GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-08-19 22:23:32 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9320320AS rev.0303 298,09GB Running: gmer.exe; Driver: C:\DOCUME~1\Admin-\USTAWI~1\Temp\axtdrpog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xAA67C610] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xAA7305FA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xAA67D0E6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xAA6C0B36] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xAA688F18] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xAA688F64] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xAA6890FE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xAA6C04EA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xAA688E86] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xAA688FA8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xAA688ECE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0xAA67D5E4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xAA6890B8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0xAA67DE9C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xAA67C676] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xAA6C11FC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xAA6C14B2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xAA681596] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAA6C1067] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAA6C0ED2] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xAA7306C2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xAA67C25E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xAA67C6DC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xAA68198C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xAA67E92C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xAA688F42] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xAA688F86] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xAA689122] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xAA6C0846] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xAA688EAC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xAA680E78] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xAA689036] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xAA688EF6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xAA68126E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xAA6890DC] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xAA730822] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xAA6C0D4D] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xAA67E7F8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xAA6C0B9F] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0xAA67E34E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xAA73D744] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xAA6BFB30] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xAA67C742] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xAA67C7A8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0xAA67DD16] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xAA67C2F8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xAA67C4CE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xAA6C1303] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xAA67C45C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0xAA67E066] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0xAA67E1C8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xAA67C556] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateProcess [0xAA67DB54] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0xAA67DCF6] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0xAA72EC42] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xAA67C80E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwWriteVirtualMemory [0xAA67D142] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAA749E00] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2D2C 80504614 4 Bytes JMP B0AA6C04 .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [42, C7, 67, AA, A8, C7, 67, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [66, E0, 67, AA, C8, E1, 67, ...] {LOOPNZ 0x6a; STOSB ; ENTER 0x67e1, 0xaa; PUSH ESI; LDS ESP, [EDI-0x56]} PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL AA67EFD9 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC58A 5 Bytes JMP AA746C9A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObInsertObject 805C300E 5 Bytes JMP AA7487B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D11CA 7 Bytes JMP AA749E04 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB7B55000, 0x189F82, 0xE8000020] .text win32k.sys!EngFreeUserMem + 674 BF809980 1 Byte [E9] .text win32k.sys!EngFreeUserMem + 674 BF809980 5 Bytes JMP AA683284 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngFreeUserMem + 35D0 BF80C8DC 5 Bytes JMP AA683162 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngDeleteSurface + 45 BF8139A7 5 Bytes JMP AA683116 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!BRUSHOBJ_pvAllocRbrush + 322E BF81E654 5 Bytes JMP AA681BF4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngMulDiv + 197D BF820D61 5 Bytes JMP AA6826EC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngPaint + 11A6 BF82D57B 5 Bytes JMP AA681D54 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngLockSurface + C09 BF82E6F9 5 Bytes JMP AA6833FA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!CLIPOBJ_bEnum + 2E84 BF83908A 5 Bytes JMP AA683614 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!CLIPOBJ_bEnum + B8EC BF841AF2 5 Bytes JMP AA68300A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!CLIPOBJ_bEnum + E0A8 BF8442AE 5 Bytes JMP AA6826CE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!CLIPOBJ_bEnum + F624 BF84582A 5 Bytes JMP AA681DF4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XLATEOBJ_iXlate + 290F BF86C704 5 Bytes JMP AA6827C4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XLATEOBJ_iXlate + 4BED BF86E9E2 5 Bytes JMP AA68222C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XLATEOBJ_iXlate + 4C78 BF86EA6D 5 Bytes JMP AA682508 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XLATEOBJ_iXlate + 584E BF86F643 5 Bytes JMP AA681AD8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XLATEOBJ_iXlate + AC2C BF874A21 5 Bytes JMP AA6831B2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngUnicodeToMultiByteN + 67E3 BF87BC40 5 Bytes JMP AA68333C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGetCurrentCodePage + 35E9 BF897CE9 5 Bytes JMP AA6822F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGetCurrentCodePage + 4126 BF898826 5 Bytes JMP AA6824C2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGetLastError + 1606 BF8B590C 5 Bytes JMP AA6827E2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGradientFill + 2862 BF8B902A 5 Bytes JMP AA68356C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngAlphaBlend + 35C2 BF8C1C5F 5 Bytes JMP AA681F24 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngDeleteSemaphore + A58C BF8EB1E4 5 Bytes JMP AA68270A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_bCloseFigure + 19EF BF8EFCA5 5 Bytes JMP AA6819C2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_bCloseFigure + 3BBE BF8F1E74 5 Bytes JMP AA682008 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_bCloseFigure + 3E3E BF8F20F4 5 Bytes JMP AA682150 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 1A3E BF91480E 5 Bytes JMP