 000903FC
.text C:\Windows\system32\wuauclt.exe[1200] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00090804
.text C:\Windows\system32\wuauclt.exe[1200] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 000901F8
.text C:\Windows\system32\wuauclt.exe[1200] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00090600
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1352] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1352] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00560A08
.text C:\Windows\system32\svchost.exe[1352] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 005603FC
.text C:\Windows\system32\svchost.exe[1352] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00560804
.text C:\Windows\system32\svchost.exe[1352] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 005601F8
.text C:\Windows\system32\svchost.exe[1352] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00560600
.text C:\Program Files\Mozilla Firefox\firefox.exe[1368] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[1368] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 6058696F C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1368] kernel32.dll!MapViewOfFile 75A993DB 5 Bytes JMP 60830219 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1368] kernel32.dll!VirtualAlloc 75A9C43A 5 Bytes JMP 60830240 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1368] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1368] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 000F0A08
.text C:\Program Files\Mozilla Firefox\firefox.exe[1368] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 000F03FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[1368] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 000F0804
.text C:\Program Files\Mozilla Firefox\firefox.exe[1368] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 000F01F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[1368] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 000F0600
.text C:\Program Files\Mozilla Firefox\firefox.exe[1368] GDI32.dll!CreateDIBSection 75A08850 5 Bytes JMP 608301A3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Windows\system32\svchost.exe[1496] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[1496] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[1496] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1520] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 001603FC
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1520] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 001601F8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1520] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1520] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1520] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001F03FC
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1520] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 001F0804
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1520] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001F01F8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1520] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 001F0600
.text C:\Windows\system32\nvvsvc.exe[1532] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 001603FC
.text C:\Windows\system32\nvvsvc.exe[1532] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 001601F8
.text C:\Windows\system32\nvvsvc.exe[1532] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\system32\nvvsvc.exe[1532] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 001F0A08
.text C:\Windows\system32\nvvsvc.exe[1532] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001F03FC
.text C:\Windows\system32\nvvsvc.exe[1532] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 001F0804
.text C:\Windows\system32\nvvsvc.exe[1532] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001F01F8
.text C:\Windows\system32\nvvsvc.exe[1532] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 001F0600
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1564] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000703FC
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1564] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000701F8
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1564] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1564] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00200A08
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1564] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 002003FC
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1564] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00200804
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1564] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 002001F8
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1564] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00200600
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1628] kernel32.dll!SetUnhandledExceptionFilter 75A9F4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1628] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\xampp\apache\bin\httpd.exe[1776] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000A03FC
.text C:\xampp\apache\bin\httpd.exe[1776] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000A01F8
.text C:\xampp\apache\bin\httpd.exe[1776] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\xampp\apache\bin\httpd.exe[1776] user32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00170A08
.text C:\xampp\apache\bin\httpd.exe[1776] user32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001703FC
.text C:\xampp\apache\bin\httpd.exe[1776] user32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00170804
.text C:\xampp\apache\bin\httpd.exe[1776] user32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001701F8
.text C:\xampp\apache\bin\httpd.exe[1776] user32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00170600
.text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[2004] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000703FC
.text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[2004] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000701F8
.text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[2004] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[2004] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[2004] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001003FC
.text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[2004] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00100804
.text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[2004] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001001F8
.text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[2004] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00100600
.text C:\Windows\System32\spoolsv.exe[2012] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\spoolsv.exe[2012] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\spoolsv.exe[2012] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[2012] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00100A08
.text C:\Windows\System32\spoolsv.exe[2012] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001003FC
.text C:\Windows\System32\spoolsv.exe[2012] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00100804
.text C:\Windows\System32\spoolsv.exe[2012] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001001F8
.text C:\Windows\System32\spoolsv.exe[2012] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00100600
.text C:\Windows\System32\rundll32.exe[2140] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000703FC
.text C:\Windows\System32\rundll32.exe[2140] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000701F8
.text C:\Windows\System32\rundll32.exe[2140] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\System32\rundll32.exe[2140] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00100A08
.text C:\Windows\System32\rundll32.exe[2140] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001003FC
.text C:\Windows\System32\rundll32.exe[2140] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00100804
.text C:\Windows\System32\rundll32.exe[2140] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001001F8
.text C:\Windows\System32\rundll32.exe[2140] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00100600
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[2144] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 001603FC
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[2144] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 001601F8
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[2144] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[2144] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00200A08
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[2144] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 002003FC
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[2144] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00200804
