GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-31 01:23:35
Windows 6.1.7601 Service Pack 1
Running: j62fegyg.exe; Driver: C:\Users\Patryk\AppData\Local\Temp\kwrdipog.sys


---- System - GMER 1.0.15 ----

SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwAddBootEntry [0x9101C708]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwAllocateVirtualMemory [0x91B327C8]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwAssignProcessToJobObject [0x9101D11C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateEvent [0x91027F28]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateEventPair [0x91027F74]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateIoCompletion [0x910280F6]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateMutant [0x91027E96]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateSection [0x91B32BBA]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateSemaphore [0x91027EDE]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateThread [0x9101D310]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateThreadEx [0x9101D498]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateTimer [0x910280B0]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDebugActiveProcess [0x9101DA9C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDeleteBootEntry [0x9101C756]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwFreeVirtualMemory [0x91B328AC]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwLoadDriver [0x9101C3BE]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwModifyBootEntry [0x9101C7A4]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwNotifyChangeKey [0x91021456]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwNotifyChangeMultipleKeys [0x9101E464]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenEvent [0x91027F52]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenEventPair [0x91027F96]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenIoCompletion [0x9102811A]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenMutant [0x91027EBC]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenSection [0x9102803A]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenSemaphore [0x91027F06]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenTimer [0x910280D4]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwProtectVirtualMemory [0x91B32A2C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwQueryObject [0x9101E330]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwQueueApcThreadEx [0x9101E06C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetBootEntryOrder [0x9101C7F2]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetBootOptions [0x9101C840]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetContextThread [0x9101D91C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetSystemInformation [0x9101C448]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetSystemPowerState [0x9101C5F8]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwShutdownSystem [0x9101C59E]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSuspendProcess [0x9101DBFE]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSuspendThread [0x9101DD5A]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSystemDebugControl [0x9101C668]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwTerminateProcess [0x91B32AF6]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwTerminateThread [0x9101D794]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwVdmControl [0x9101C88E]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwWriteVirtualMemory [0x91B32962]

Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateProcessEx [0x91B4A966]
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!ZwRollbackEnlistment + 140D  8348C3C9 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  834C5D52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 10CB  834CCD80 4 Bytes  [08, C7, 01, 91]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 10F3  834CCDA8 4 Bytes  [C8, 27, B3, 91] {ENTER 0xb327, 0x91}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1153  834CCE08 4 Bytes  [1C, D1, 01, 91]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 11A7  834CCE5C 8 Bytes  [28, 7F, 02, 91, 74, 7F, 02, ...]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 11B3  834CCE68 4 Bytes  [F6, 80, 02, 91]
.text  ...
PAGE  ntkrnlpa.exe!ObMakeTemporaryObject  83659C64 5 Bytes  JMP 91B47806 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE  ntkrnlpa.exe!ObInsertObject + 27  83672290 5 Bytes  JMP 91B49338 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE  ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108  836873D7 4 Bytes  CALL 9101EB07 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE  ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122  836A11E0 4 Bytes  CALL 9101EB1D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE  ntkrnlpa.exe!ZwCreateProcessEx  8372B11A 7 Bytes  JMP 91B4A96A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE  spsys.sys!?SPRevision@@3PADA + 4F90  BAA5A000 290 Bytes  [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE  spsys.sys!?SPRevision@@3PADA + 50B3  BAA5A123 629 Bytes  [55, A5, BA, FE, 05, 34, 55, ...]
PAGE  spsys.sys!?SPRevision@@3PADA + 5329  BAA5A399 101 Bytes  [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE  spsys.sys!?SPRevision@@3PADA + 538F  BAA5A3FF 148 Bytes  [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE  spsys.sys!?SPRevision@@3PADA + 543B  BAA5A4AB 2228 Bytes  [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE  ...