AA681CDC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 1CEA BF914ABA 5 Bytes JMP AA68288C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 2612 BF9153E2 5 Bytes JMP AA681EBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 4F93 BF917D63 5 Bytes JMP AA682628 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngPlgBlt + 1943 BF948240 5 Bytes JMP AA6834BE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\HPSIsvc.exe[168] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\HPSIsvc.exe[168] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[508] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[508] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[520] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[520] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[536] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[536] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[572] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[616] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[616] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[684] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[684] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[932] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[1028] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[1028] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[1068] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[1068] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1120] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1120] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1132] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1132] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1312] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1312] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1464] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1504] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1504] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1532] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1532] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1560] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1560] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1596] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1596] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1616] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1616] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1780] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1780] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Wireless Console 2\wcourier.exe[1864] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003E01F8 .text C:\Program Files\Wireless Console 2\wcourier.exe[1864] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Wireless Console 2\wcourier.exe[1864] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003E03FC .text C:\Program Files\Wireless Console 2\wcourier.exe[1864] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Wireless Console 2\wcourier.exe[1864] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 003F1014 .text C:\Program Files\Wireless Console 2\wcourier.exe[1864] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 003F0804 .text C:\Program Files\Wireless Console 2\wcourier.exe[1864] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 003F0A08 .text C:\Program Files\Wireless Console 2\wcourier.exe[1864] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 003F0C0C .text C:\Program Files\Wireless Console 2\wcourier.exe[1864] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 003F0E10 .text C:\Program Files\Wireless Console 2\wcourier.exe[1864] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003F01F8 .text C:\Program Files\Wireless Console 2\wcourier.exe[1864] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003F03FC .text C:\Program Files\Wireless Console 2\wcourier.exe[1864] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 003F0600 .text C:\Program Files\Wireless Console 2\wcourier.exe[1864] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00500804 .text C:\Program Files\Wireless Console 2\wcourier.exe[1864] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00500A08 .text C:\Program Files\Wireless Console 2\wcourier.exe[1864] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00500600 .text C:\Program Files\Wireless Console 2\wcourier.exe[1864] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 005001F8 .text C:\Program Files\Wireless Console 2\wcourier.exe[1864] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 005003FC .text C:\WINDOWS\system32\svchost.exe[1904] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe[1928] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe[1928] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1964] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003E01F8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1964] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1964] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003E03FC .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1964] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1964] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 003F1014 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1964] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 003F0804 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1964] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 003F0A08 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1964] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 003F0C0C .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1964] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 003F0E10 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1964] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003F01F8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1964] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003F03FC .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1964] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 003F0600 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1964] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 004D0804 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1964] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 004D0A08 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1964] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 004D0600 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1964] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 004D01F8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1964] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 004D03FC .text C:\WINDOWS\system32\svchost.exe[2008] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[2028] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[2028] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Documents and Settings\Admin-\Pulpit\gmer.exe[2376] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003E01F8 .text C:\Documents and Settings\Admin-\Pulpit\gmer.exe[2376] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\Admin-\Pulpit\gmer.exe[2376] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003E03FC .text C:\Documents and Settings\Admin-\Pulpit\gmer.exe[2376] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Documents and Settings\Admin-\Pulpit\gmer.exe[2376] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 003F1014 .text C:\Documents and