GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-31 18:51:32
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.ESBO
Running: gmer.exe; Driver: C:\Users\BLACKR~1\AppData\Local\Temp\kxliypod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8B4FDFC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x867B1510]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8B500456]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8B5004AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8B5005C4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8B5003AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8B5004FE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8B500400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8B500572]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8B4FDFE8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x867B15C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8B4FDDB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8B4FE00C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8B5009BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8B4FEAA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8B500486]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8B5004D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8B5005EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8B5003D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8B50053E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8B50042E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8B50059C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x867B1658]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8B4FE96A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8B4FE030]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8B4FE054]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8B4FDE0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8B4FDF48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8B4FDF24]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8B4FDF6C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8B4FE078]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x867C57A2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 81A7AA49 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81AB44D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 81ABB500 4 Bytes [C4, DF, 4F, 8B]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 81ABB528 4 Bytes [10, 15, 7B, 86]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 81ABB5DC 8 Bytes [56, 04, 50, 8B, AE, 04, 50, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 81ABB5E8 4 Bytes [C4, 05, 50, 8B]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 81ABB604 4 Bytes [AC, 03, 50, 8B] {LODSB ; ADD EDX, [EAX-0x75]}
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 81C49C88 5 Bytes JMP 867C269C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 81C622B0 5 Bytes JMP 867C4174 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 81C773F7 4 Bytes CALL 8B4FF025 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 81C9120E 4 Bytes CALL 8B4FF03B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 81D1B10E 7 Bytes JMP 867C57A6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x865A2B2E]
.text USBPORT.SYS!DllUnload 8D0A0DB9 5 Bytes JMP 854291C8
.text user32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes [E9, 0A, 5C, FD, 89] {JMP 0xffffffff89fd5c0f}
.text user32.dll!UnhookWinEvent 7623B750 5 Bytes [E9, A7, 4C, FD, 89] {JMP 0xffffffff89fd4cac}
.text user32.dll!SetWindowsHookExW 7623E30C 5 Bytes [E9, F3, 24, FD, 89] {JMP 0xffffffff89fd24f8}
.text user32.dll!SetWinEventHook 762424DC 5 Bytes [E9, 17, DD, FC, 89] {JMP 0xffffffff89fcdd1c}
.text user32.dll!SetWindowsHookExA 76266D0C 5 Bytes [E9, EF, 98, FA, 89] {JMP 0xffffffff89fa98f4}
.text kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[428] KERNEL32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\csrss.exe[448] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[504] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[504] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[504] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[504] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 000C0A08
.text C:\Windows\system32\wininit.exe[504] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 000C03FC
.text C:\Windows\system32\wininit.exe[504] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 000C0804
.text C:\Windows\system32\wininit.exe[504] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 000C01F8
.text C:\Windows\system32\wininit.exe[504] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 000C0600
.text C:\Windows\system32\csrss.exe[512] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\services.exe[560] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\services.exe[560] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\services.exe[560] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[592] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[592] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[592] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[592] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 000C0A08
.text C:\Windows\system32\winlogon.exe[592] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 000C03FC
.text C:\Windows\system32\winlogon.exe[592] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 000C0804
.text C:\Windows\system32\winlogon.exe[592] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 000C01F8
.text C:\Windows\system32\winlogon.exe[592] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 000C0600
.text C:\Windows\system32\lsass.exe[620] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsass.exe[620] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsass.exe[620] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\lsm.exe[628] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsm.exe[628] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsm.exe[628] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[740] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[740] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[740] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[828] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[828] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[828] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[892] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[892] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[892] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[892] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00200A08