.text  user32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  [E9, 0A, 5C, 29, 8A] {JMP 0xffffffff8a295c0f}
.text  user32.dll!UnhookWinEvent  75F7B750 5 Bytes  [E9, A7, 4C, 29, 8A] {JMP 0xffffffff8a294cac}
.text  user32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  [E9, F3, 24, 29, 8A] {JMP 0xffffffff8a2924f8}
.text  user32.dll!SetWinEventHook  75F824DC 5 Bytes  [E9, 17, DD, 28, 8A] {JMP 0xffffffff8a28dd1c}
.text  user32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  [E9, EF, 98, 26, 8A] {JMP 0xffffffff8a2698f4}
.text  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]

---- User code sections - GMER 1.0.15 ----

.text  C:\windows\system32\wbem\unsecapp.exe[200]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 001603FC
.text  C:\windows\system32\wbem\unsecapp.exe[200]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 001601F8
.text  C:\windows\system32\wbem\unsecapp.exe[200]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\windows\system32\wbem\unsecapp.exe[200]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00180A08
.text  C:\windows\system32\wbem\unsecapp.exe[200]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 001803FC
.text  C:\windows\system32\wbem\unsecapp.exe[200]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00180804
.text  C:\windows\system32\wbem\unsecapp.exe[200]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 001801F8
.text  C:\windows\system32\wbem\unsecapp.exe[200]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00180600
.text  C:\windows\system32\csrss.exe[444]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\windows\system32\wininit.exe[484]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\windows\system32\csrss.exe[492]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\windows\system32\services.exe[540]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\windows\system32\lsass.exe[572]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  ...
.text  C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1684]  kernel32.dll!SetUnhandledExceptionFilter  75A3F4FB 4 Bytes  [C2, 04, 00, 90] {RET 0x4; NOP }
.text  C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1684]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Program Files\Lenovo\ReadyComm\common\IGRS.exe[1700]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\windows\system32\svchost.exe[1760]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Program Files\Lenovo\LenovoSecuritySolution FP\upeksrvc.exe[1800]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\windows\System32\spoolsv.exe[1892]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  ...
.text  C:\windows\System32\IgrsSvcs.exe[2112]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 000603FC
.text  C:\windows\System32\IgrsSvcs.exe[2112]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 000601F8
.text  C:\windows\System32\IgrsSvcs.exe[2112]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2372]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 000603FC
.text  C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2372]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 000601F8
.text  C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2372]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2372]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00100A08
.text  C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2372]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 001003FC
.text  C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2372]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00100804
.text  C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2372]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 001001F8
.text  C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2372]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00100600
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2436]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 000E03FC
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2436]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 000E01F8
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2436]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2436]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00290A08
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2436]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 002903FC
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2436]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00290804
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2436]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 002901F8
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2436]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00290600
.text  C:\windows\system32\svchost.exe[2464]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 000603FC
.text  C:\windows\system32\svchost.exe[2464]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 000601F8
.text  C:\windows\system32\svchost.exe[2464]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\windows\system32\taskhost.exe[2692]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 000503FC
.text  C:\windows\system32\taskhost.exe[2692]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 000501F8
.text  C:\windows\system32\taskhost.exe[2692]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\windows\system32\taskhost.exe[2692]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00070A08
.text  C:\windows\system32\taskhost.exe[2692]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 000703FC
.text  C:\windows\system32\taskhost.exe[2692]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00070804
.text  C:\windows\system32\taskhost.exe[2692]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 000701F8
