GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-08-15 15:49:57
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500DM002-1BD142 rev.KC45 465,76GB
Running: t0x0fwed.exe; Driver: C:\Users\Daniel\AppData\Local\Temp\uwdirpod.sys

---- System - GMER 2.1 ----

SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwAddBootEntry [0x910A1610]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwAllocateVirtualMemory [0x9478B5FA]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwAssignProcessToJobObject [0x910A20E6]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateEvent [0x910ADF18]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateEventPair [0x910ADF64]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateIoCompletion [0x910AE0FE]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateMutant [0x910ADE86]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateSection [0x9478B992]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateSemaphore [0x910ADECE]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateThread [0x910A25E4]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateThreadEx [0x910A2800]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateTimer [0x910AE0B8]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDebugActiveProcess [0x910A2E9C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDeleteBootEntry [0x910A1676]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDuplicateObject [0x910A6596]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwFreeVirtualMemory [0x9478B6C2]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwLoadDriver [0x94789C12]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwModifyBootEntry [0x910A16DC]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwNotifyChangeKey [0x910A698C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwNotifyChangeMultipleKeys [0x910A392C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenEvent [0x910ADF42]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenEventPair [0x910ADF86]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenIoCompletion [0x910AE122]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenMutant [0x910ADEAC]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenProcess [0x910A5E78]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenSection [0x910AE036]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenSemaphore [0x910ADEF6]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenThread [0x910A626E]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenTimer [0x910AE0DC]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwProtectVirtualMemory [0x9478B822]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwQueryObject [0x910A37F8]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwQueueApcThreadEx [0x910A3506]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetBootEntryOrder [0x910A1742]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetBootOptions [0x910A17A8]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetContextThread [0x910A2D16]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetSystemInformation [0x910A12F8]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetSystemPowerState [0x910A14CE]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwShutdownSystem [0x910A145C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSuspendProcess [0x910A3066]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSuspendThread [0x910A31C8]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSystemDebugControl [0x910A1556]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwTerminateProcess [0x9478B8EA]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwTerminateThread [0x910A2CF6]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwUnloadDriver [0x94789C42]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwVdmControl [0x910A180E]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwWriteVirtualMemory [0x9478B76E]

Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateProcessEx [0x947A4E00]
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObMakeTemporaryObject

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwRollbackEnlistment + 140D  82E429F5 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  82E7C1F2 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 10CB  82E83410 4 Bytes  [10, 16, 0A, 91]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 10F3  82E83438 4 Bytes  [FA, B5, 78, 94] {CLI ; MOV CH, 0x78; XCHG ESP, EAX}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1153  82E83498 4 Bytes  [E6, 20, 0A, 91]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 11A7  82E834EC 8 Bytes  [18, DF, 0A, 91, 64, DF, 0A, ...] {SBB BH, BL; OR DL, [ECX-0x6ef5209c]}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 11B3  82E834F8 4 Bytes  [FE, E0, 0A, 91]
.text  ...
PAGE  ntkrnlpa.exe!ObMakeTemporaryObject  83010D3D 5 Bytes  JMP 947A1C9A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE  ntkrnlpa.exe!ObInsertObject + 27  83029380 5 Bytes  JMP 947A37CC \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE  ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108  8303E4DF 4 Bytes  CALL 910A3FEF \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE  ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122  83058333 4 Bytes  CALL 910A4005 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE  ntkrnlpa.exe!ZwCreateProcessEx  830E221C 7 Bytes  JMP 947A4E04 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text  user32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  [E9, 0A, 5C, 7A, 88] {JMP 0x887a5c0f}
.text  user32.dll!UnhookWinEvent  77B6B750 5 Bytes  [E9, A7, 4C, 7A, 88] {JMP 0x887a4cac}
.text  user32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  [E9, F3, 24, 7A, 88] {JMP 0x887a24f8}
.text  user32.dll!SetWinEventHook  77B724DC 5 Bytes  [E9, 17, DD, 79, 88] {JMP 0x8879dd1c}
.text  user32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  [E9, EF, 98, 77, 88] {JMP 0x887798f4}
.text  kernel32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  sechost.dll!SetServiceObjectSecurity  76485181 5 Bytes  [E9, 8E, BE, E6, 89] {JMP 0x89e6be93}
.text  sechost.dll!ChangeServiceConfigA  76485254 5 Bytes  [E9, AB, B5, E6, 89] {JMP 0x89e6b5b0}
.text  sechost.dll!ChangeServiceConfigW  764853D5 5 Bytes  [E9, 2E, B6, E6, 89] {JMP 0x89e6b633}
.text  sechost.dll!ChangeServiceConfig2A  764854C2 5 Bytes  [E9, 45, B7, E6, 89] {JMP 0x89e6b74a}
.text  sechost.dll!ChangeServiceConfig2W  764855E2 5 Bytes  [E9, 29, B8, E6, 89] {JMP 0x89e6b82e}
.text  sechost.dll!CreateServiceA  7648567C 5 Bytes  [E9, 77, AB, E6, 89] {JMP 0x89e6ab7c}
.text  sechost.dll!CreateServiceW  7648589F 5 Bytes  [E9, 58, AB, E6, 89] {JMP 0x89e6ab5d}
.text  sechost.dll!DeleteService  76485A22 5 Bytes  [E9, D9, AB, E6, 89] {JMP 0x89e6abde}

---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\svchost.exe[128] kernel32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Windows\system32\viakaraokesrv.exe[364] kernel32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Windows\system32\csrss.exe[444] kernel32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Windows\system32\wininit.exe[500] kernel32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Windows\system32\csrss.exe[508] kernel32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  ...
.text  C:\Users\Daniel\Desktop\t0x0fwed.exe[2908] ntdll.dll!LdrUnloadDll  77C8C86E 5 Bytes  JMP 002E03FC
.text  C:\Users\Daniel\Desktop\t0x0fwed.exe[2908] ntdll.dll!LdrLoadDll  77C9223E 5 Bytes  JMP 002E01F8
.text  C:\Users\Daniel\Desktop\t0x0fwed.exe[2908] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Users\Daniel\Desktop\t0x0fwed.exe[2908] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 00310A08
.text  C:\Users\Daniel\Desktop\t0x0fwed.exe[2908] USER32.dll!UnhookWinEvent  77B6B750 5 Bytes  JMP 003103FC
.text  C:\Users\Daniel\Desktop\t0x0fwed.exe[2908] USER32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  JMP 00310804
.text  C:\Users\Daniel\Desktop\t0x0fwed.exe[2908] USER32.dll!SetWinEventHook  77B724DC 5 Bytes  JMP 003101F8
.text  C:\Users\Daniel\Desktop\t0x0fwed.exe[2908] USER32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  JMP 00310600
.text  C:\Windows\system32\taskhost.exe[2920] ntdll.dll!LdrUnloadDll  77C8C86E 5 Bytes  JMP 000D03FC
.text  C:\Windows\system32\taskhost.exe[2920] ntdll.dll!LdrLoadDll  77C9223E 5 Bytes  JMP 000D01F8
.text  C:\Windows\system32\taskhost.exe[2920] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Windows\system32\taskhost.exe[2920] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 000E0A08
.text  C:\Windows\system32\taskhost.exe[2920] USER32.dll!UnhookWinEvent  77B6B750 5 Bytes  JMP 000E03FC
.text  C:\Windows\system32\taskhost.exe[2920] USER32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  JMP 000E0804
.text  C:\Windows\system32\taskhost.exe[2920] USER32.dll!SetWinEventHook  77B724DC 5 Bytes  JMP 000E01F8
.text  C:\Windows\system32\taskhost.exe[2920] USER32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  JMP 000E0600
.text  C:\Windows\system32\Dwm.exe[3044] ntdll.dll!LdrUnloadDll  77C8C86E 5 Bytes  JMP 001203FC
.text  C:\Windows\system32\Dwm.exe[3044] ntdll.dll!LdrLoadDll  77C9223E 5 Bytes  JMP 001201F8
.text  C:\Windows\system32\Dwm.exe[3044] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Windows\system32\Dwm.exe[3044] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 00130A08
.text  C:\Windows\system32\Dwm.exe[3044] USER32.dll!UnhookWinEvent  77B6B750 5 Bytes  JMP 001303FC
.text  C:\Windows\system32\Dwm.exe[3044] USER32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  JMP 00130804
.text  C:\Windows\system32\Dwm.exe[3044] USER32.dll!SetWinEventHook  77B724DC 5 Bytes  JMP 001301F8
.text  C:\Windows\system32\Dwm.exe[3044] USER32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  JMP 00130600
.text  C:\Windows\Explorer.EXE[3064] ntdll.dll!LdrUnloadDll  77C8C86E 5 Bytes  JMP 000703FC
.text  C:\Windows\Explorer.EXE[3064] ntdll.dll!LdrLoadDll  77C9223E 5 Bytes  JMP 000701F8
.text  C:\Windows\Explorer.EXE[3064] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Windows\Explorer.EXE[3064] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 00090A08
.text  C:\Windows\Explorer.EXE[3064] USER32.dll!UnhookWinEvent  77B6B750 5 Bytes  JMP 000903FC
.text  C:\Windows\Explorer.EXE[3064] USER32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  JMP 00090804
.text  C:\Windows\Explorer.EXE[3064] USER32.dll!SetWinEventHook  77B724DC 5 Bytes  JMP 000901F8
.text  C:\Windows\Explorer.EXE[3064] USER32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  JMP 00090600
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[3096] ntdll.dll!LdrUnloadDll  77C8C86E 5 Bytes  JMP 000E03FC
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[3096] ntdll.dll!LdrLoadDll  77C9223E 5 Bytes  JMP 000E01F8
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[3096] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[3096] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 00100A08
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[3096] USER32.dll!UnhookWinEvent  77B6B750 5 Bytes  JMP 001003FC
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[3096] USER32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  JMP 00100804
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[3096] USER32.dll!SetWinEventHook  77B724DC 5 Bytes  JMP 001001F8
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[3096] USER32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  JMP 00100600
.text  C:\Windows\system32\svchost.exe[3112] ntdll.dll!LdrUnloadDll  77C8C86E 5 Bytes  JMP 001E03FC
.text  C:\Windows\system32\svchost.exe[3112] ntdll.dll!LdrLoadDll  77C9223E 5 Bytes  JMP 001E01F8
.text  C:\Windows\system32\svchost.exe[3112] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Windows\system32\svchost.exe[3112] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 00240A08
.text  C:\Windows\system32\svchost.exe[3112] USER32.dll!UnhookWinEvent  77B6B750 5 Bytes  JMP 002403FC
.text  C:\Windows\system32\svchost.exe[3112] USER32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  JMP 00240804
.text  C:\Windows\system32\svchost.exe[3112] USER32.dll!SetWinEventHook  77B724DC 5 Bytes  JMP 002401F8
.text  C:\Windows\system32\svchost.exe[3112] USER32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  JMP 00240600
.text  C:\Windows\System32\rundll32.exe[3180] ntdll.dll!LdrUnloadDll  77C8C86E 5 Bytes  JMP 000C03FC
.text  C:\Windows\System32\rundll32.exe[3180] ntdll.dll!LdrLoadDll  77C9223E 5 Bytes  JMP 000C01F8
.text  C:\Windows\System32\rundll32.exe[3180] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Windows\System32\rundll32.exe[3180] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 000D0A08
.text  C:\Windows\System32\rundll32.exe[3180] USER32.dll!UnhookWinEvent  77B6B750 5 Bytes  JMP 000D03FC
.text  C:\Windows\System32\rundll32.exe[3180] USER32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  JMP 000D0804
.text  C:\Windows\System32\rundll32.exe[3180] USER32.dll!SetWinEventHook  77B724DC 5 Bytes  JMP 000D01F8
.text  C:\Windows\System32\rundll32.exe[3180] USER32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  JMP 000D0600
.text  C:\Windows\system32\DllHost.exe[3232] ntdll.dll!LdrUnloadDll  77C8C86E 5 Bytes  JMP 000D03FC
.text  C:\Windows\system32\DllHost.exe[3232] ntdll.dll!LdrLoadDll  77C9223E 5 Bytes  JMP 000D01F8
.text  C:\Windows\system32\DllHost.exe[3232] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Windows\system32\DllHost.exe[3232] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 000E0A08
.text  C:\Windows\system32\DllHost.exe[3232] USER32.dll!UnhookWinEvent  77B6B750 5 Bytes  JMP 000E03FC
.text  C:\Windows\system32\DllHost.exe[3232] USER32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  JMP 000E0804
.text  C:\Windows\system32\DllHost.exe[3232] USER32.dll!SetWinEventHook  77B724DC 5 Bytes  JMP 000E01F8
.text  C:\Windows\system32\DllHost.exe[3232] USER32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  JMP 000E0600
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3324] ntdll.dll!LdrUnloadDll  77C8C86E 5 Bytes  JMP 000E03FC
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3324] ntdll.dll!LdrLoadDll  77C9223E 5 Bytes  JMP 000E01F8
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3324] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3324] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 000F0A08
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3324] USER32.dll!UnhookWinEvent  77B6B750 5 Bytes  JMP 000F03FC
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3324] USER32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  JMP 000F0804
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3324] USER32.dll!SetWinEventHook  77B724DC 5 Bytes  JMP 000F01F8
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3324] USER32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  JMP 000F0600
.text  C:\Windows\system32\conhost.exe[3332] ntdll.dll!LdrUnloadDll  77C8C86E 5 Bytes  JMP 001B03FC
.text  C:\Windows\system32\conhost.exe[3332] ntdll.dll!LdrLoadDll  77C9223E 5 Bytes  JMP 001B01F8
.text  C:\Windows\system32\conhost.exe[3332] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Windows\system32\conhost.exe[3332] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 00210A08
.text  C:\Windows\system32\conhost.exe[3332] USER32.dll!UnhookWinEvent  77B6B750 5 Bytes  JMP 002103FC
.text  C:\Windows\system32\conhost.exe[3332] USER32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  JMP 00210804
.text  C:\Windows\system32\conhost.exe[3332] USER32.dll!SetWinEventHook  77B724DC 5 Bytes  JMP 002101F8
.text  C:\Windows\system32\conhost.exe[3332] USER32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  JMP 00210600
.text  C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe[3512] ntdll.dll!LdrUnloadDll  77C8C86E 5 Bytes  JMP 000703FC
.text  C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe[3512] ntdll.dll!LdrLoadDll  77C9223E 5 Bytes  JMP 000701F8
.text  C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe[3512] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe[3512] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 004B0A08
.text  C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe[3512] USER32.dll!UnhookWinEvent  77B6B750 5 Bytes  JMP 004B03FC
.text  C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe[3512] USER32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  JMP 004B0804
.text  C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe[3512] USER32.dll!SetWinEventHook  77B724DC 5 Bytes  JMP 004B01F8
.text  C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe[3512] USER32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  JMP 004B0600
.text  C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3524] ntdll.dll!LdrUnloadDll  77C8C86E 5 Bytes  JMP 001E03FC
.text  C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3524] ntdll.dll!LdrLoadDll  77C9223E 5 Bytes  JMP 001E01F8
.text  C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3524] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3524] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 002F0A08
.text  C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3524] USER32.dll!UnhookWinEvent  77B6B750 5 Bytes  JMP 002F03FC
.text  C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3524] USER32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  JMP 002F0804
.text  C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3524] USER32.dll!SetWinEventHook  77B724DC 5 Bytes  JMP 002F01F8
.text  C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3524] USER32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  JMP 002F0600
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[3532] kernel32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Program Files\Common Files\Java\Java Update\jusched.exe[3556] ntdll.dll!LdrUnloadDll  77C8C86E 5 Bytes  JMP 001F03FC
.text  C:\Program Files\Common Files\Java\Java Update\jusched.exe[3556] ntdll.dll!LdrLoadDll  77C9223E 5 Bytes  JMP 001F01F8
.text  C:\Program Files\Common Files\Java\Java Update\jusched.exe[3556] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Program Files\Common Files\Java\Java Update\jusched.exe[3556] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 00210A08
.text  C:\Program Files\Common Files\Java\Java Update\jusched.exe[3556] USER32.dll!UnhookWinEvent  77B6B750 5 Bytes  JMP 002103FC
.text  C:\Program Files\Common Files\Java\Java Update\jusched.exe[3556] USER32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  JMP 00210804
.text  C:\Program Files\Common Files\Java\Java Update\jusched.exe[3556] USER32.dll!SetWinEventHook  77B724DC 5 Bytes  JMP 002101F8
.text  C:\Program Files\Common Files\Java\Java Update\jusched.exe[3556] USER32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  JMP 00210600
.text  C:\Users\Patrycja\Documents\ZuneLauncher.exe[3564] ntdll.dll!LdrUnloadDll  77C8C86E 5 Bytes  JMP 000F03FC
.text  C:\Users\Patrycja\Documents\ZuneLauncher.exe[3564] ntdll.dll!LdrLoadDll  77C9223E 5 Bytes  JMP 000F01F8
.text  C:\Users\Patrycja\Documents\ZuneLauncher.exe[3564] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Users\Patrycja\Documents\ZuneLauncher.exe[3564] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 00110A08
.text  C:\Users\Patrycja\Documents\ZuneLauncher.exe[3564] USER32.dll!UnhookWinEvent  77B6B750 5 Bytes  JMP 001103FC
.text  C:\Users\Patrycja\Documents\ZuneLauncher.exe[3564] USER32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  JMP 00110804
.text  C:\Users\Patrycja\Documents\ZuneLauncher.exe[3564] USER32.dll!SetWinEventHook  77B724DC 5 Bytes  JMP 001101F8
.text  C:\Users\Patrycja\Documents\ZuneLauncher.exe[3564] USER32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  JMP 00110600
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3580] ntdll.dll!LdrUnloadDll  77C8C86E 5 Bytes  JMP 000E03FC
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3580] ntdll.dll!LdrLoadDll  77C9223E 5 Bytes  JMP 000E01F8
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3580] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3580] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 000F0A08
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3580] USER32.dll!UnhookWinEvent  77B6B750 5 Bytes  JMP 000F03FC
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3580] USER32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  JMP 000F0804
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3580] USER32.dll!SetWinEventHook  77B724DC 5 Bytes  JMP 000F01F8
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3580] USER32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  JMP 000F0600
.text  C:\Windows\System32\svchost.exe[3900] ntdll.dll!LdrUnloadDll  77C8C86E 5 Bytes  JMP 000703FC
.text  C:\Windows\System32\svchost.exe[3900] ntdll.dll!LdrLoadDll  77C9223E 5 Bytes  JMP 000701F8
.text  C:\Windows\System32\svchost.exe[3900] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Windows\System32\svchost.exe[3900] user32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 00090A08
.text  C:\Windows\System32\svchost.exe[3900] user32.dll!UnhookWinEvent  77B6B750 5 Bytes  JMP 000903FC
.text  C:\Windows\System32\svchost.exe[3900] user32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  JMP 00090804
.text  C:\Windows\System32\svchost.exe[3900] user32.dll!SetWinEventHook  77B724DC 5 Bytes  JMP 000901F8
.text  C:\Windows\System32\svchost.exe[3900] user32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  JMP 00090600
.text  C:\Windows\System32\svchost.exe[5216] ntdll.dll!LdrUnloadDll  77C8C86E 5 Bytes  JMP 000E03FC
.text  C:\Windows\System32\svchost.exe[5216] ntdll.dll!LdrLoadDll  77C9223E 5 Bytes  JMP 000E01F8
.text  C:\Windows\System32\svchost.exe[5216] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Windows\System32\svchost.exe[5216] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 00110A08
.text  C:\Windows\System32\svchost.exe[5216] USER32.dll!UnhookWinEvent  77B6B750 5 Bytes  JMP 001103FC
.text  C:\Windows\System32\svchost.exe[5216] USER32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  JMP 00110804
.text  C:\Windows\System32\svchost.exe[5216] USER32.dll!SetWinEventHook  77B724DC 5 Bytes  JMP 001101F8
.text  C:\Windows\System32\svchost.exe[5216] USER32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  JMP 00110600
.text  C:\Windows\system32\wuauclt.exe[5664] ntdll.dll!LdrUnloadDll  77C8C86E 5 Bytes  JMP 000803FC
.text  C:\Windows\system32\wuauclt.exe[5664] ntdll.dll!LdrLoadDll  77C9223E 5 Bytes  JMP 000801F8
.text  C:\Windows\system32\wuauclt.exe[5664] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
.text  C:\Windows\system32\wuauclt.exe[5664] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 00090A08
.text  C:\Windows\system32\wuauclt.exe[5664] USER32.dll!UnhookWinEvent  77B6B750 5 Bytes  JMP 000903FC
.text  C:\Windows\system32\wuauclt.exe[5664] USER32.dll!SetWindowsHookExW  77B6E30C 5 Bytes  JMP 00090804
.text  C:\Windows\system32\wuauclt.exe[5664] USER32.dll!SetWinEventHook  77B724DC 5 Bytes  JMP 000901F8
.text  C:\Windows\system32\wuauclt.exe[5664] USER32.dll!SetWindowsHookExA  77B96D0C 5 Bytes  JMP 00090600

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1400] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW]  [73960790] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1948] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress]  [75BAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1948] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]  [75BAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1948] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]  [75BAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1948] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]  [75BAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1948] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]  [75BAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1948] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress]  [75BAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Windows\system32\rundll32.exe[2012] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]  [75BAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Windows\system32\rundll32.exe[2012] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]  [75BAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Windows\system32\rundll32.exe[2012] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]  [75BAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Windows\system32\rundll32.exe[2012] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]  [75BAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Windows\System32\rundll32.exe[3180] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]  [75BAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Windows\System32\rundll32.exe[3180] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]  [75BAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Windows\System32\rundll32.exe[3180] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]  [75BAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Windows\System32\rundll32.exe[3180] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]  [75BAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Program Files\AVAST Software\Avast\AvastUI.exe[3532] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW]  [73960790] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT  C:\Users\Patrycja\Documents\ZuneLauncher.exe[3564] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]  [75BAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Users\Patrycja\Documents\ZuneLauncher.exe[3564] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]  [75BAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Users\Patrycja\Documents\ZuneLauncher.exe[3564] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]  [75BAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Users\Patrycja\Documents\ZuneLauncher.exe[3564] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]  [75BAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 2.1 ----

Device  \FileSystem\Ntfs \Ntfs  aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice  \Driver\tdx \Device\Tcp  aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice  \Driver\tdx \Device\Udp  aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272b00026
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272b00026 (not active ControlSet)

---- EOF - GMER 2.1 ----
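The scan above is raw GMER output with no commentary, so here is an added example (my own code, not part of GMER or of the original post) of how an analyst can triage a log in this format offline. The script parses the SSDT rows and the inline-hook rows, decodes the `E9 xx xx xx xx` patches that the kernel-section listing shows for user32.dll and sechost.dll into their real relative-jump destinations (GMER's brace disassembly evaluates the displacement as if the patched code sat at address 0, which is why it prints `{JMP 0x887a5c0f}`; the correct target for the UnhookWindowsHookEx patch is 0x00310A08, the same trampoline the per-process row for t0x0fwed.exe[2908] lists), separates hooks GMER attributed to a driver from those with no owner, and groups per-process hooks that land at the same page offset. The sample rows are copied from the scan; the regexes, the column layout they assume and the helper names are my assumptions, not a documented GMER format.

```python
"""Triage helper for GMER 2.1 text logs.

Added example; not GMER's code and not from the original scan post. The column
layout the regexes assume (two-space separated fields, "JMP <hex>" or a byte
list followed by GMER's own disassembly in braces) is inferred from the log
above and is an assumption, not a documented format.
"""
import re
from collections import defaultdict

# Constructed sample: seven rows copied from the scan above, one entry per line.
SAMPLE_LOG = r"""
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenProcess [0x910A5E78]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwTerminateProcess [0x9478B8EA]
PAGE  ntkrnlpa.exe!ObInsertObject + 27  83029380 5 Bytes  JMP 947A37CC \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text  user32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  [E9, 0A, 5C, 7A, 88] {JMP 0x887a5c0f}
.text  C:\Users\Daniel\Desktop\t0x0fwed.exe[2908] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 00310A08
.text  C:\Windows\system32\taskhost.exe[2920] USER32.dll!UnhookWindowsHookEx  77B6ADF9 5 Bytes  JMP 000E0A08
.text  C:\Windows\system32\taskhost.exe[2920] KERNEL32.dll!GetBinaryTypeW + 70  769E69F4 1 Byte  [62]
"""

SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+) \((?P<desc>[^)]*)\)\s+(?P<func>\w+) \[0x(?P<addr>[0-9A-Fa-f]+)\]")
INLINE_RE = re.compile(
    r"^(?P<section>\.text|PAGE|INIT)\s+(?:(?P<proc>.+?\[\d+\]) )?"
    r"(?P<sym>\S+?!\S+(?: \+ [0-9A-Fa-f]+)?)\s+(?P<addr>[0-9A-Fa-f]{8}) (?P<n>\d+) Bytes?\s+(?P<rest>.*)$")
FLOW_RE = re.compile(
    r"^(?P<kind>JMP|CALL) (?P<target>[0-9A-Fa-f]{8})(?: (?P<owner>\S+) \((?P<desc>[^)]*)\))?")
BYTES_RE = re.compile(r"^\[(?P<bytes>[0-9A-Fa-f]{2}(?:, [0-9A-Fa-f]{2})*)(?:, \.\.\.)?\]")


def rel32_target(addr, patch):
    """Absolute 32-bit destination of an E9 (JMP rel32) / E8 (CALL rel32) patch at addr.

    GMER's brace disassembly evaluates the displacement as if the code sat at
    address 0 (hence {JMP 0x887a5c0f}); the real target is addr + 5 + rel32.
    """
    if len(patch) < 5 or patch[0] not in (0xE8, 0xE9):
        return None
    rel = int.from_bytes(patch[1:5], "little", signed=True)
    return (addr + 5 + rel) & 0xFFFFFFFF


def parse_log(text):
    """Return ({driver: [hooked Zw* names]}, [inline-hook records])."""
    ssdt = defaultdict(list)
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            ssdt[m["module"]].append(m["func"])
            continue
        m = INLINE_RE.match(line)
        if not m:
            continue  # Code/IAT/Device/Reg rows are not handled here
        rec = {"scope": m["proc"] or "kernel", "symbol": m["sym"],
               "addr": int(m["addr"], 16), "size": int(m["n"]),
               "kind": "patch", "target": None, "owner": None}
        flow, raw = FLOW_RE.match(m["rest"]), BYTES_RE.match(m["rest"])
        if flow:  # GMER already resolved the destination (and maybe its owning module)
            rec.update(kind=flow["kind"], target=int(flow["target"], 16), owner=flow["owner"])
        elif raw:  # only the patched bytes are shown: resolve rel32 ourselves
            patch = bytes.fromhex(raw["bytes"].replace(", ", ""))
            target = rel32_target(rec["addr"], patch)
            if target is not None:
                rec.update(kind="JMP" if patch[0] == 0xE9 else "CALL", target=target)
        hooks.append(rec)
    return dict(ssdt), hooks


def triage(text):
    """Split hooks into driver-attributed and unattributed, and spot shared trampoline layouts."""
    ssdt, hooks = parse_log(text)
    unattributed = [h for h in hooks if h["target"] is not None and h["owner"] is None]
    # The same export hooked at the same page offset in several processes points
    # at one injector laying out identical trampolines everywhere, not a per-target implant.
    layout = defaultdict(set)
    for h in hooks:
        if h["scope"] != "kernel" and h["target"] is not None:
            layout[(h["symbol"].lower(), h["target"] & 0xFFF)].add(h["scope"])
    shared = {k: sorted(v) for k, v in layout.items() if len(v) > 1}
    return {"ssdt": ssdt, "hooks": hooks, "unattributed": unattributed, "shared_layout": shared}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for drv, funcs in report["ssdt"].items():
        print(f"SSDT {drv}: {', '.join(funcs)}")
    for h in report["unattributed"]:
        print(f"unattributed {h['kind']} {h['symbol']} -> {h['target']:08X} in {h['scope']}")
    for (sym, off), procs in report["shared_layout"].items():
        print(f"{sym} hooked at page offset {off:03X} in {len(procs)} processes")
```

Run against the full scan, every kernel-side hook comes back attributed to aswSnx.SYS or aswSP.SYS, and the per-process rows share one layout (page offsets 0xA08, 0x3FC, 0x804, 0x1F8, 0x600 for the five user32.dll exports and 0x3FC, 0x1F8 for the two ntdll.dll loader exports) in every process GMER enumerated. That is the pattern of one product injecting the same trampolines everywhere rather than a targeted implant, but the script cannot prove it: the user-mode targets carry no module name in the log, so confirming them still means mapping each target address to a loaded module inside that process (a debugger or Process Explorer view of the live process, or a memory image) before the scan is declared clean.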