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[2144] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 002001F8
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[2144] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00200600
.text C:\Windows\System32\rundll32.exe[2188] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000703FC
.text C:\Windows\System32\rundll32.exe[2188] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000701F8
.text C:\Windows\System32\rundll32.exe[2188] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\System32\rundll32.exe[2188] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00100A08
.text C:\Windows\System32\rundll32.exe[2188] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001003FC
.text C:\Windows\System32\rundll32.exe[2188] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00100804
.text C:\Windows\System32\rundll32.exe[2188] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001001F8
.text C:\Windows\System32\rundll32.exe[2188] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00100600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2204] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000803FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2204] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000801F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2204] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2204] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00120A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2204] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001203FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2204] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00120804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2204] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001201F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2204] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00120600
.text c:\xampp\mysql\bin\mysqld.exe[2240] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text c:\xampp\mysql\bin\mysqld.exe[2240] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8
.text c:\xampp\mysql\bin\mysqld.exe[2240] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text c:\xampp\mysql\bin\mysqld.exe[2240] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00200A08
.text c:\xampp\mysql\bin\mysqld.exe[2240] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 002003FC
.text c:\xampp\mysql\bin\mysqld.exe[2240] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00200804
.text c:\xampp\mysql\bin\mysqld.exe[2240] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 002001F8
.text c:\xampp\mysql\bin\mysqld.exe[2240] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00200600
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe[2268] KERNEL32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2392] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[2392] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[2392] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2432] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2432] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2432] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2432] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2432] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001003FC
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2432] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00100804
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2432] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001001F8
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2432] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\SearchIndexer.exe[2464] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\SearchIndexer.exe[2464] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\SearchIndexer.exe[2464] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[2464] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00240A08
.text C:\Windows\system32\SearchIndexer.exe[2464] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 002403FC
.text C:\Windows\system32\SearchIndexer.exe[2464] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00240804
.text C:\Windows\system32\SearchIndexer.exe[2464] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 002401F8
.text C:\Windows\system32\SearchIndexer.exe[2464] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00240600
.text C:\Windows\system32\svchost.exe[2500] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[2500] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[2500] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2528] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[2528] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[2528] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2620] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 001603FC
.text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2620] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 001601F8
.text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2620] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2620] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2620] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001F03FC
.text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2620] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 001F0804
.text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2620] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001F01F8
.text C:\Program Files\RealVNC\VNC4\WinVNC4.exe[2620] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 001F0600
.text C:\Windows\notepad.exe[2640] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC
.text C:\Windows\notepad.exe[2640] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8
.text C:\Windows\notepad.exe[2640] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\notepad.exe[2640] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00090A08
.text C:\Windows\notepad.exe[2640] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 000903FC
.text C:\Windows\notepad.exe[2640] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00090804
.text C:\Windows\notepad.exe[2640] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 000901F8
.text C:\Windows\notepad.exe[2640] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00090600
.text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2660] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 001603FC
.text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2660] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 001601F8
.text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2660] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2660] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00300A08
.text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2660] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 003003FC
.text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2660] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00300804
.text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2660] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 003001F8
.text C:\Program Files\RealVNC\VNC4\winvnc4.exe[2660] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00300600
.text E:\Pobierane\kgug4jmn.exe[2692] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 001603FC
.text E:\Pobierane\kgug4jmn.exe[2692] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 001601F8
.text E:\Pobierane\kgug4jmn.exe[2692] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text E:\Pobierane\kgug4jmn.exe[2692] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00210A08
.text E:\Pobierane\kgug4jmn.exe[2692] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 002103FC
.text E:\Pobierane\kgug4jmn.exe[2692] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00210804
.text E:\Pobierane\kgug4jmn.exe[2692] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 002101F8
.text E:\Pobierane\kgug4jmn.exe[2692] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00210600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2728] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000903FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2728] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000901F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2728] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2728] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00130A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2728] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001303FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2728] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00130804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2728] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001301F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2728] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00130600