.text C:\Windows\System32\svchost.exe[892] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 002003FC
.text C:\Windows\System32\svchost.exe[892] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00200804
.text C:\Windows\System32\svchost.exe[892] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 002001F8
.text C:\Windows\System32\svchost.exe[892] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00200600
.text C:\Windows\System32\svchost.exe[956] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[956] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[956] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[956] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00340A08
.text C:\Windows\System32\svchost.exe[956] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 003403FC
.text C:\Windows\System32\svchost.exe[956] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00340804
.text C:\Windows\System32\svchost.exe[956] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 003401F8
.text C:\Windows\System32\svchost.exe[956] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00340600
.text C:\Windows\system32\svchost.exe[980] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[980] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[980] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[980] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00BB0A08
.text C:\Windows\system32\svchost.exe[980] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 00BB03FC
.text C:\Windows\system32\svchost.exe[980] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00BB0804
.text C:\Windows\system32\svchost.exe[980] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 00BB01F8
.text C:\Windows\system32\svchost.exe[980] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00BB0600
.text C:\Windows\system32\svchost.exe[1148] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[1148] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1148] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00610A08
.text C:\Windows\system32\svchost.exe[1148] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 006103FC
.text C:\Windows\system32\svchost.exe[1148] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00610804
.text C:\Windows\system32\svchost.exe[1148] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 006101F8
.text C:\Windows\system32\svchost.exe[1148] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00610600
.text C:\Windows\system32\svchost.exe[1276] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[1276] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[1276] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1364] kernel32.dll!SetUnhandledExceptionFilter 7578F4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1364] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1748] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\spoolsv.exe[1748] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\spoolsv.exe[1748] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1748] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00140A08
.text C:\Windows\System32\spoolsv.exe[1748] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 001403FC
.text C:\Windows\System32\spoolsv.exe[1748] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00140804
.text C:\Windows\System32\spoolsv.exe[1748] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 001401F8
.text C:\Windows\System32\spoolsv.exe[1748] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00140600
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1776] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1776] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00350A08
.text C:\Windows\system32\svchost.exe[1776] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 003503FC
.text C:\Windows\system32\svchost.exe[1776] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00350804
.text C:\Windows\system32\svchost.exe[1776] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 003501F8
.text C:\Windows\system32\svchost.exe[1776] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00350600
.text C:\Windows\System32\AsusService.exe[1872] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000503FC
.text C:\Windows\System32\AsusService.exe[1872] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000501F8
.text C:\Windows\System32\AsusService.exe[1872] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\System32\AsusService.exe[1872] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00070A08
.text C:\Windows\System32\AsusService.exe[1872] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 000703FC
.text C:\Windows\System32\AsusService.exe[1872] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00070804
.text C:\Windows\System32\AsusService.exe[1872] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 000701F8
.text C:\Windows\System32\AsusService.exe[1872] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1900] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1900] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1900] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1920] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000A03FC
.text C:\Windows\System32\svchost.exe[1920] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000A01F8
.text C:\Windows\System32\svchost.exe[1920] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1960] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[1960] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[1960] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2032] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[2032] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[2032] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\NOTEPAD.EXE[2288] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\NOTEPAD.EXE[2288] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\NOTEPAD.EXE[2288] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\NOTEPAD.EXE[2288] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00140A08
.text C:\Windows\system32\NOTEPAD.EXE[2288] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 001403FC
.text C:\Windows\system32\NOTEPAD.EXE[2288] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00140804
