GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-04-18 20:11:40
Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MHZ2320BH_G2 rev.00000009 298,09GB
Running: qs0j78zu.exe; Driver: C:\Users\wzur\AppData\Local\Temp\aftcyaob.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8F483FC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x9384D510]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8F486456]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8F4864AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8F4865C4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8F4863AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8F4864FE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8F486400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8F486572]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8F483FE8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x9384D5C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8F483DB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8F48400C]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0x92A2614A]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0x92A2621A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8F486486]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8F4864D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8F4865EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8F4863D8]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x92A25D7C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8F48653E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8F48642E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8F48659C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x9384D658]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8F48496A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8F484030]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8F484054]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8F483E0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8F483F48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8F483F24]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwSuspendProcess [0x92A25F6A]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwSuspendThread [0x92A26000]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8F483F6C]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x92A25E32]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x92A25ECE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8F484078]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x92A2609C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x938617A2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82C5F5C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C84092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 244 82C8B884 4 Bytes [C4, 3F, 48, 8F]
.text ntkrnlpa.exe!RtlSidHashLookup + 26C 82C8B8AC 4 Bytes [10, D5, 84, 93]
.text ntkrnlpa.exe!RtlSidHashLookup + 320 82C8B960 8 Bytes [56, 64, 48, 8F, AE, 64, 48, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 32C 82C8B96C 4 Bytes [C4, 65, 48, 8F]
.text ntkrnlpa.exe!RtlSidHashLookup + 348 82C8B988 4 Bytes [AC, 63, 48, 8F] {LODSB ; ARPL [EAX-0x71], CX}
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82E253BE 5 Bytes JMP 9385E69C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82E3F0CD 5 Bytes JMP 93860174 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82E8975A 1 Byte [C6]
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82E8975A 4 Bytes CALL 8F485025 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82E9186B 1 Byte [CB]
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82E9186B 4 Bytes CALL 8F48503B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82EF74FE 7 Bytes JMP 938617A6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text ataport.SYS!AtaPortGetScatterGatherList + B44 839BD44E 1 Byte [CC] {INT 3 }
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9422B000, 0x2D5378, 0xE8000020]
.text win32k.sys!EngMultiByteToUnicodeN + 7220 8246A059 5 Bytes JMP 8F486F90 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngIsSemaphoreOwned + 8A2B 824810B4 5 Bytes JMP 8F4870D6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XFORMOBJ_iGetXform + 3330 824B667D 5 Bytes JMP 8F486B9A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCTGetGammaTable + 18AB 824BD046 5 Bytes JMP 8F486FBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bEnum + 79A7 824D95A0 5 Bytes JMP 8F486C0A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bEnum + 868E 824DA287 5 Bytes JMP 8F486ABE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bEnum + 927E 824DAE77 5 Bytes JMP 8F486DE6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateSemaphore + CA10 824F80BE 5 Bytes JMP 8F4869F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngLpkInstalled + 6119 825196EA 5 Bytes JMP 8F486AD6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!STROBJ_bEnum + 9A22 82541C2E 5 Bytes JMP 8F486D4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bPolyBezierTo + F8 8255D790 5 Bytes JMP 8F486D14 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + EB5 825979DF 5 Bytes JMP 8F486C6E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCTGetCurrentGamma + 1C88 8259BA0A 5 Bytes JMP 8F486CA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!CLIPOBJ_cEnumStart + 6DC0 825A7485 5 Bytes JMP 8F486B56 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

---- User code sections - GMER 2.1 ----

.text C:\Program Files\AVG\AVG2013\avgidsagent.exe[332] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Program Files\AVG\AVG2013\avgidsagent.exe[332] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Program Files\AVG\AVG2013\avgidsagent.exe[332] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Program Files\AVG\AVG2013\avgidsagent.exe[332] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00120A08
.text C:\Program Files\AVG\AVG2013\avgidsagent.exe[332] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 001203FC
.text C:\Program Files\AVG\AVG2013\avgidsagent.exe[332] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 00120804
.text C:\Program Files\AVG\AVG2013\avgidsagent.exe[332] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 001201F8
.text C:\Program Files\AVG\AVG2013\avgidsagent.exe[332] USER32.dll!SetWindowsHookExA 76866DFA 3 Bytes JMP 00120600
.text C:\Program Files\AVG\AVG2013\avgidsagent.exe[332] USER32.dll!SetWindowsHookExA + 4 76866DFE 1 Byte [89]
.text C:\Program Files\AVG\AVG2013\avgwdsvc.exe[348] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Program Files\AVG\AVG2013\avgwdsvc.exe[348] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Program Files\AVG\AVG2013\avgwdsvc.exe[348] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Program Files\AVG\AVG2013\avgwdsvc.exe[348] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00210A08
.text C:\Program Files\AVG\AVG2013\avgwdsvc.exe[348] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 002103FC
.text C:\Program Files\AVG\AVG2013\avgwdsvc.exe[348] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 00210804
.text C:\Program Files\AVG\AVG2013\avgwdsvc.exe[348] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 002101F8
.text C:\Program Files\AVG\AVG2013\avgwdsvc.exe[348] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00210600
.text C:\Windows\system32\csrss.exe[384] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\csrss.exe[456] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\wininit.exe[464] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[464] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[464] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\wininit.exe[464] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 000C0A08
.text C:\Windows\system32\wininit.exe[464] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 000C03FC
.text C:\Windows\system32\wininit.exe[464] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 000C0804
.text C:\Windows\system32\wininit.exe[464] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 000C01F8
.text C:\Windows\system32\wininit.exe[464] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 000C0600
.text C:\Windows\system32\winlogon.exe[512] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[512] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[512] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[512] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 000C0A08
.text C:\Windows\system32\winlogon.exe[512] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 000C03FC
.text C:\Windows\system32\winlogon.exe[512] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 000C0804
.text C:\Windows\system32\winlogon.exe[512] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 000C01F8
.text C:\Windows\system32\winlogon.exe[512] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 000C0600
.text C:\Windows\system32\services.exe[560] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Windows\system32\services.exe[560] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Windows\system32\services.exe[560] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\lsass.exe[568] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsass.exe[568] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsass.exe[568] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\PnkBstrA.exe[572] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 001503FC
.text C:\Windows\system32\PnkBstrA.exe[572] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 001501F8
.text C:\Windows\system32\PnkBstrA.exe[572] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\PnkBstrA.exe[572] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 001E0A08
.text C:\Windows\system32\PnkBstrA.exe[572] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 001E03FC
.text C:\Windows\system32\PnkBstrA.exe[572] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 001E0804
.text C:\Windows\system32\PnkBstrA.exe[572] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 001E01F8
.text C:\Windows\system32\PnkBstrA.exe[572] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 001E0600
.text C:\Windows\system32\lsm.exe[576] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsm.exe[576] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsm.exe[576] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\svchost.exe[676] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[676] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[676] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\svchost.exe[772] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[772] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[772] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\svchost.exe[772] user32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 002C0A08
.text C:\Windows\system32\svchost.exe[772] user32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 002C03FC
.text C:\Windows\system32\svchost.exe[772] user32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 002C0804
.text C:\Windows\system32\svchost.exe[772] user32.dll!SetWinEventHook 7684507E 5 Bytes JMP 002C01F8
.text C:\Windows\system32\svchost.exe[772] user32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 002C0600
.text C:\Program Files\AVG\AVG2013\avgui.exe[780] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Program Files\AVG\AVG2013\avgui.exe[780] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Program Files\AVG\AVG2013\avgui.exe[780] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Program Files\AVG\AVG2013\avgui.exe[780] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00210A08
.text C:\Program Files\AVG\AVG2013\avgui.exe[780] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 002103FC
.text C:\Program Files\AVG\AVG2013\avgui.exe[780] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 00210804
.text C:\Program Files\AVG\AVG2013\avgui.exe[780] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 002101F8
.text C:\Program Files\AVG\AVG2013\avgui.exe[780] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00210600
.text C:\Windows\system32\atiesrxx.exe[820] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 001603FC
.text C:\Windows\system32\atiesrxx.exe[820] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 001601F8
.text C:\Windows\system32\atiesrxx.exe[820] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\atiesrxx.exe[820] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 001F0A08
.text C:\Windows\system32\atiesrxx.exe[820] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 001F03FC
.text C:\Windows\system32\atiesrxx.exe[820] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 001F0804
.text C:\Windows\system32\atiesrxx.exe[820] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 001F01F8
.text C:\Windows\system32\atiesrxx.exe[820] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 001F0600
.text C:\Windows\System32\svchost.exe[896] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[896] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[896] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\System32\svchost.exe[896] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 002F0A08
.text C:\Windows\System32\svchost.exe[896] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 002F03FC
.text C:\Windows\System32\svchost.exe[896] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 002F0804
.text C:\Windows\System32\svchost.exe[896] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 002F01F8
.text C:\Windows\System32\svchost.exe[896] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 002F0600
.text C:\Windows\System32\svchost.exe[964] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[964] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[964] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\System32\svchost.exe[964] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00430A08
.text C:\Windows\System32\svchost.exe[964] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 004303FC
.text C:\Windows\System32\svchost.exe[964] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 00430804
.text C:\Windows\System32\svchost.exe[964] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 004301F8
.text C:\Windows\System32\svchost.exe[964] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00430600
.text C:\Windows\system32\svchost.exe[988] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[988] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[988] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\svchost.exe[988] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00E00A08
.text C:\Windows\system32\svchost.exe[988] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 00E003FC
.text C:\Windows\system32\svchost.exe[988] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 00E00804
.text C:\Windows\system32\svchost.exe[988] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 00E001F8
.text C:\Windows\system32\svchost.exe[988] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00E00600
.text C:\Windows\system32\svchost.exe[1124] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1124] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1124] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1124] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 008D0A08
.text C:\Windows\system32\svchost.exe[1124] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 008D03FC
.text C:\Windows\system32\svchost.exe[1124] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 008D0804
.text C:\Windows\system32\svchost.exe[1124] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 008D01F8
.text C:\Windows\system32\svchost.exe[1124] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 008D0600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1168] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 001703FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1168] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 001701F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1168] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1168] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00220A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1168] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 002203FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1168] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 00220804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1168] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 002201F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1168] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00220600
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1208] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1236] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1236] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1236] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 009C0A08
.text C:\Windows\system32\svchost.exe[1236] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 009C03FC
.text C:\Windows\system32\svchost.exe[1236] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 009C0804
.text C:\Windows\system32\svchost.exe[1236] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 009C01F8
.text C:\Windows\system32\svchost.exe[1236] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 009C0600
.text C:\Windows\system32\AUDIODG.EXE[1292] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1312] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1312] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1400] kernel32.dll!SetUnhandledExceptionFilter 767A3142 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1400] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\atieclxx.exe[1468] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 001603FC
.text C:\Windows\system32\atieclxx.exe[1468] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 001601F8
.text C:\Windows\system32\atieclxx.exe[1468] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\atieclxx.exe[1468] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 001F0A08
.text C:\Windows\system32\atieclxx.exe[1468] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 001F03FC
.text C:\Windows\system32\atieclxx.exe[1468] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 001F0804
.text C:\Windows\system32\atieclxx.exe[1468] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 001F01F8
.text C:\Windows\system32\atieclxx.exe[1468] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 001F0600
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1532] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 001603FC
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1532] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 001601F8
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1532] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1532] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00310A08
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1532] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 003103FC
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1532] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 00310804
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1532] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 003101F8
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1532] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00310600
.text C:\Windows\System32\spoolsv.exe[1876] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Windows\System32\spoolsv.exe[1876] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Windows\System32\spoolsv.exe[1876] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1876] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00100A08
.text C:\Windows\System32\spoolsv.exe[1876] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 001003FC
.text C:\Windows\System32\spoolsv.exe[1876] USER32.dll!SetWindowsHookExW 7684210A 3 Bytes JMP 00100804
.text C:\Windows\System32\spoolsv.exe[1876] USER32.dll!SetWindowsHookExW + 4 7684210E 1 Byte [89]
.text C:\Windows\System32\spoolsv.exe[1876] USER32.dll!SetWinEventHook 7684507E 3 Bytes JMP 001001F8
.text C:\Windows\System32\spoolsv.exe[1876] USER32.dll!SetWinEventHook + 4 76845082 1 Byte [89]
.text C:\Windows\System32\spoolsv.exe[1876] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00100600
.text C:\Windows\system32\taskeng.exe[1884] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Windows\system32\taskeng.exe[1884] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Windows\system32\taskeng.exe[1884] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[1884] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00080A08
.text C:\Windows\system32\taskeng.exe[1884] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 000803FC
.text C:\Windows\system32\taskeng.exe[1884] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 00080804
.text C:\Windows\system32\taskeng.exe[1884] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 000801F8
.text C:\Windows\system32\taskeng.exe[1884] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00080600
.text C:\Windows\system32\svchost.exe[1912] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1912] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1912] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00280A08
.text C:\Windows\system32\svchost.exe[1912] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 002803FC
.text C:\Windows\system32\svchost.exe[1912] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 00280804
.text C:\Windows\system32\svchost.exe[1912] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 002801F8
.text C:\Windows\system32\svchost.exe[1912] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00280600
.text C:\Windows\system32\rundll32.exe[1964] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000703FC
.text C:\Windows\system32\rundll32.exe[1964] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000701F8
.text C:\Windows\system32\rundll32.exe[1964] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\rundll32.exe[1964] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00110A08
.text C:\Windows\system32\rundll32.exe[1964] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 001103FC
.text C:\Windows\system32\rundll32.exe[1964] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 00110804
.text C:\Windows\system32\rundll32.exe[1964] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 001101F8
.text C:\Windows\system32\rundll32.exe[1964] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00110600
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000703FC
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000701F8
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00100A08
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 001003FC
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] USER32.dll!SetWindowsHookExW 7684210A 3 Bytes JMP 00100804
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] USER32.dll!SetWindowsHookExW + 4 7684210E 1 Byte [89]
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] USER32.dll!SetWinEventHook 7684507E 3 Bytes JMP 001001F8
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] USER32.dll!SetWinEventHook + 4 76845082 1 Byte [89]
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00100600
.text C:\Program Files\AVG\AVG2013\avgnsx.exe[2164] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Program Files\AVG\AVG2013\avgnsx.exe[2164] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Program Files\AVG\AVG2013\avgnsx.exe[2164] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2376] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 001603FC
.text C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2376] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 001601F8
.text C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2376] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2376] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00200A08
.text C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2376] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 002003FC
.text C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2376] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 00200804
.text C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2376] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 002001F8
.text C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2376] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00200600
.text C:\Windows\system32\Dwm.exe[2440] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000A03FC
.text C:\Windows\system32\Dwm.exe[2440] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000A01F8
.text C:\Windows\system32\Dwm.exe[2440] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[2440] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00130A08
.text C:\Windows\system32\Dwm.exe[2440] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 001303FC
.text C:\Windows\system32\Dwm.exe[2440] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 00130804
.text C:\Windows\system32\Dwm.exe[2440] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 001301F8
.text C:\Windows\system32\Dwm.exe[2440] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00130600
.text C:\Windows\system32\svchost.exe[2536] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[2536] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[2536] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2536] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 001F0A08
.text C:\Windows\system32\svchost.exe[2536] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 001F03FC
.text C:\Windows\system32\svchost.exe[2536] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 001F0804
.text C:\Windows\system32\svchost.exe[2536] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 001F01F8
.text C:\Windows\system32\svchost.exe[2536] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 001F0600
.text C:\Windows\Explorer.EXE[2628] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Windows\Explorer.EXE[2628] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Windows\Explorer.EXE[2628] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\Explorer.EXE[2628] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00250A08
.text C:\Windows\Explorer.EXE[2628] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 002503FC
.text C:\Windows\Explorer.EXE[2628] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 00250804
.text C:\Windows\Explorer.EXE[2628] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 002501F8
.text C:\Windows\Explorer.EXE[2628] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00250600
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[2976] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 001703FC
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[2976] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 001701F8
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[2976] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[2976] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00210A08
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[2976] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 002103FC
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[2976] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 00210804
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[2976] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 002101F8
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[2976] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00210600
.text C:\Users\wzur\Desktop\qs0j78zu.exe[3048] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 001603FC
.text C:\Users\wzur\Desktop\qs0j78zu.exe[3048] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 001601F8
.text C:\Users\wzur\Desktop\qs0j78zu.exe[3048] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Users\wzur\Desktop\qs0j78zu.exe[3048] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00220A08
.text C:\Users\wzur\Desktop\qs0j78zu.exe[3048] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 002203FC
.text C:\Users\wzur\Desktop\qs0j78zu.exe[3048] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 00220804
.text C:\Users\wzur\Desktop\qs0j78zu.exe[3048] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 002201F8
.text C:\Users\wzur\Desktop\qs0j78zu.exe[3048] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00220600
.text C:\Program Files\DAEMON Tools Lite\DTLite.exe[3236] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 001603FC
.text C:\Program Files\DAEMON Tools Lite\DTLite.exe[3236] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 001601F8
.text C:\Program Files\DAEMON Tools Lite\DTLite.exe[3236] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Program Files\DAEMON Tools Lite\DTLite.exe[3236] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00300A08
.text C:\Program Files\DAEMON Tools Lite\DTLite.exe[3236] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 003003FC
.text C:\Program Files\DAEMON Tools Lite\DTLite.exe[3236] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 00300804
.text C:\Program Files\DAEMON Tools Lite\DTLite.exe[3236] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 003001F8
.text C:\Program Files\DAEMON Tools Lite\DTLite.exe[3236] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00300600
.text C:\Windows\system32\svchost.exe[3256] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[3256] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[3256] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC
.text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 023B0A08
.text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 023B03FC
.text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 023B0804
.text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 023B01F8
.text C:\Program Files\Gadu-Gadu 10\gg.exe[3304]
USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 023B0600 .text C:\Windows\system32\SearchIndexer.exe[3424] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC .text C:\Windows\system32\SearchIndexer.exe[3424] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8 .text C:\Windows\system32\SearchIndexer.exe[3424] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[3424] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00090A08 .text C:\Windows\system32\SearchIndexer.exe[3424] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 000903FC .text C:\Windows\system32\SearchIndexer.exe[3424] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 00090804 .text C:\Windows\system32\SearchIndexer.exe[3424] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 000901F8 .text C:\Windows\system32\SearchIndexer.exe[3424] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00090600 .text C:\Program Files\Opera\opera.exe[3644] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000603FC .text C:\Program Files\Opera\opera.exe[3644] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8 .text C:\Program Files\Opera\opera.exe[3644] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62] .text C:\Program Files\Opera\opera.exe[3644] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 000F0A08 .text C:\Program Files\Opera\opera.exe[3644] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 000F03FC .text C:\Program Files\Opera\opera.exe[3644] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 000F0804 .text C:\Program Files\Opera\opera.exe[3644] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 000F01F8 .text C:\Program Files\Opera\opera.exe[3644] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 000F0600 .text C:\Windows\system32\taskhost.exe[3976] ntdll.dll!LdrUnloadDll 771BBE7F 5 Bytes JMP 000503FC .text C:\Windows\system32\taskhost.exe[3976] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000501F8 .text C:\Windows\system32\taskhost.exe[3976] kernel32.dll!GetBinaryTypeW + 70 767B7964 
1 Byte [62] .text C:\Windows\system32\taskhost.exe[3976] USER32.dll!UnhookWindowsHookEx 7683CC7B 5 Bytes JMP 00220A08 .text C:\Windows\system32\taskhost.exe[3976] USER32.dll!UnhookWinEvent 7683D924 5 Bytes JMP 002203FC .text C:\Windows\system32\taskhost.exe[3976] USER32.dll!SetWindowsHookExW 7684210A 5 Bytes JMP 00220804 .text C:\Windows\system32\taskhost.exe[3976] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 002201F8 .text C:\Windows\system32\taskhost.exe[3976] USER32.dll!SetWindowsHookExA 76866DFA 5 Bytes JMP 00220600 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\rundll32.exe[1964] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [751D5D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\rundll32.exe[1964] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [751D5D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\rundll32.exe[1964] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [751D5D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\rundll32.exe[1964] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [751D5D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73B0250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73B02494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] 
[73AE5624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73AE56E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73AF8573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73AF4D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73AF50CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73AF51A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73AF66D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73AF82CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2628] 
@ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73AF8819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73AF907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73AFE21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2628] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73AF4C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) 
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS >>UNKNOWN [0x86a41b61]<< 86a41b61 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x865e6438] 865e6438 Trace 3 CLASSPNP.SYS[8b38659e] -> nt!IofCallDriver -> [0x8573a918] 8573a918 Trace 5 ACPI.sys[838943b2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x864de908] 864de908 ---- Threads - GMER 2.1 ---- Thread System [4:308] 86B380F4 ---- EOF - GMER 2.1 ----
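Triage helper for the user-mode inline hooks listed above. This is an added example, not part of the GMER log or of GMER itself. GMER resolves a module name only for the IAT entries (apphelp.dll, gdiplus.dll); for the `.text` entries it reports the patched bytes and the JMP target but not which library installed them, so the first question is whether the hooks look like one system-wide hooking library applied to every process or like something specific to one process. The script parses the `.text` entry format, groups entries by hooked symbol and address (the address is identical across processes because the ASLR base of ntdll/kernel32/USER32 is fixed for a boot), and compares the hook size and the low 16 bits of the JMP target across processes. In the log above the targets differ per process (000601F8, 000A01F8, 001601F8, ...) but the offset within the trampoline page is constant (01F8 for LdrLoadDll, 03FC for LdrUnloadDll, 0A08 for UnhookWindowsHookEx, and so on), and the entry that breaks the pattern is armsvc.exe, where GMER split the same SetWinEventHook hook into a 3-byte JMP plus a 1-byte `[89]` at +4. Attribution of the hooks to a specific product is not something the log supports and the script does not attempt it; it only separates the uniform pattern from the outliers a person should look at. It also does not cover the kernel-side items (the `>>UNKNOWN [0x86a41b61]<<` hop in the disk I/O trace), which need a kernel debugger or a memory image rather than a log. `SAMPLE` is a subset of lines copied from the log; the regex, function names and the `min_procs` threshold are this example's own.

```python
"""Group GMER 2.1 '.text' inline-hook entries and flag the ones that break the pattern."""
import re
from collections import defaultdict

# One GMER 2.1 user-code entry. Two shapes appear in the log:
#   .text C:\...\Dwm.exe[2440] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000A01F8
#   .text C:\...\armsvc.exe[2040] USER32.dll!SetWinEventHook + 4 76845082 1 Byte [89]
# (regex written for this example; it is not GMER's own grammar)
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<sym>\S+!\S+(?:\s\+\s[0-9A-Fa-f]+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|(?P<bytes>\[[0-9A-Fa-f ]+\]))\s*$"
)

# Lines copied from the log above (a subset; section headers are skipped by the parser).
SAMPLE = r"""
---- User code sections - GMER 2.1 ----
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] USER32.dll!SetWinEventHook 7684507E 3 Bytes JMP 001001F8
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] USER32.dll!SetWinEventHook + 4 76845082 1 Byte [89]
.text C:\Program Files\AVG\AVG2013\avgnsx.exe[2164] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Program Files\AVG\AVG2013\avgnsx.exe[2164] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[2440] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000A01F8
.text C:\Windows\system32\Dwm.exe[2440] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[2440] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 001301F8
.text C:\Windows\Explorer.EXE[2628] ntdll.dll!LdrLoadDll 771BF585 5 Bytes JMP 000601F8
.text C:\Windows\Explorer.EXE[2628] kernel32.dll!GetBinaryTypeW + 70 767B7964 1 Byte [62]
.text C:\Windows\Explorer.EXE[2628] USER32.dll!SetWinEventHook 7684507E 5 Bytes JMP 002501F8
"""


def parse_hooks(text):
    """Return one dict per recognised .text entry; every other line is ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        hooks.append(entry)
    return hooks


def triage(hooks):
    """Group by (symbol, hooked address) and summarise how uniform each hook is.

    JMP targets differ per process because the trampoline page is mapped at a
    different base in each one, so only the low 16 bits (offset within that
    page) are compared. One size and one offset across all processes means the
    same library patched the same way everywhere.
    """
    groups = defaultdict(list)
    for h in hooks:
        groups[(h["sym"], h["addr"])].append(h)
    summary = {}
    for key, entries in groups.items():
        sizes = sorted({e["size"] for e in entries})
        offsets = sorted({int(e["target"], 16) & 0xFFFF for e in entries if e["target"]})
        raw = sorted({e["bytes"] for e in entries if e["bytes"]})
        summary[key] = {
            "procs": sorted({f'{e["proc"]}[{e["pid"]}]' for e in entries}),
            "sizes": sizes,
            "offsets": offsets,
            "raw": raw,
            "consistent": len(sizes) == 1 and len(offsets) <= 1 and len(raw) <= 1,
        }
    return summary


def outliers(summary, min_procs=2):
    """Hooks to look at by hand: non-uniform patches, or seen in fewer than min_procs processes."""
    return sorted(
        key for key, v in summary.items()
        if not v["consistent"] or len(v["procs"]) < min_procs
    )


if __name__ == "__main__":
    summary = triage(parse_hooks(SAMPLE))
    flagged = set(outliers(summary))
    for (sym, addr), v in sorted(summary.items()):
        mark = "  <-- check" if (sym, addr) in flagged else ""
        print(f'{sym} @ {addr}: {len(v["procs"])} proc(s), sizes {v["sizes"]}, '
              f'offsets {[hex(o) for o in v["offsets"]]}, raw {v["raw"]}{mark}')
```

Run against the full log rather than `SAMPLE`, the same grouping shows every ntdll, kernel32 and USER32 hook with one size and one page offset across all processes, with armsvc.exe's split SetWinEventHook entry as the only deviation; that is the point at which to check which DLL owns the trampoline pages (for example with a live process-memory inspection), since the log does not say.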