.text C:\Windows\system32\taskhost.exe[2972] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskhost.exe[2972] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskhost.exe[2972] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[2972] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 000E0A08
.text C:\Windows\system32\taskhost.exe[2972] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 000E03FC
.text C:\Windows\system32\taskhost.exe[2972] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 
000E0804 .text C:\Windows\system32\taskhost.exe[2972] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 000E01F8 .text C:\Windows\system32\taskhost.exe[2972] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 000E0600 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2996] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3040] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3040] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3040] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3040] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00090A08 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3040] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 000903FC .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3040] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00090804 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3040] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 000901F8 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3040] USER32.dll!GetWindowInfo 75444B5E 5 Bytes JMP 6070A76C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3040] USER32.dll!TrackPopupMenu 75452228 5 Bytes JMP 6070AD79 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3040] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00090600 .text C:\Windows\system32\Dwm.exe[3064] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC .text C:\Windows\system32\Dwm.exe[3064] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\Dwm.exe[3064] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62] .text C:\Windows\system32\Dwm.exe[3064] 
USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 000F0A08 .text C:\Windows\system32\Dwm.exe[3064] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 000F03FC .text C:\Windows\system32\Dwm.exe[3064] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 000F0804 .text C:\Windows\system32\Dwm.exe[3064] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 000F01F8 .text C:\Windows\system32\Dwm.exe[3064] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 000F0600 .text C:\xampp\apache\bin\httpd.exe[3212] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000A03FC .text C:\xampp\apache\bin\httpd.exe[3212] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000A01F8 .text C:\xampp\apache\bin\httpd.exe[3212] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62] .text C:\xampp\apache\bin\httpd.exe[3212] user32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00170A08 .text C:\xampp\apache\bin\httpd.exe[3212] user32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001703FC .text C:\xampp\apache\bin\httpd.exe[3212] user32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00170804 .text C:\xampp\apache\bin\httpd.exe[3212] user32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001701F8 .text C:\xampp\apache\bin\httpd.exe[3212] user32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00170600 .text C:\Users\Surax\Downloads\OTL.exe[3236] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 001603FC .text C:\Users\Surax\Downloads\OTL.exe[3236] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 001601F8 .text C:\Users\Surax\Downloads\OTL.exe[3236] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62] .text C:\Windows\system32\notepad.exe[3996] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC .text C:\Windows\system32\notepad.exe[3996] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\notepad.exe[3996] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62] .text C:\Windows\system32\notepad.exe[3996] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00100A08 .text C:\Windows\system32\notepad.exe[3996] USER32.dll!UnhookWinEvent 
7543B750 5 Bytes JMP 001003FC .text C:\Windows\system32\notepad.exe[3996] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00100804 .text C:\Windows\system32\notepad.exe[3996] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001001F8 .text C:\Windows\system32\notepad.exe[3996] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00100600 .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[4340] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 001603FC .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[4340] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 001601F8 .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[4340] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62] .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[4340] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 001F0A08 .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[4340] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001F03FC .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[4340] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 001F0804 .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[4340] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001F01F8 .text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[4340] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 001F0600 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4348] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 001603FC .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4348] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 001601F8 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4348] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4348] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00210A08 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4348] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 002103FC .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4348] 
USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00210804 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4348] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 002101F8 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4348] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00210600 .text C:\Program Files\EXPERTool\TBPANEL.exe[4400] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 001603FC .text C:\Program Files\EXPERTool\TBPANEL.exe[4400] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 001601F8 .text C:\Program Files\EXPERTool\TBPANEL.exe[4400] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62] .text C:\Program Files\EXPERTool\TBPANEL.exe[4400] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 001F0A08 .text C:\Program Files\EXPERTool\TBPANEL.exe[4400] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001F03FC .text C:\Program Files\EXPERTool\TBPANEL.exe[4400] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 001F0804 .text C:\Program Files\EXPERTool\TBPANEL.exe[4400] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001F01F8 .text C:\Program Files\EXPERTool\TBPANEL.exe[4400] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 001F0600 .text C:\Windows\system32\AUDIODG.EXE[4808] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62] .text C:\Windows\system32\taskeng.exe[4928] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC .text C:\Windows\system32\taskeng.exe[4928] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\taskeng.exe[4928] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62] .text C:\Windows\system32\taskeng.exe[4928] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 000F0A08 .text C:\Windows\system32\taskeng.exe[4928] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 000F03FC .text C:\Windows\system32\taskeng.exe[4928] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 000F0804 .text C:\Windows\system32\taskeng.exe[4928] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 000F01F8 .text 