.text C:\Windows\system32\NOTEPAD.EXE[2288] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 001401F8
.text C:\Windows\system32\NOTEPAD.EXE[2288] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00140600
.text C:\Windows\System32\svchost.exe[2292] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[2292] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[2292] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[2292] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00200A08
.text C:\Windows\System32\svchost.exe[2292] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 002003FC
.text C:\Windows\System32\svchost.exe[2292] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00200804
.text C:\Windows\System32\svchost.exe[2292] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 002001F8
.text C:\Windows\System32\svchost.exe[2292] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00200600
.text C:\Users\BLACKR~1\AppData\Local\Temp\Rar$EXa0.265\gmer.exe[2328] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 001603FC
.text C:\Users\BLACKR~1\AppData\Local\Temp\Rar$EXa0.265\gmer.exe[2328] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 001601F8
.text C:\Users\BLACKR~1\AppData\Local\Temp\Rar$EXa0.265\gmer.exe[2328] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Users\BLACKR~1\AppData\Local\Temp\Rar$EXa0.265\gmer.exe[2328] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00210A08
.text C:\Users\BLACKR~1\AppData\Local\Temp\Rar$EXa0.265\gmer.exe[2328] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 002103FC
.text C:\Users\BLACKR~1\AppData\Local\Temp\Rar$EXa0.265\gmer.exe[2328] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00210804
.text C:\Users\BLACKR~1\AppData\Local\Temp\Rar$EXa0.265\gmer.exe[2328] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 002101F8
.text C:\Users\BLACKR~1\AppData\Local\Temp\Rar$EXa0.265\gmer.exe[2328] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00210600
.text C:\Windows\system32\taskhost.exe[2384] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskhost.exe[2384] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskhost.exe[2384] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[2384] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 000E0A08
.text C:\Windows\system32\taskhost.exe[2384] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 000E03FC
.text C:\Windows\system32\taskhost.exe[2384] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 000E0804
.text C:\Windows\system32\taskhost.exe[2384] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 000E01F8
.text C:\Windows\system32\taskhost.exe[2384] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 000E0600
.text C:\Windows\system32\Dwm.exe[2452] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\Dwm.exe[2452] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\Dwm.exe[2452] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[2452] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00090A08
.text C:\Windows\system32\Dwm.exe[2452] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 000903FC
.text C:\Windows\system32\Dwm.exe[2452] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00090804
.text C:\Windows\system32\Dwm.exe[2452] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 000901F8
.text C:\Windows\system32\Dwm.exe[2452] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00090600
.text C:\Windows\Explorer.EXE[2496] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\Explorer.EXE[2496] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\Explorer.EXE[2496] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\Explorer.EXE[2496] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00110A08
.text C:\Windows\Explorer.EXE[2496] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 001103FC
.text C:\Windows\Explorer.EXE[2496] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00110804
.text C:\Windows\Explorer.EXE[2496] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 001101F8
.text C:\Windows\Explorer.EXE[2496] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00110600
.text C:\Program Files\ASUS\SHE\SuperHybridEngine.exe[2684] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 001603FC
.text C:\Program Files\ASUS\SHE\SuperHybridEngine.exe[2684] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 001601F8
.text C:\Program Files\ASUS\SHE\SuperHybridEngine.exe[2684] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Program Files\ASUS\SHE\SuperHybridEngine.exe[2684] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\ASUS\SHE\SuperHybridEngine.exe[2684] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 001F03FC
.text C:\Program Files\ASUS\SHE\SuperHybridEngine.exe[2684] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 001F0804
.text C:\Program Files\ASUS\SHE\SuperHybridEngine.exe[2684] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 001F01F8
.text C:\Program Files\ASUS\SHE\SuperHybridEngine.exe[2684] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 001F0600
.text C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe[2696] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 001603FC
.text C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe[2696] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 001601F8
.text C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe[2696] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe[2696] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe[2696] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 001F03FC
.text C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe[2696] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 001F0804
.text C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe[2696] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 001F01F8
.text C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe[2696] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 001F0600
.text C:\Program Files\Elantech\ETDCtrl.exe[2712] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Program Files\Elantech\ETDCtrl.exe[2712] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Program Files\Elantech\ETDCtrl.exe[2712] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Program Files\Elantech\ETDCtrl.exe[2712] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Elantech\ETDCtrl.exe[2712] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 001003FC
.text C:\Program Files\Elantech\ETDCtrl.exe[2712] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00100804