.text  C:\windows\system32\taskhost.exe[2692]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00070600
.text  C:\windows\system32\Dwm.exe[2700]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 000603FC
.text  C:\windows\system32\Dwm.exe[2700]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 000601F8
.text  C:\windows\system32\Dwm.exe[2700]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\windows\system32\Dwm.exe[2700]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 000F0A08
.text  C:\windows\system32\Dwm.exe[2700]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 000F03FC
.text  C:\windows\system32\Dwm.exe[2700]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 000F0804
.text  C:\windows\system32\Dwm.exe[2700]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 000F01F8
.text  C:\windows\system32\Dwm.exe[2700]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 000F0600
.text  C:\Program Files\Motorola\Bluetooth\obexsrv.exe[2824]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 001503FC
.text  C:\Program Files\Motorola\Bluetooth\obexsrv.exe[2824]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 001501F8
.text  C:\Program Files\Motorola\Bluetooth\obexsrv.exe[2824]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Program Files\Motorola\Bluetooth\obexsrv.exe[2824]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 002F0A08
.text  C:\Program Files\Motorola\Bluetooth\obexsrv.exe[2824]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 002F03FC
.text  C:\Program Files\Motorola\Bluetooth\obexsrv.exe[2824]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 002F0804
.text  C:\Program Files\Motorola\Bluetooth\obexsrv.exe[2824]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 002F01F8
.text  C:\Program Files\Motorola\Bluetooth\obexsrv.exe[2824]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 002F0600
.text  C:\windows\servicing\TrustedInstaller.exe[2888]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 000903FC
.text  C:\windows\servicing\TrustedInstaller.exe[2888]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 000901F8
.text  C:\windows\servicing\TrustedInstaller.exe[2888]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\windows\servicing\TrustedInstaller.exe[2888]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00130A08
.text  C:\windows\servicing\TrustedInstaller.exe[2888]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 001303FC
.text  C:\windows\servicing\TrustedInstaller.exe[2888]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00130804
.text  C:\windows\servicing\TrustedInstaller.exe[2888]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 001301F8
.text  C:\windows\servicing\TrustedInstaller.exe[2888]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00130600
.text  C:\windows\Explorer.EXE[2900]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 000603FC
.text  C:\windows\Explorer.EXE[2900]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 000601F8
.text  C:\windows\Explorer.EXE[2900]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\windows\Explorer.EXE[2900]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00110A08
.text  C:\windows\Explorer.EXE[2900]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 001103FC
.text  C:\windows\Explorer.EXE[2900]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00110804
.text  C:\windows\Explorer.EXE[2900]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 001101F8
.text  C:\windows\Explorer.EXE[2900]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00110600
.text  C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2944]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 001503FC
.text  C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2944]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 001501F8
.text  C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2944]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2944]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 001F0A08
.text  C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2944]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 001F03FC
.text  C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2944]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 001F0804
.text  C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2944]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 001F01F8
.text  C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2944]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 001F0600
.text  C:\windows\system32\SearchIndexer.exe[3148]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 000603FC
.text  C:\windows\system32\SearchIndexer.exe[3148]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 000601F8
.text  C:\windows\system32\SearchIndexer.exe[3148]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\windows\system32\SearchIndexer.exe[3148]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00100A08
.text  C:\windows\system32\SearchIndexer.exe[3148]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 001003FC
.text  C:\windows\system32\SearchIndexer.exe[3148]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00100804
.text  C:\windows\system32\SearchIndexer.exe[3148]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 001001F8
.text  C:\windows\system32\SearchIndexer.exe[3148]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00100600
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3468]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 001603FC
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3468]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 001601F8
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3468]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3468]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00200A08
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3468]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 002003FC