C:\Windows\system32\taskeng.exe[4928] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 000F0600 .text C:\Windows\notepad.exe[5068] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC .text C:\Windows\notepad.exe[5068] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8 .text C:\Windows\notepad.exe[5068] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62] .text C:\Windows\notepad.exe[5068] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00140A08 .text C:\Windows\notepad.exe[5068] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001403FC .text C:\Windows\notepad.exe[5068] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00140804 .text C:\Windows\notepad.exe[5068] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001401F8 .text C:\Windows\notepad.exe[5068] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00140600 .text C:\Windows\Explorer.exe[5072] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC .text C:\Windows\Explorer.exe[5072] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8 .text C:\Windows\Explorer.exe[5072] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62] .text C:\Windows\Explorer.exe[5072] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00120A08 .text C:\Windows\Explorer.exe[5072] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 001203FC .text C:\Windows\Explorer.exe[5072] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00120804 .text C:\Windows\Explorer.exe[5072] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 001201F8 .text C:\Windows\Explorer.exe[5072] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00120600 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[5084] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 001503FC .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[5084] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 001501F8 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[5084] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62] .text C:\Program Files\Malwarebytes' 
Anti-Malware\mbamservice.exe[5084] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 002F0A08 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[5084] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 002F03FC .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[5084] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 002F0804 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[5084] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 002F01F8 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[5084] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 002F0600 .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[5296] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 001703FC .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[5296] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 001701F8 .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[5296] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62] .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[5296] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00200A08 .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[5296] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 002003FC .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[5296] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00200804 .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[5296] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 002001F8 .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[5296] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00200600 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5704] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5704] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5704] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 
1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5704] USER32.dll!UnhookWindowsHookEx 7543ADF9 5 Bytes JMP 00090A08 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5704] USER32.dll!UnhookWinEvent 7543B750 5 Bytes JMP 000903FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5704] USER32.dll!SetWindowsHookExW 7543E30C 5 Bytes JMP 00090804 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5704] USER32.dll!SetWinEventHook 754424DC 5 Bytes JMP 000901F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5704] USER32.dll!SetWindowsHookExA 75466D0C 5 Bytes JMP 00090600 .text C:\Windows\system32\svchost.exe[5788] ntdll.dll!LdrUnloadDll 76EAC86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[5788] ntdll.dll!LdrLoadDll 76EB223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[5788] kernel32.dll!GetBinaryTypeW + 70 75AB69F4 1 Byte [62] ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeHeap] 51EC8B55 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeUnicodeString] 8B565351 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgPrintEx] FF560875 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar] A4510815 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClose] 85D88B00 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationFile] C2840FDB IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenFile] 57000000 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationFile] 0068406A IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareUnicodeString] FF000010 IAT C:\Windows\system32\services.exe[608] @ 
C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeStringToString] 006A5073 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateHeap] 508415FF IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToInteger] F88B00A4 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreatePagingFile] 85FC7D89 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!_alldiv] 9E840FFF IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySystemInformation] 8B000000 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!_allmul] A4F3544B IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtFlushKey] 1443B70F IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeleteValueKey] 0653B70F IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetValueKey] 1818448D IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateKey] 8B0CC083 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareMemory] 08758B08 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeviceIoControlFile] 03FC7D8B IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeStringEx] 8BF903F1 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExtendedIntegerMultiply] C083FC48 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryVolumeInformationFile] A4F34A28 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationProcess] 758BE975 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeToString] 
443D8BFC IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeString] 2B00A451 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSystemInformation] 458D0875 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosPathNameToNtPathName_U] 056A50F8 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExpandEnvironmentStrings_U] 75FF016A IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryValueKey] 85D7FFFC IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateFile] EB2574C0 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenKey] 04488B1D IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!_vsnwprintf] 56F84D29 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventWrite] 8B08508D IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventEnabled] FC450300 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSecurityObject] 52F8C183 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetOwnerSecurityDescriptor] 5051E9D1 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetDaclSecurityDescriptor] 514015FF IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddAccessAllowedAce] 7D8300A4 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateAcl] DD7500F8 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateSecurityDescriptor] 50F8458D IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateAndInitializeSid] 016A016A IAT 
C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString] FFFC75FF IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtReadFile] 74C085D7 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!_chkstk] 0C488D20 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMakeTemporaryObject] C085018B IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSymbolicLinkObject] F18B1774 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenDirectoryObject] 03FC4D8B IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAnsiStringToUnicodeString] 15FF50C1 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitAnsiString] [00A45080] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation) IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!_stricmp] 8B14C683 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!qsort] 75C08506 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlRandomEx] FC458BEB IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrVerifyImageMatchesChecksumEx] C95B5E5F IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateDirectoryObject] 560004C2 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlEqualUnicodeString] 7140BF57 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!memcpy] 8B5700A4 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsicmp] 7C15FFF1 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetEnvironmentVariable] 6A00A450 IAT 