.text C:\Program Files\Elantech\ETDCtrl.exe[2712] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 001001F8
.text C:\Program Files\Elantech\ETDCtrl.exe[2712] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00100600
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2720] KERNEL32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Program Files\EeePC\HotkeyService\HotkeyService.exe[2740] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 001603FC
.text C:\Program Files\EeePC\HotkeyService\HotkeyService.exe[2740] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 001601F8
.text C:\Program Files\EeePC\HotkeyService\HotkeyService.exe[2740] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Program Files\EeePC\HotkeyService\HotkeyService.exe[2740] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\EeePC\HotkeyService\HotkeyService.exe[2740] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 001F03FC
.text C:\Program Files\EeePC\HotkeyService\HotkeyService.exe[2740] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 001F0804
.text C:\Program Files\EeePC\HotkeyService\HotkeyService.exe[2740] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 001F01F8
.text C:\Program Files\EeePC\HotkeyService\HotkeyService.exe[2740] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 001F0600
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2748] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Program Files\ASUS\CapsHook\CapsHook.exe[2756] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Program Files\ASUS\CapsHook\CapsHook.exe[2756] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Program Files\ASUS\CapsHook\CapsHook.exe[2756] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Program Files\ASUS\CapsHook\CapsHook.exe[2756] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00200A08
.text C:\Program Files\ASUS\CapsHook\CapsHook.exe[2756] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 002003FC
.text C:\Program Files\ASUS\CapsHook\CapsHook.exe[2756] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00200804
.text C:\Program Files\ASUS\CapsHook\CapsHook.exe[2756] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 002001F8
.text C:\Program Files\ASUS\CapsHook\CapsHook.exe[2756] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00200600
.text C:\Windows\System32\hkcmd.exe[2784] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 001603FC
.text C:\Windows\System32\hkcmd.exe[2784] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 001601F8
.text C:\Windows\System32\hkcmd.exe[2784] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\System32\hkcmd.exe[2784] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00190A08
.text C:\Windows\System32\hkcmd.exe[2784] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 001903FC
.text C:\Windows\System32\hkcmd.exe[2784] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00190804
.text C:\Windows\System32\hkcmd.exe[2784] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 001901F8
.text C:\Windows\System32\hkcmd.exe[2784] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00190600
.text C:\Windows\System32\igfxpers.exe[2792] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 001603FC
.text C:\Windows\System32\igfxpers.exe[2792] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 001601F8
.text C:\Windows\System32\igfxpers.exe[2792] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\System32\igfxpers.exe[2792] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00200A08
.text C:\Windows\System32\igfxpers.exe[2792] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 002003FC
.text C:\Windows\System32\igfxpers.exe[2792] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00200804
.text C:\Windows\System32\igfxpers.exe[2792] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 002001F8
.text C:\Windows\System32\igfxpers.exe[2792] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00200600
.text C:\Windows\system32\igfxsrvc.exe[2980] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 001603FC
.text C:\Windows\system32\igfxsrvc.exe[2980] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 001601F8
.text C:\Windows\system32\igfxsrvc.exe[2980] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\igfxsrvc.exe[2980] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 001F0A08
.text C:\Windows\system32\igfxsrvc.exe[2980] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 001F03FC
.text C:\Windows\system32\igfxsrvc.exe[2980] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 001F0804
.text C:\Windows\system32\igfxsrvc.exe[2980] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 001F01F8
.text C:\Windows\system32\igfxsrvc.exe[2980] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 001F0600
.text C:\Windows\system32\wbem\wmiprvse.exe[3028] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\wbem\wmiprvse.exe[3028] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\wbem\wmiprvse.exe[3028] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\wbem\wmiprvse.exe[3028] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00100A08
.text C:\Windows\system32\wbem\wmiprvse.exe[3028] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 001003FC
.text C:\Windows\system32\wbem\wmiprvse.exe[3028] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00100804
.text C:\Windows\system32\wbem\wmiprvse.exe[3028] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 001001F8
.text C:\Windows\system32\wbem\wmiprvse.exe[3028] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00100600
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3076] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3076] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3076] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3076] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 002F0A08
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3076] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 002F03FC
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3076] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 002F0804
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3076] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 002F01F8
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3076] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 002F0600