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3468]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00200804
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3468]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 002001F8
.text  C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3468]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00200600
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3524]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 001603FC
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3524]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 001601F8
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3524]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3524]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 001F0A08
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3524]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 001F03FC
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3524]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 001F0804
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3524]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 001F01F8
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3524]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 001F0600
.text  C:\windows\system32\wbem\wmiprvse.exe[3684]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 000B03FC
.text  C:\windows\system32\wbem\wmiprvse.exe[3684]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 000B01F8
.text  C:\windows\system32\wbem\wmiprvse.exe[3684]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\windows\system32\wbem\wmiprvse.exe[3684]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00150A08
.text  C:\windows\system32\wbem\wmiprvse.exe[3684]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 001503FC
.text  C:\windows\system32\wbem\wmiprvse.exe[3684]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00150804
.text  C:\windows\system32\wbem\wmiprvse.exe[3684]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 001501F8
.text  C:\windows\system32\wbem\wmiprvse.exe[3684]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00150600
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3704]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 001603FC
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3704]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 001601F8
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3704]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3704]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00180A08
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3704]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 001803FC
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3704]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00180804
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3704]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 001801F8
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3704]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00180600
.text  C:\Program Files\Lenovo\VeriFace\PManage.exe[3800]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 001603FC
.text  C:\Program Files\Lenovo\VeriFace\PManage.exe[3800]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 001601F8
.text  C:\Program Files\Lenovo\VeriFace\PManage.exe[3800]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Program Files\Lenovo\VeriFace\PManage.exe[3800]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00200A08
.text  C:\Program Files\Lenovo\VeriFace\PManage.exe[3800]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 002003FC
.text  C:\Program Files\Lenovo\VeriFace\PManage.exe[3800]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00200804
.text  C:\Program Files\Lenovo\VeriFace\PManage.exe[3800]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 002001F8
.text  C:\Program Files\Lenovo\VeriFace\PManage.exe[3800]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00200600
.text  C:\Program Files\Lenovo\Energy Management\utility.exe[3820]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 001603FC
.text  C:\Program Files\Lenovo\Energy Management\utility.exe[3820]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 001601F8
.text  C:\Program Files\Lenovo\Energy Management\utility.exe[3820]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Program Files\Lenovo\Energy Management\utility.exe[3820]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 001F0A08
.text  C:\Program Files\Lenovo\Energy Management\utility.exe[3820]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 001F03FC
.text  C:\Program Files\Lenovo\Energy Management\utility.exe[3820]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 001F0804
.text  C:\Program Files\Lenovo\Energy Management\utility.exe[3820]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 001F01F8
.text  C:\Program Files\Lenovo\Energy Management\utility.exe[3820]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 001F0600
.text  C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3868]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 001603FC
.text  C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3868]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 001601F8
.text  C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3868]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3868]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00200A08
.text  C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3868]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 002003FC
.text  C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3868]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00200804
.text  C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3868]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 002001F8