C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!iswspace] 3C83580F IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryEnvironmentVariable_U] A4715885 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindSetBits] 09740000 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInterlockedSetBitRun] 8548C88B IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTestBit] EBEF75C9 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnlockBootStatusData] 85348907 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetSetBootStatusData] [00A47158] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation) IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLockBootStatusData] 3415FF57 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetSaclSecurityDescriptor] 5F00A450 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddMandatoryAce] 5756C35E IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLengthSid] A47140BF IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetAce] F18B5700 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlPrefixUnicodeString] 507C15FF IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySymbolicLinkObject] 0F6A00A4 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenSymbolicLinkObject] 85343958 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryDirectoryObject] [00A47158] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation) 
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTimeToTimeFields] C88B0974 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSerializeBoot] 75C98548 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!memset] 8308EBF0 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMapViewOfSection] 71588524 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSection] 570000A4 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryRegistryValues] 503415FF IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosSearchPath_U] 5E5F00A4 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtResumeThread] 800068C3 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForSingleObject] 006A0000 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtTerminateProcess] 7815FF51 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDestroyProcessParameters] 5000A450 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserProcess] 513C15FF IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateProcessParametersEx] 55C300A4 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDisplayString] 5351EC8B IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWriteFile] 35FF5756 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsupr] [00A47198] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation) IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAdjustPrivilege] 513815FF IAT 
C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtInitializeRegistry] 8D5900A4 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!TpReleaseWork] E8400044 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!TpPostWork] 00002B4C IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocWork] 75FFFC8B IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetEvent] FC7D8908 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetCurrentEnvironment] 719835FF IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateEnvironment] EC6800A4 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenEvent] 5700A453 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetBits] 513415FF IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearAllBits] DB3300A4 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeBitMap] 3910C483 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCreatePort] 6E7D085D IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationProcess] FFF63357 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateTagHeap] A4507415 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockExclusive] 85F88B00 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockExclusive] 8D3774FF IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationThread] 6A500845 IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe 
[ntdll.dll!NtQueryInformationToken] FF575602
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenThreadToken] A4513015
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcImpersonateClientOfPort] 7CC08500
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockShared] FF556A25
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockShared] 15FFFC75
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!TpSetPoolMinThreads] [00A4512C] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcDisconnectPort] C9335959
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeSRWLock] 08896657
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtConnectPort] FFFE1FE8
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcGetMessageAttribute] 85D88BFF
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcAcceptConnectPort] 8B0774DB
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcOpenSenderProcess] F72B0875
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCancelMessage] FF57F303
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcSendWaitReceivePort] A4507015
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcInitializeMessageAttribute] 74F68500
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetThreadIsCritical] FC4D8B53
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRequestWaitReplyPort] A47084BA
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDuplicateObject] 85D6FF00
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateEvent] 684575C0
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeConditionVariable] 00008000
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearBits] 15FF5350
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDeleteNoSplay] [00A45078] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClearEvent] 5D3936EB
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSleepConditionVariableSRW] BB31740C
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeAllConditionVariable] [00A47140] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindClearBits] 7C15FF53
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeSid] BE00A450
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRaiseHardError] [00A47194] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForMultipleObjects] C085068B
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocAlpcCompletion] 4D8B0774
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocPool] FFD78B08
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetProcessIsCritical] 83C68BD0
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventRegister] 583D04EE
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetHeapInformation] 7500A471
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeConditionVariable] 15FF53E7
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDelayExecution] [00A45034] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToAnsiString] 5FF0658D
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryEvent] C2C95B5E
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleasePrivilege] 8B550008
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquirePrivilege] B8EC81EC
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrQueryImageFileExecutionOptions] 53000008
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!wcstoul] 0B6A5756
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsnicmp] 5420BE59
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnhandledExceptionFilter] BD8D00A4
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnwind] FFFFFF4C
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNormalizeProcessParams] 526AA5F3
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlConnectToSm] 858DFF33
IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSendMsgToSm] FFFFFF78
IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1628] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [728DF6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Windows\System32\rundll32.exe[2140] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74E6FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2140] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74E6FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2140] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74E6FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2140] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74E6FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2140] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [74E6FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2188] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74E6FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2188] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74E6FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2188] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74E6FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2188] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74E6FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[2996] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [728DF6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device \Driver\ACPI_HAL \Device\00000056 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----