Settings\Admin-\Pulpit\gmer.exe[2376] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 003F0804 .text C:\Documents and Settings\Admin-\Pulpit\gmer.exe[2376] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 003F0A08 .text C:\Documents and Settings\Admin-\Pulpit\gmer.exe[2376] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 003F0C0C .text C:\Documents and Settings\Admin-\Pulpit\gmer.exe[2376] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 003F0E10 .text C:\Documents and Settings\Admin-\Pulpit\gmer.exe[2376] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003F01F8 .text C:\Documents and Settings\Admin-\Pulpit\gmer.exe[2376] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003F03FC .text C:\Documents and Settings\Admin-\Pulpit\gmer.exe[2376] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 003F0600 .text C:\Documents and Settings\Admin-\Pulpit\gmer.exe[2376] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 004E0804 .text C:\Documents and Settings\Admin-\Pulpit\gmer.exe[2376] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 004E0A08 .text C:\Documents and Settings\Admin-\Pulpit\gmer.exe[2376] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 004E0600 .text C:\Documents and Settings\Admin-\Pulpit\gmer.exe[2376] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 004E01F8 .text C:\Documents and Settings\Admin-\Pulpit\gmer.exe[2376] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 004E03FC .text C:\WINDOWS\system32\wuauclt.exe[2680] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003201F8 .text C:\WINDOWS\system32\wuauclt.exe[2680] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wuauclt.exe[2680] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003203FC .text C:\WINDOWS\system32\wuauclt.exe[2680] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\wuauclt.exe[2680] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00331014 .text C:\WINDOWS\system32\wuauclt.exe[2680] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00330804 .text C:\WINDOWS\system32\wuauclt.exe[2680] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00330A08 .text C:\WINDOWS\system32\wuauclt.exe[2680] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00330C0C .text C:\WINDOWS\system32\wuauclt.exe[2680] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00330E10 .text C:\WINDOWS\system32\wuauclt.exe[2680] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003301F8 .text C:\WINDOWS\system32\wuauclt.exe[2680] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003303FC .text C:\WINDOWS\system32\wuauclt.exe[2680] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00330600 .text C:\WINDOWS\system32\wuauclt.exe[2680] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00340804 .text C:\WINDOWS\system32\wuauclt.exe[2680] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00340A08 .text C:\WINDOWS\system32\wuauclt.exe[2680] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00340600 .text C:\WINDOWS\system32\wuauclt.exe[2680] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003401F8 .text C:\WINDOWS\system32\wuauclt.exe[2680] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003403FC .text C:\Program Files\ASUS\ATK Hotkey\WDC.exe[2696] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003E01F8 .text C:\Program Files\ASUS\ATK Hotkey\WDC.exe[2696] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\ASUS\ATK Hotkey\WDC.exe[2696] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003E03FC .text C:\Program Files\ASUS\ATK Hotkey\WDC.exe[2696] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\ASUS\ATK Hotkey\WDC.exe[2696] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003F0804 .text C:\Program Files\ASUS\ATK Hotkey\WDC.exe[2696] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003F0A08 .text C:\Program Files\ASUS\ATK Hotkey\WDC.exe[2696] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003F0600 .text C:\Program Files\ASUS\ATK Hotkey\WDC.exe[2696] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003F01F8 .text C:\Program Files\ASUS\ATK Hotkey\WDC.exe[2696] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003F03FC .text C:\Program Files\ASUS\ATK Hotkey\WDC.exe[2696] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00431014 .text C:\Program Files\ASUS\ATK Hotkey\WDC.exe[2696] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00430804 .text C:\Program Files\ASUS\ATK Hotkey\WDC.exe[2696] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00430A08 .text C:\Program Files\ASUS\ATK Hotkey\WDC.exe[2696] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00430C0C .text C:\Program Files\ASUS\ATK Hotkey\WDC.exe[2696] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00430E10 .text C:\Program Files\ASUS\ATK Hotkey\WDC.exe[2696] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 004301F8 .text C:\Program Files\ASUS\ATK Hotkey\WDC.exe[2696] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 004303FC .text C:\Program Files\ASUS\ATK Hotkey\WDC.exe[2696] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00430600 .text C:\WINDOWS\System32\alg.exe[2744] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2744] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe[2916] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003E01F8 .text C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe[2916] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe[2916] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003E03FC .text C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe[2916] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe[2916] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003F0804 .text C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe[2916] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003F0A08 .text C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe[2916] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003F0600 .text C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe[2916] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003F01F8 .text C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe[2916] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003F03FC .text C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe[2916] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00031014 .text C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe[2916] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00030804 .text C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe[2916] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00030A08 .text C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe[2916] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00030C0C .text C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe[2916] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00030E10 .text C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe[2916] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 000301F8 .text C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe[2916] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 000303FC .text C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe[2916] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00030600 .text C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe[3968] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003E01F8 .text C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe[3968] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe[3968] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003E03FC .text C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe[3968] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe[3968] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003F0804 .text C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe[3968] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003F0A08 .text C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe[3968] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003F0600 .text C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe[3968] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003F01F8 .text C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe[3968] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003F03FC .text C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe[3968] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00BC1014 .text C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe[3968] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00BC0804 .text C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe[3968] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00BC0A08 .text C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe[3968] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00BC0C0C .text C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe[3968] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00BC0E10 .text C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe[3968] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 00BC01F8 .text C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe[3968] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00BC03FC .text C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe[3968] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00BC0600 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3976] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003D01F8 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3976] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3976] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003D03FC .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3976] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3976] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003E0804 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3976] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003E0A08 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3976] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003E0600 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3976] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003E01F8 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3976] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003E03FC .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3976] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 003F1014 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3976] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 003F0804 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3976] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 003F0A08 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3976] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 003F0C0C .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3976] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 003F0E10 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3976] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003F01F8 .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3976] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003F03FC .text C:\Program Files\ASUS\ATK Media\DMedia.exe[3976] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 003F0600 .text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[4020] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003E01F8 .text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[4020] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[4020] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003E03FC .text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[4020] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[4020] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003F0804 .text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[4020] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003F0A08 .text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[4020] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003F0600 .text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[4020] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003F01F8 .text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[4020] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003F03FC .text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[4020] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00421014 .text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[4020] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00420804 .text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[4020] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00420A08 .text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[4020] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00420C0C .text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[4020] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00420E10 .text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[4020] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 004201F8 .text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[4020] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 004203FC .text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[4020] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00420600 .text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[4028] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003E01F8 .text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[4028] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[4028] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003E03FC .text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[4028] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[4028] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003F0804 .text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[4028] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003F0A08 .text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[4028] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003F0600 .text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[4028] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003F01F8 .text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[4028] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003F03FC .text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[4028] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00421014 .text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[4028] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00420804 .text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[4028] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00420A08 .text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[4028] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00420C0C .text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[4028] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00420E10 .text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[4028] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 004201F8 .text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[4028] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 004203FC .text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[4028] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00420600 .text C:\WINDOWS\System32\svchost.exe[4040] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003101F8 .text C:\WINDOWS\System32\svchost.exe[4040] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[4040] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003103FC .text C:\WINDOWS\System32\svchost.exe[4040] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[4040] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00321014 .text C:\WINDOWS\System32\svchost.exe[4040] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00320804 .text C:\WINDOWS\System32\svchost.exe[4040] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00320A08 .text C:\WINDOWS\System32\svchost.exe[4040] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00320C0C .text C:\WINDOWS\System32\svchost.exe[4040] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00320E10 .text C:\WINDOWS\System32\svchost.exe[4040] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003201F8 .text C:\WINDOWS\System32\svchost.exe[4040] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003203FC .text C:\WINDOWS\System32\svchost.exe[4040] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00320600 .text C:\WINDOWS\System32\svchost.exe[4040] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00470804 .text C:\WINDOWS\System32\svchost.exe[4040] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00470A08 .text C:\WINDOWS\System32\svchost.exe[4040] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00470600 .text C:\WINDOWS\System32\svchost.exe[4040] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 004701F8 .text C:\WINDOWS\System32\svchost.exe[4040] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 004703FC .text C:\Program Files\ASUS\ATK Hotkey\HControl.exe[4064] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003E01F8 .text C:\Program Files\ASUS\ATK Hotkey\HControl.exe[4064] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\ASUS\ATK Hotkey\HControl.exe[4064] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003E03FC .text C:\Program Files\ASUS\ATK Hotkey\HControl.exe[4064] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\ASUS\ATK Hotkey\HControl.exe[4064] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003F0804 .text C:\Program Files\ASUS\ATK Hotkey\HControl.exe[4064] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003F0A08 .text C:\Program Files\ASUS\ATK Hotkey\HControl.exe[4064] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003F0600 .text C:\Program Files\ASUS\ATK Hotkey\HControl.exe[4064] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003F01F8 .text C:\Program Files\ASUS\ATK Hotkey\HControl.exe[4064] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003F03FC .text C:\Program Files\ASUS\ATK Hotkey\HControl.exe[4064] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00431014 .text C:\Program Files\ASUS\ATK Hotkey\HControl.exe[4064] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00430804 .text C:\Program Files\ASUS\ATK Hotkey\HControl.exe[4064] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00430A08 .text C:\Program Files\ASUS\ATK Hotkey\HControl.exe[4064] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00430C0C .text C:\Program Files\ASUS\ATK Hotkey\HControl.exe[4064] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00430E10 .text C:\Program Files\ASUS\ATK Hotkey\HControl.exe[4064] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 004301F8 .text C:\Program Files\ASUS\ATK Hotkey\HControl.exe[4064] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 004303FC .text C:\Program Files\ASUS\ATK Hotkey\HControl.exe[4064] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00430600 .text C:\Program Files\Alwil Software\Avast5\avastUI.exe[4072] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Alwil Software\Avast5\avastUI.exe[4072] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[536] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C90790] C:\Program Files\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\WINDOWS\system32\services.exe[1120] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[1120] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 IAT C:\Program Files\Alwil Software\Avast5\avastUI.exe[4072] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C90790] C:\Program Files\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software) ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 13734 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@DhcpNameServer 192.168.1.1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D2901D9-D5C8-41FB-B39A-FC864010B551}@DhcpServer 192.168.1.1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D2901D9-D5C8-41FB-B39A-FC864010B551}@Lease 7200 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D2901D9-D5C8-41FB-B39A-FC864010B551}@LeaseObtainedTime 1376938238 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D2901D9-D5C8-41FB-B39A-FC864010B551}@T1 1376941838 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D2901D9-D5C8-41FB-B39A-FC864010B551}@T2 1376944538 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D2901D9-D5C8-41FB-B39A-FC864010B551}@LeaseTerminatesTime 1376945438 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D2901D9-D5C8-41FB-B39A-FC864010B551}@DhcpIPAddress 192.168.1.100 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D2901D9-D5C8-41FB-B39A-FC864010B551}@DhcpSubnetMask 255.255.255.0 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D2901D9-D5C8-41FB-B39A-FC864010B551}@DhcpRetryTime 3595 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D2901D9-D5C8-41FB-B39A-FC864010B551}@DhcpRetryStatus 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D2901D9-D5C8-41FB-B39A-FC864010B551}@DhcpNameServer 192.168.1.1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D2901D9-D5C8-41FB-B39A-FC864010B551}@DhcpDefaultGateway 192.168.1.1? Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D2901D9-D5C8-41FB-B39A-FC864010B551}@DhcpSubnetMaskOpt 255.255.255.0? Reg HKLM\SYSTEM\CurrentControlSet\Services\{5D2901D9-D5C8-41FB-B39A-FC864010B551}\Parameters\Tcpip@DhcpIPAddress 192.168.1.100 Reg HKLM\SYSTEM\CurrentControlSet\Services\{5D2901D9-D5C8-41FB-B39A-FC864010B551}\Parameters\Tcpip@DhcpSubnetMask 255.255.255.0 Reg HKLM\SYSTEM\CurrentControlSet\Services\{5D2901D9-D5C8-41FB-B39A-FC864010B551}\Parameters\Tcpip@DhcpServer 192.168.1.1 Reg HKLM\SYSTEM\CurrentControlSet\Services\{5D2901D9-D5C8-41FB-B39A-FC864010B551}\Parameters\Tcpip@Lease 7200 Reg HKLM\SYSTEM\CurrentControlSet\Services\{5D2901D9-D5C8-41FB-B39A-FC864010B551}\Parameters\Tcpip@LeaseObtainedTime 1376938238 Reg HKLM\SYSTEM\CurrentControlSet\Services\{5D2901D9-D5C8-41FB-B39A-FC864010B551}\Parameters\Tcpip@T1 1376941838 Reg HKLM\SYSTEM\CurrentControlSet\Services\{5D2901D9-D5C8-41FB-B39A-FC864010B551}\Parameters\Tcpip@T2 1376944538 Reg HKLM\SYSTEM\CurrentControlSet\Services\{5D2901D9-D5C8-41FB-B39A-FC864010B551}\Parameters\Tcpip@LeaseTerminatesTime 1376945438 Reg HKLM\SYSTEM\CurrentControlSet\Services\{5D2901D9-D5C8-41FB-B39A-FC864010B551}\Parameters\Tcpip@DhcpDefaultGateway 192.168.1.1? Reg HKLM\SYSTEM\CurrentControlSet\Services\{5D2901D9-D5C8-41FB-B39A-FC864010B551}\Parameters\Tcpip@DhcpSubnetMaskOpt 255.255.255.0? ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----