.text  C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3868]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00200600
.text  C:\Windows\System32\igfxtray.exe[3892]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 001603FC
.text  C:\Windows\System32\igfxtray.exe[3892]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 001601F8
.text  C:\Windows\System32\igfxtray.exe[3892]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Windows\System32\igfxtray.exe[3892]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00190A08
.text  C:\Windows\System32\igfxtray.exe[3892]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 001903FC
.text  C:\Windows\System32\igfxtray.exe[3892]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00190804
.text  C:\Windows\System32\igfxtray.exe[3892]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 001901F8
.text  C:\Windows\System32\igfxtray.exe[3892]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00190600
.text  C:\Windows\System32\hkcmd.exe[3900]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 001603FC
.text  C:\Windows\System32\hkcmd.exe[3900]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 001601F8
.text  C:\Windows\System32\hkcmd.exe[3900]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Windows\System32\hkcmd.exe[3900]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00200A08
.text  C:\Windows\System32\hkcmd.exe[3900]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 002003FC
.text  C:\Windows\System32\hkcmd.exe[3900]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00200804
.text  C:\Windows\System32\hkcmd.exe[3900]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 002001F8
.text  C:\Windows\System32\hkcmd.exe[3900]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00200600
.text  C:\Windows\System32\igfxpers.exe[3908]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 001603FC
.text  C:\Windows\System32\igfxpers.exe[3908]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 001601F8
.text  C:\Windows\System32\igfxpers.exe[3908]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Windows\System32\igfxpers.exe[3908]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00310A08
.text  C:\Windows\System32\igfxpers.exe[3908]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 003103FC
.text  C:\Windows\System32\igfxpers.exe[3908]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00310804
.text  C:\Windows\System32\igfxpers.exe[3908]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 003101F8
.text  C:\Windows\System32\igfxpers.exe[3908]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00310600
.text  C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[3916]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 001703FC
.text  C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[3916]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 001701F8
.text  C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[3916]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[3916]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00200A08
.text  C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[3916]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 002003FC
.text  C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[3916]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00200804
.text  C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[3916]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 002001F8
.text  C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[3916]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00200600
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[3924]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Program Files\Common Files\Java\Java Update\jusched.exe[3988]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 001703FC
.text  C:\Program Files\Common Files\Java\Java Update\jusched.exe[3988]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 001701F8
.text  C:\Program Files\Common Files\Java\Java Update\jusched.exe[3988]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Program Files\Common Files\Java\Java Update\jusched.exe[3988]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00310A08
.text  C:\Program Files\Common Files\Java\Java Update\jusched.exe[3988]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 003103FC
.text  C:\Program Files\Common Files\Java\Java Update\jusched.exe[3988]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00310804
.text  C:\Program Files\Common Files\Java\Java Update\jusched.exe[3988]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 003101F8
.text  C:\Program Files\Common Files\Java\Java Update\jusched.exe[3988]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00310600
.text  C:\Windows\System32\rundll32.exe[4012]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 000703FC
.text  C:\Windows\System32\rundll32.exe[4012]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 000701F8
.text  C:\Windows\System32\rundll32.exe[4012]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Windows\System32\rundll32.exe[4012]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00100A08
.text  C:\Windows\System32\rundll32.exe[4012]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 001003FC
.text  C:\Windows\System32\rundll32.exe[4012]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00100804
.text  C:\Windows\System32\rundll32.exe[4012]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 001001F8
.text  C:\Windows\System32\rundll32.exe[4012]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00100600
.text  C:\Windows\System32\rundll32.exe[4028]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 000703FC
.text  C:\Windows\System32\rundll32.exe[4028]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 000701F8
