GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-12-01 17:36:55
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\00000064 WDC_WD32 rev.01.0
Running: mu4ekhe8.exe; Driver: C:\Users\Asia\AppData\Local\Temp\kxliypow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x90849708]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x919A17C8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x9084A11C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x90854F28]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x90854F74]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x908550F6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x90854E96]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x919A1BBA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x90854EDE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x9084A310]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x9084A498]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x908550B0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x9084AA9C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x90849756]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x919A18AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x908493BE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x908497A4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x9084E456]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x9084B464]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x90854F52]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x90854F96]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x9085511A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x90854EBC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x9085503A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x90854F06]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x908550D4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x919A1A2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x9084B330]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThreadEx [0x9084B06C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x908497F2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x90849840]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x9084A91C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x90849448]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x908495F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x9084959E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x9084ABFE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x9084AD5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x90849668]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x919A1AF6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x9084A794]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x9084988E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x919A1962]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x919B9966]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82E8FA49 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EC94D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82ED0500 4 Bytes [08, 97, 84, 90]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82ED0528 4 Bytes [C8, 17, 9A, 91] {ENTER 0x9a17, 0x91}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82ED0588 4 Bytes [1C, A1, 84, 90]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82ED05DC 8 Bytes [28, 4F, 85, 90, 74, 4F, 85, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82ED05E8 4 Bytes [F6, 50, 85, 90] {NOT BYTE [EAX-0x7b]; NOP }
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 8305EC88 5 Bytes JMP 919B6806 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 830772B0 5 Bytes JMP 919B8338 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 8308C3F7 4 Bytes CALL 9084BB07 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 830A620E 4 Bytes CALL 9084BB1D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 8313010E 7 Bytes JMP 919B996A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x92A31000, 0x35356D, 0xE8000020]
.text kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\SearchIndexer.exe[344] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\SearchIndexer.exe[344] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\SearchIndexer.exe[344] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[344] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00100A08
.text C:\Windows\system32\SearchIndexer.exe[344] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 001003FC
.text C:\Windows\system32\SearchIndexer.exe[344] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00100804
.text C:\Windows\system32\SearchIndexer.exe[344] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 001001F8
.text C:\Windows\system32\SearchIndexer.exe[344] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\csrss.exe[480] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[540] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\services.exe[588] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\lsass.exe[612] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\lsm.exe[620] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[728] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[728] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[728] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[728] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00500A08
.text C:\Windows\system32\svchost.exe[728] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 005003FC
.text C:\Windows\system32\svchost.exe[728] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00500804
.text C:\Windows\system32\svchost.exe[728] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 005001F8
.text C:\Windows\system32\svchost.exe[728] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00500600
.text C:\Windows\system32\svchost.exe[752] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[860] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\atiesrxx.exe[908] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[980] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1028] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000503FC
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000501F8
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] kernel32.dll!CreateThread 7617DCC2 5 Bytes JMP 6DE175E3 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!EnableWindow 77658D02 5 Bytes JMP 6DE59EBC C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!CallNextHookEx 7765ABE1 5 Bytes JMP 6DE77FDF C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 6DE9ED00 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 000803FC
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!DefWindowProcA 7765BB1C 7 Bytes JMP 6DE1980D C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!CreateWindowExA 7765BF40 5 Bytes JMP 6DE23643 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 6DE525B4 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!CreateWindowExW 7765EC7C 5 Bytes JMP 6DE803CF C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 000801F8
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!DefWindowProcW 7766507D 7 Bytes JMP 6DE78042 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!DialogBoxParamW 77673B9B 5 Bytes JMP 6DDB1893 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!DialogBoxIndirectParamW 77683B7F 5 Bytes JMP 6DFA902E C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00080600
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!DialogBoxParamA 7769CF42 5 Bytes JMP 6DFA8FC9 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!DialogBoxIndirectParamA 7769D274 5 Bytes JMP 6DFA9093 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!MessageBoxIndirectA 776AE869 5 Bytes JMP 6DFA8F50 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!MessageBoxIndirectW 776AE963 5 Bytes JMP 6DFA8ED7 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!MessageBoxExA 776AE9C9 5 Bytes JMP 6DFA8E73 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] USER32.dll!MessageBoxExW 776AE9ED 5 Bytes JMP 6DFA8E0F C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1128] ole32.dll!OleLoadFromStream 778E6143 5 Bytes JMP 6DFA97FC C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[1152] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1428] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 001603FC
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1428] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 001601F8
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1428] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1428] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00340A08
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1428] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 003403FC
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1428] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00340804
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1428] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 003401F8
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1428] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00340600
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1484] kernel32.dll!SetUnhandledExceptionFilter 7617F4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1484] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1496] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\Sony\ISB Utility\ISBMgr.exe[1504] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000603FC
.text C:\Program Files\Sony\ISB Utility\ISBMgr.exe[1504] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000601F8
.text C:\Program Files\Sony\ISB Utility\ISBMgr.exe[1504] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\Sony\ISB Utility\ISBMgr.exe[1504] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Sony\ISB Utility\ISBMgr.exe[1504] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 001003FC
.text C:\Program Files\Sony\ISB Utility\ISBMgr.exe[1504] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00100804
.text C:\Program Files\Sony\ISB Utility\ISBMgr.exe[1504] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 001001F8
.text C:\Program Files\Sony\ISB Utility\ISBMgr.exe[1504] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00100600
.text C:\Windows\System32\spoolsv.exe[1624] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1632] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[1632] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[1632] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1632] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00180A08
.text C:\Windows\System32\svchost.exe[1632] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 001803FC
.text C:\Windows\System32\svchost.exe[1632] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00180804
.text C:\Windows\System32\svchost.exe[1632] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 001801F8
.text C:\Windows\System32\svchost.exe[1632] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00180600
.text C:\Windows\system32\svchost.exe[1668] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1784] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe[1820] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[1868] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1912] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text ...
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2384] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 001603FC
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2384] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 001601F8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2384] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2384] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2384] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 001F03FC
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2384] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 001F0804
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2384] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 001F01F8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2384] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 001F0600
.text C:\Windows\System32\rundll32.exe[2544] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000703FC
.text C:\Windows\System32\rundll32.exe[2544] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000701F8
.text C:\Windows\System32\rundll32.exe[2544] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\System32\rundll32.exe[2544] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00100A08
.text C:\Windows\System32\rundll32.exe[2544] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 001003FC
.text C:\Windows\System32\rundll32.exe[2544] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00100804
.text C:\Windows\System32\rundll32.exe[2544] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 001001F8
.text C:\Windows\System32\rundll32.exe[2544] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00100600
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2656] KERNEL32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3004] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000603FC
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3004] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000601F8
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3004] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3004] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00110A08
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3004] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 001103FC
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3004] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00110804
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3004] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 001101F8
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3004] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00110600
.text C:\Windows\system32\svchost.exe[3068] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[3068] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[3068] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[3068] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00760A08
.text C:\Windows\system32\svchost.exe[3068] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 007603FC
.text C:\Windows\system32\svchost.exe[3068] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00760804
.text C:\Windows\system32\svchost.exe[3068] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 007601F8
.text C:\Windows\system32\svchost.exe[3068] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00760600
.text C:\Windows\system32\DllHost.exe[3120] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000503FC
.text C:\Windows\system32\DllHost.exe[3120] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000501F8
.text C:\Windows\system32\DllHost.exe[3120] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\DllHost.exe[3120] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 000E0A08
.text C:\Windows\system32\DllHost.exe[3120] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 000E03FC
.text C:\Windows\system32\DllHost.exe[3120] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 000E0804
.text C:\Windows\system32\DllHost.exe[3120] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 000E01F8
.text C:\Windows\system32\DllHost.exe[3120] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 000E0600
.text C:\Windows\system32\ctfmon.exe[3172] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\ctfmon.exe[3172] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\ctfmon.exe[3172] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\ctfmon.exe[3172] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 000F0A08
.text C:\Windows\system32\ctfmon.exe[3172] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 000F03FC
.text C:\Windows\system32\ctfmon.exe[3172] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 000F0804
.text C:\Windows\system32\ctfmon.exe[3172] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 000F01F8
.text C:\Windows\system32\ctfmon.exe[3172] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 000F0600
.text C:\Program Files\Sony\VAIO Smart Network\VSNClient.exe[3176] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000603FC
.text C:\Program Files\Sony\VAIO Smart Network\VSNClient.exe[3176] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000601F8
.text C:\Program Files\Sony\VAIO Smart Network\VSNClient.exe[3176] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\Sony\VAIO Smart Network\VSNClient.exe[3176] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 000F0A08
.text C:\Program Files\Sony\VAIO Smart Network\VSNClient.exe[3176] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 000F03FC
.text C:\Program Files\Sony\VAIO Smart Network\VSNClient.exe[3176] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 000F0804
.text C:\Program Files\Sony\VAIO Smart Network\VSNClient.exe[3176] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 000F01F8
.text C:\Program Files\Sony\VAIO Smart Network\VSNClient.exe[3176] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 000F0600
.text c:\program files\windows defender\MpCmdRun.exe[3216] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[3220] KERNEL32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[3240] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000603FC
.text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[3240] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000601F8
.text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[3240] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[3240] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 004E0A08
.text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[3240] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 004E03FC
.text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[3240] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 004E0804
.text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[3240] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 004E01F8
.text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[3240] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 004E0600
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3280] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 001603FC
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3280] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 001601F8
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3280] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3280] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00180A08
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3280] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 001803FC
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3280] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00180804
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3280] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 001801F8
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3280] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00180600
.text C:\Windows\servicing\TrustedInstaller.exe[3316] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000503FC
.text C:\Windows\servicing\TrustedInstaller.exe[3316] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000501F8
.text C:\Windows\servicing\TrustedInstaller.exe[3316] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\servicing\TrustedInstaller.exe[3316] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00100A08
.text C:\Windows\servicing\TrustedInstaller.exe[3316] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 001003FC
.text C:\Windows\servicing\TrustedInstaller.exe[3316] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00100804
.text C:\Windows\servicing\TrustedInstaller.exe[3316] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 001001F8
.text C:\Windows\servicing\TrustedInstaller.exe[3316] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00100600
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000503FC
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000501F8
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!EnableWindow 77658D02 5 Bytes JMP 6DE59EBC C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00080A08
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 000803FC
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00080804
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 000801F8
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!DialogBoxParamW 77673B9B 5 Bytes JMP 6DDB1893 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!DialogBoxIndirectParamW 77683B7F 5 Bytes JMP 6DFA902E C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00080600
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!DialogBoxParamA 7769CF42 5 Bytes JMP 6DFA8FC9 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!DialogBoxIndirectParamA 7769D274 5 Bytes JMP 6DFA9093 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!MessageBoxIndirectA 776AE869 5 Bytes JMP 6DFA8F50 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!MessageBoxIndirectW 776AE963 5 Bytes JMP 6DFA8ED7 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!MessageBoxExA 776AE9C9 5 Bytes JMP 6DFA8E73 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!MessageBoxExW 776AE9ED 5 Bytes JMP 6DFA8E0F C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Windows\system32\csrss.exe[3504] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[3528] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[3528] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[3528] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[3528] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 000C0A08
.text C:\Windows\system32\winlogon.exe[3528] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 000C03FC
.text C:\Windows\system32\winlogon.exe[3528] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 000C0804
.text C:\Windows\system32\winlogon.exe[3528] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 000C01F8
.text C:\Windows\system32\winlogon.exe[3528] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 000C0600
.text C:\Windows\system32\atieclxx.exe[3628] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 001603FC
.text C:\Windows\system32\atieclxx.exe[3628] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 001601F8
.text C:\Windows\system32\atieclxx.exe[3628] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\atieclxx.exe[3628] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 001F0A08
.text C:\Windows\system32\atieclxx.exe[3628] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 001F03FC
.text C:\Windows\system32\atieclxx.exe[3628] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 001F0804
.text C:\Windows\system32\atieclxx.exe[3628] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 001F01F8
.text C:\Windows\system32\atieclxx.exe[3628] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 001F0600
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3636] KERNEL32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe[3676] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 001603FC
.text C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe[3676] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 001601F8
.text C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe[3676] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe[3676] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00200A08
.text C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe[3676] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 002003FC
.text C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe[3676] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00200804
.text C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe[3676] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 002001F8
.text C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe[3676] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00200600
.text C:\Windows\system32\taskhost.exe[3744] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000903FC
.text C:\Windows\system32\taskhost.exe[3744] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000901F8
.text C:\Windows\system32\taskhost.exe[3744] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[3744] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00120A08
.text C:\Windows\system32\taskhost.exe[3744] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 001203FC
.text C:\Windows\system32\taskhost.exe[3744] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00120804
.text C:\Windows\system32\taskhost.exe[3744] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 001201F8
.text C:\Windows\system32\taskhost.exe[3744] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00120600
.text C:\Windows\system32\Dwm.exe[3932] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000A03FC
.text C:\Windows\system32\Dwm.exe[3932] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000A01F8
.text C:\Windows\system32\Dwm.exe[3932] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[3932] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00130A08
.text C:\Windows\system32\Dwm.exe[3932] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 001303FC
.text C:\Windows\system32\Dwm.exe[3932] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00130804
.text C:\Windows\system32\Dwm.exe[3932] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 001301F8
.text C:\Windows\system32\Dwm.exe[3932] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00130600
.text C:\Windows\Explorer.EXE[4020] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000603FC
.text C:\Windows\Explorer.EXE[4020] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000601F8
.text C:\Windows\Explorer.EXE[4020] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\Explorer.EXE[4020] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00110A08
.text C:\Windows\Explorer.EXE[4020] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 001103FC
.text C:\Windows\Explorer.EXE[4020] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00110804
.text C:\Windows\Explorer.EXE[4020] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 001101F8
.text C:\Windows\Explorer.EXE[4020] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00110600
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[4144] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000A03FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[4144] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000A01F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[4144] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[4144] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00140A08
.text
C:\Program Files\Windows Media Player\wmpnetwk.exe[4144] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 001403FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4144] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00140804 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4144] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 001401F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4144] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00140600 .text C:\Windows\system32\AUDIODG.EXE[4448] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62] .text C:\Users\Asia\Desktop\Help\mu4ekhe8.exe[4488] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62] .text C:\Windows\System32\WUDFHost.exe[4952] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000603FC .text C:\Windows\System32\WUDFHost.exe[4952] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000601F8 .text C:\Windows\System32\WUDFHost.exe[4952] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62] .text C:\Windows\System32\WUDFHost.exe[4952] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00100A08 .text C:\Windows\System32\WUDFHost.exe[4952] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 001003FC .text C:\Windows\System32\WUDFHost.exe[4952] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00100804 .text C:\Windows\System32\WUDFHost.exe[4952] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 001001F8 .text C:\Windows\System32\WUDFHost.exe[4952] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00100600 .text C:\Windows\notepad.exe[5204] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000603FC .text C:\Windows\notepad.exe[5204] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000601F8 .text C:\Windows\notepad.exe[5204] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62] .text C:\Windows\notepad.exe[5204] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00100A08 .text C:\Windows\notepad.exe[5204] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 001003FC .text C:\Windows\notepad.exe[5204] 
USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00100804 .text C:\Windows\notepad.exe[5204] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 001001F8 .text C:\Windows\notepad.exe[5204] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00100600 .text C:\Windows\system32\wuauclt.exe[5660] ntdll.dll!LdrUnloadDll 77CFC86E 5 Bytes JMP 000703FC .text C:\Windows\system32\wuauclt.exe[5660] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000701F8 .text C:\Windows\system32\wuauclt.exe[5660] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62] .text C:\Windows\system32\wuauclt.exe[5660] USER32.dll!UnhookWindowsHookEx 7765ADF9 5 Bytes JMP 00100A08 .text C:\Windows\system32\wuauclt.exe[5660] USER32.dll!UnhookWinEvent 7765B750 5 Bytes JMP 001003FC .text C:\Windows\system32\wuauclt.exe[5660] USER32.dll!SetWindowsHookExW 7765E30C 5 Bytes JMP 00100804 .text C:\Windows\system32\wuauclt.exe[5660] USER32.dll!SetWinEventHook 776624DC 5 Bytes JMP 001001F8 .text C:\Windows\system32\wuauclt.exe[5660] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00100600 ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1484] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [71E8F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[1496] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [71E8F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Windows\System32\rundll32.exe[2544] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75D6FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[2544] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75D6FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[2544] @ 
C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75D6FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[2544] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75D6FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\ACPI_HAL \Device\00000049 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0f8daca55c9 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0f8daca55c9@1886ac304fdb 0xA4 0x88 0x18 0x1F ... 
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0f8daca55c9 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0f8daca55c9@1886ac304fdb 0xA4 0x88 0x18 0x1F ... ---- EOF - GMER 1.0.15 ----
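The user-mode `.text` hook entries in a log like this are easier to reason about once they are grouped per process and per hooked export, because the same seven USER32/ntdll exports are patched in almost every process and the JMP targets are never attributed to a module. The parser below is an added example written for this page; it is not part of GMER and not something the log's poster ran. Its regex is inferred from the line shapes seen above (GMER publishes no formal grammar, so treat it as an assumption), the sample input is copied from the log, and the "shared trampoline layout" heuristic (equal low 16 bits of the JMP targets across processes, i.e. the same offset inside a 64 KB allocation) is an analyst's rule of thumb, not a GMER verdict.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Two ".text" shapes occur in the log: a 5-byte JMP (optionally followed by the
# module GMER could attribute the target to) and an N-byte inline patch shown
# as "[hex bytes]". Assumption: inferred from the sample lines, not a GMER spec.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+)"
    r"(?:\s+\+\s+(?P<offset>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<target_module>\S.*?)\s+\((?P<desc>[^()]*)\))?"
    r"|\[(?P<patch>[0-9A-Fa-f]{2}(?:\s+[0-9A-Fa-f]{2})*)\])\s*$"
)


@dataclass
class Hook:
    image: str
    pid: int
    module: str
    export: str
    offset: int            # byte offset into the export; 0 means the prologue
    addr: int              # patched address
    size: int              # number of bytes GMER reports as changed
    kind: str              # "jmp" (target unattributed), "jmp_module", "patch"
    target: Optional[int] = None
    target_module: Optional[str] = None
    patch: bytes = b""

    @property
    def process(self) -> str:
        return f"{self.image.rsplit(chr(92), 1)[-1]}[{self.pid}]"


def parse_hook_line(line: str) -> Optional[Hook]:
    """Return a Hook for a '.text' line, or None for any other GMER line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    common = dict(image=m["image"], pid=int(m["pid"]), module=m["module"],
                  export=m["export"], offset=int(m["offset"] or "0", 16),
                  addr=int(m["addr"], 16), size=int(m["size"]))
    if m["patch"] is not None:
        return Hook(kind="patch", patch=bytes.fromhex(m["patch"].replace(" ", "")), **common)
    kind = "jmp_module" if m["target_module"] else "jmp"
    return Hook(kind=kind, target=int(m["target"], 16),
                target_module=m["target_module"], **common)


def parse_log(text: str) -> List[Hook]:
    return [h for h in (parse_hook_line(l) for l in text.splitlines()) if h]


def hooks_by_process(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Which exports are hooked in each process, in log order."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for h in hooks:
        grouped[h.process].append(f"{h.module}!{h.export}")
    return dict(grouped)


def trampoline_layout(hooks: List[Hook]) -> Dict[str, Dict[str, list]]:
    """For every export hooked by an unattributed JMP, list the processes and the
    distinct values of target & 0xFFFF. Windows hands out VirtualAlloc regions on
    64 KB boundaries, so one shared low-16-bit value across many processes means
    the trampolines sit at the same offset of an identically laid-out allocation:
    one hooking library mapped into each process, not per-process code."""
    acc = defaultdict(lambda: {"processes": set(), "alloc_offsets": set()})
    for h in hooks:
        if h.kind != "jmp":
            continue
        key = f"{h.module}!{h.export}"
        acc[key]["processes"].add(h.process)
        acc[key]["alloc_offsets"].add(h.target & 0xFFFF)
    return {k: {"processes": sorted(v["processes"]),
                "alloc_offsets": sorted(v["alloc_offsets"])} for k, v in acc.items()}


# Sample input copied from the log above (an IAT line is included to show that
# non-".text" entries are skipped by the parser).
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[3336] USER32.dll!MessageBoxExW 776AE9ED 5 Bytes JMP 6DFA8E0F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Windows\system32\csrss.exe[3504] kernel32.dll!GetBinaryTypeW + 70 761969F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[3528] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[3528] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 000C0600
.text C:\Windows\Explorer.EXE[4020] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000601F8
.text C:\Windows\Explorer.EXE[4020] USER32.dll!SetWindowsHookExA 77686D0C 5 Bytes JMP 00110600
.text C:\Windows\notepad.exe[5204] ntdll.dll!LdrLoadDll 77D0223E 5 Bytes JMP 000601F8
IAT C:\Windows\System32\rundll32.exe[2544] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75D6FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
"""

if __name__ == "__main__":
    hooks = parse_log(SAMPLE_LOG)
    for proc, names in hooks_by_process(hooks).items():
        print(f"{proc}: {', '.join(names)}")
    for export, info in trampoline_layout(hooks).items():
        offsets = ", ".join(f"{o:04X}" for o in info["alloc_offsets"])
        print(f"{export}: {len(info['processes'])} process(es), offsets {offsets}")
```

Run it against the full log and the output shows every hooked process sharing one offset per export (LdrLoadDll at xxxx01F8, SetWindowsHookExA at xxxx0600, and so on). That tells you the hooks come from one library loaded into each process; it does not tell you which library. Attributing the targets still means opening one of the processes with a debugger or Process Explorer and checking what is mapped at, for example, 0x00060000 in Explorer.EXE, and comparing the DLL list of a hooked process with an unhooked one such as CCC.exe, where only the 1-byte GetBinaryTypeW change appears.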