.text C:\Windows\system32\SearchIndexer.exe[3232] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\SearchIndexer.exe[3232] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\SearchIndexer.exe[3232] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[3232] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00100A08
.text C:\Windows\system32\SearchIndexer.exe[3232] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 001003FC
.text C:\Windows\system32\SearchIndexer.exe[3232] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00100804
.text C:\Windows\system32\SearchIndexer.exe[3232] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 001001F8
.text C:\Windows\system32\SearchIndexer.exe[3232] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\svchost.exe[3432] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[3432] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[3432] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3640] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3640] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 000601F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3640] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3640] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3640] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 001003FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3640] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 00100804
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3640] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 001001F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3640] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 00100600
.text C:\Program Files\Mozilla Firefox\firefox.exe[4000] ntdll.dll!LdrUnloadDll 7707C86E 5 Bytes JMP 000603FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[4000] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 65675B00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4000] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 757893D6 7 Bytes JMP 658B7B35 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4000] kernel32.dll!QueryPerformanceCounter + 13 7578C435 7 Bytes JMP 658B7B58 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4000] kernel32.dll!LoadAppInitDlls + 355 7578F4F6 7 Bytes JMP 6567EF12 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4000] kernel32.dll!GetBinaryTypeW + 70 757A69F4 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\firefox.exe[4000] USER32.dll!UnhookWindowsHookEx 7623ADF9 5 Bytes JMP 000F0A08
.text C:\Program Files\Mozilla Firefox\firefox.exe[4000] USER32.dll!UnhookWinEvent 7623B750 5 Bytes JMP 000F03FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[4000] USER32.dll!SetWindowsHookExW 7623E30C 5 Bytes JMP 000F0804
.text C:\Program Files\Mozilla Firefox\firefox.exe[4000] USER32.dll!SetWinEventHook 762424DC 5 Bytes JMP 000F01F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[4000] USER32.dll!SetWindowsHookExA 76266D0C 5 Bytes JMP 000F0600
.text C:\Program Files\Mozilla Firefox\firefox.exe[4000] GDI32.dll!GetViewportOrgEx + 26C 75F7884B 7 Bytes JMP 658B7AB6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [864AD730] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [864ADF12] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [864AE232] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [864AE0F0] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [864AD914] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2496] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73CD24CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2496] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73CB562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2496] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73CB56EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2496] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73CD2546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2496] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73CC85AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2496] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73CC4D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2496] @ C:\Windows\Explorer.EXE
[gdiplus.dll!GdipGetImageWidth] [73CC5105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2496] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73CC51DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2496] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73CC6707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2496] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73CC8301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2496] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73CC8850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2496] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73CC90B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2496] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73CCE254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2496] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73CC4C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft 
Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) Device \FileSystem\Ntfs \Ntfs 841D81E8 Device \FileSystem\fastfat \FatCdrom A4AC31E8 Device \Driver\usbuhci \Device\USBPDO-0 854281E8 Device \Driver\usbuhci \Device\USBPDO-1 854281E8 Device \Driver\usbuhci \Device\USBPDO-2 854281E8 Device \Driver\usbuhci \Device\USBPDO-3 854281E8 Device \Driver\usbehci \Device\USBPDO-4 8542B430 AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\iaStor \Device\Ide\iaStor0 [86881C10] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [86881C10] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\NetBT \Device\NetBt_Wins_Export 852C7430 Device \Driver\NetBT \Device\NetBT_Tcpip_{C15AC95A-41B1-4F42-BE4D-E33A79B07CAE} 852C7430 Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) Device \Driver\NetBT \Device\NetBT_Tcpip_{D662855B-AFC5-4B93-9E27-5394F7C8EC61} 852C7430 AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! 
TDI Filter Driver/AVAST Software) Device \Driver\usbuhci \Device\USBFDO-0 854281E8 Device \Driver\usbuhci \Device\USBFDO-1 854281E8 Device \Driver\usbuhci \Device\USBFDO-2 854281E8 Device \Driver\usbuhci \Device\USBFDO-3 854281E8 Device \Driver\usbehci \Device\USBFDO-4 8542B430 Device \FileSystem\fastfat \Fat A4AC31E8 AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x21 0x06 0x19 0x2D ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x21 0x06 0x19 0x2D ... ---- EOF - GMER 1.0.15 ----