.text  C:\Windows\System32\rundll32.exe[4028]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Windows\System32\rundll32.exe[4028]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00090A08
.text  C:\Windows\System32\rundll32.exe[4028]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 000903FC
.text  C:\Windows\System32\rundll32.exe[4028]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00090804
.text  C:\Windows\System32\rundll32.exe[4028]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 000901F8
.text  C:\Windows\System32\rundll32.exe[4028]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00090600
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4052]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 001D03FC
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4052]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 001D01F8
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4052]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4052]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00280A08
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4052]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 002803FC
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4052]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00280804
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4052]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 002801F8
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4052]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00280600
.text  C:\Program Files\Motorola\Bluetooth\audiosrv.exe[4136]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 001503FC
.text  C:\Program Files\Motorola\Bluetooth\audiosrv.exe[4136]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 001501F8
.text  C:\Program Files\Motorola\Bluetooth\audiosrv.exe[4136]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Program Files\Motorola\Bluetooth\audiosrv.exe[4136]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 002F0A08
.text  C:\Program Files\Motorola\Bluetooth\audiosrv.exe[4136]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 002F03FC
.text  C:\Program Files\Motorola\Bluetooth\audiosrv.exe[4136]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 002F0804
.text  C:\Program Files\Motorola\Bluetooth\audiosrv.exe[4136]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 002F01F8
.text  C:\Program Files\Motorola\Bluetooth\audiosrv.exe[4136]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 002F0600
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4216]  ntdll.dll!LdrUnloadDll  770AC86E 5 Bytes  JMP 000603FC
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4216]  ntdll.dll!LdrLoadDll  770B223E 5 Bytes  JMP 60B8B52A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4216]  kernel32.dll!K32GetDeviceDriverBaseNameW + 5D  75A393D6 7 Bytes  JMP 60E3B6D2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4216]  kernel32.dll!QueryPerformanceCounter + 13  75A3C435 7 Bytes  JMP 60E3B6F5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4216]  kernel32.dll!GetBinaryTypeW + 70  75A569F4 1 Byte  [62]
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4216]  USER32.dll!UnhookWindowsHookEx  75F7ADF9 5 Bytes  JMP 00080A08
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4216]  USER32.dll!UnhookWinEvent  75F7B750 5 Bytes  JMP 000803FC
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4216]  USER32.dll!SetWindowsHookExW  75F7E30C 5 Bytes  JMP 00080804
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4216]  USER32.dll!SetWinEventHook  75F824DC 5 Bytes  JMP 000801F8
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4216]  USER32.dll!SetWindowsHookExA  75FA6D0C 5 Bytes  JMP 00080600
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4216]  GDI32.dll!GetViewportOrgEx + 26C  75BE884B 7 Bytes  JMP 60E3B653 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text
C:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4252] KERNEL32.dll!GetBinaryTypeW + 70 75A569F4 1 Byte [62] .text C:\Users\Patryk\Downloads\j62fegyg.exe[4340] ntdll.dll!LdrUnloadDll 770AC86E 5 Bytes JMP 001603FC .text C:\Users\Patryk\Downloads\j62fegyg.exe[4340] ntdll.dll!LdrLoadDll 770B223E 5 Bytes JMP 001601F8 .text C:\Users\Patryk\Downloads\j62fegyg.exe[4340] kernel32.dll!GetBinaryTypeW + 70 75A569F4 1 Byte [62] .text C:\Users\Patryk\Downloads\j62fegyg.exe[4340] USER32.dll!UnhookWindowsHookEx 75F7ADF9 5 Bytes JMP 00210A08 .text C:\Users\Patryk\Downloads\j62fegyg.exe[4340] USER32.dll!UnhookWinEvent 75F7B750 5 Bytes JMP 002103FC .text C:\Users\Patryk\Downloads\j62fegyg.exe[4340] USER32.dll!SetWindowsHookExW 75F7E30C 5 Bytes JMP 00210804 .text C:\Users\Patryk\Downloads\j62fegyg.exe[4340] USER32.dll!SetWinEventHook 75F824DC 5 Bytes JMP 002101F8 .text C:\Users\Patryk\Downloads\j62fegyg.exe[4340] USER32.dll!SetWindowsHookExA 75FA6D0C 5 Bytes JMP 00210600 .text C:\windows\system32\svchost.exe[4344] ntdll.dll!LdrUnloadDll 770AC86E 5 Bytes JMP 000A03FC .text C:\windows\system32\svchost.exe[4344] ntdll.dll!LdrLoadDll 770B223E 5 Bytes JMP 000A01F8 .text C:\windows\system32\svchost.exe[4344] kernel32.dll!GetBinaryTypeW + 70 75A569F4 1 Byte [62] .text C:\windows\system32\wbem\wmiprvse.exe[4748] ntdll.dll!LdrUnloadDll 770AC86E 5 Bytes JMP 000B03FC .text C:\windows\system32\wbem\wmiprvse.exe[4748] ntdll.dll!LdrLoadDll 770B223E 5 Bytes JMP 000B01F8 .text C:\windows\system32\wbem\wmiprvse.exe[4748] kernel32.dll!GetBinaryTypeW + 70 75A569F4 1 Byte [62] .text C:\windows\system32\wbem\wmiprvse.exe[4748] USER32.dll!UnhookWindowsHookEx 75F7ADF9 5 Bytes JMP 00290A08 .text C:\windows\system32\wbem\wmiprvse.exe[4748] USER32.dll!UnhookWinEvent 75F7B750 5 Bytes JMP 002903FC .text C:\windows\system32\wbem\wmiprvse.exe[4748] USER32.dll!SetWindowsHookExW 75F7E30C 5 Bytes JMP 00290804 .text C:\windows\system32\wbem\wmiprvse.exe[4748] USER32.dll!SetWinEventHook 75F824DC 5 
Bytes JMP 002901F8 .text C:\windows\system32\wbem\wmiprvse.exe[4748] USER32.dll!SetWindowsHookExA 75FA6D0C 5 Bytes JMP 00290600 .text C:\windows\system32\sppsvc.exe[5564] ntdll.dll!LdrUnloadDll 770AC86E 5 Bytes JMP 000703FC .text C:\windows\system32\sppsvc.exe[5564] ntdll.dll!LdrLoadDll 770B223E 5 Bytes JMP 000701F8 .text C:\windows\system32\sppsvc.exe[5564] kernel32.dll!GetBinaryTypeW + 70 75A569F4 1 Byte [62] .text C:\windows\system32\sppsvc.exe[5564] USER32.dll!UnhookWindowsHookEx 75F7ADF9 5 Bytes JMP 000B0A08 .text C:\windows\system32\sppsvc.exe[5564] USER32.dll!UnhookWinEvent 75F7B750 5 Bytes JMP 000B03FC .text C:\windows\system32\sppsvc.exe[5564] USER32.dll!SetWindowsHookExW 75F7E30C 5 Bytes JMP 000B0804 .text C:\windows\system32\sppsvc.exe[5564] USER32.dll!SetWinEventHook 75F824DC 5 Bytes JMP 000B01F8 .text C:\windows\system32\sppsvc.exe[5564] USER32.dll!SetWindowsHookExA 75FA6D0C 5 Bytes JMP 000B0600 .text C:\windows\System32\svchost.exe[5608] ntdll.dll!LdrUnloadDll 770AC86E 5 Bytes JMP 000603FC .text C:\windows\System32\svchost.exe[5608] ntdll.dll!LdrLoadDll 770B223E 5 Bytes JMP 000601F8 .text C:\windows\System32\svchost.exe[5608] kernel32.dll!GetBinaryTypeW + 70 75A569F4 1 Byte [62] .text C:\windows\System32\svchost.exe[5608] USER32.dll!UnhookWindowsHookEx 75F7ADF9 5 Bytes JMP 00130A08 .text C:\windows\System32\svchost.exe[5608] USER32.dll!UnhookWinEvent 75F7B750 5 Bytes JMP 001303FC .text C:\windows\System32\svchost.exe[5608] USER32.dll!SetWindowsHookExW 75F7E30C 5 Bytes JMP 00130804 .text C:\windows\System32\svchost.exe[5608] USER32.dll!SetWinEventHook 75F824DC 5 Bytes JMP 001301F8 .text C:\windows\System32\svchost.exe[5608] USER32.dll!SetWindowsHookExA 75FA6D0C 5 Bytes JMP 00130600 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5660] ntdll.dll!LdrUnloadDll 770AC86E 5 Bytes JMP 000603FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5660] ntdll.dll!LdrLoadDll 770B223E 5 Bytes JMP 000601F8 .text C:\Program Files\Windows Media 
Player\wmpnetwk.exe[5660] kernel32.dll!GetBinaryTypeW + 70 75A569F4 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5660] USER32.dll!UnhookWindowsHookEx 75F7ADF9 5 Bytes JMP 00140A08 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5660] USER32.dll!UnhookWinEvent 75F7B750 5 Bytes JMP 001403FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5660] USER32.dll!SetWindowsHookExW 75F7E30C 5 Bytes JMP 00140804 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5660] USER32.dll!SetWinEventHook 75F824DC 5 Bytes JMP 001401F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5660] USER32.dll!SetWindowsHookExA 75FA6D0C 5 Bytes JMP 00140600 ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1684] @ C:\windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [710CF6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[3916] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [750DFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[3916] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [750DFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[3916] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [750DFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[3916] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [750DFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[3916] @ 
C:\windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [750DFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[3916] @ C:\windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [750DFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[3924] @ C:\windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [710CF6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Windows\System32\rundll32.exe[4012] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [750DFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[4012] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [750DFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[4012] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [750DFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[4012] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [750DFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[4028] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [750DFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[4028] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [750DFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[4028] @ C:\windows\system32\ADVAPI32.dll 
[KERNEL32.dll!GetProcAddress] [750DFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[4028] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [750DFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\ACPI_HAL \Device\0000004b halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! 
TDI Filter Driver/AVAST Software) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001c7b2c8681 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001c7b2c8681 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet) Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C619734D-AA16-467C-84C1-25F9F3368CFB} Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C619734D-AA16-467C-84C1-25F9F3368CFB} Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C619734D-AA16-467C-84C1-25F9F3368CFB}@Path \Microsoft\Windows Defender\MP Scheduled Scan Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C619734D-AA16-467C-84C1-25F9F3368CFB}@Hash 0x80 0x59 0x77 0xB0 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C619734D-AA16-467C-84C1-25F9F3368CFB}@Triggers 0x15 0x00 0x00 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C619734D-AA16-467C-84C1-25F9F3368CFB}@DynamicInfo 0x03 0x00 0x00 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows Defender\MP Scheduled Scan@Id {C619734D-AA16-467C-84C1-25F9F3368CFB} ---- EOF - GMER 1.0.15 ----