GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-09-18 13:41:23 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-3 OCZ-AGILITY3 rev.2.15 55,90GB Running: bvvqwg94.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\services.exe[644] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[676] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[820] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[920] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074bba322 1 byte [62] .text C:\Windows\System32\svchost.exe[276] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[392] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[532] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 
1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\Explorer.EXE[1564] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1752] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074bba322 1 byte [62] .text C:\Windows\SysWOW64\ASGT.exe[1916] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074bba322 1 byte [62] .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076eafab0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076eafb48 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076eafca0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076eb0028 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076eb1910 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076ecc43a 5 bytes JMP 00000001000301f8 
.text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076ed11d7 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000074bba322 1 byte [62] .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074af5181 5 bytes JMP 00000001001d1014 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074af5254 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074af53d5 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074af54c2 5 bytes JMP 00000001001d0c0c .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074af55e2 5 bytes JMP 00000001001d0e10 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074af567c 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074af589f 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074af5a22 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007664ee09 5 bytes JMP 00000001001e01f8 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076653982 5 bytes JMP 00000001001e03fc .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] 
C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076657603 5 bytes JMP 00000001001e0804 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007665835c 5 bytes JMP 00000001001e0600 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007666f52b 5 bytes JMP 00000001001e0a08 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000755c1465 2 bytes [5C, 75] .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[2364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755c14bb 2 bytes [5C, 75] .text ... * 2 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076cd3ae0 5 bytes JMP 000000010044075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076cd7a90 5 bytes JMP 00000001004403a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d01490 5 bytes JMP 0000000100440b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d014f0 5 bytes JMP 0000000100440ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d015d0 5 bytes JMP 000000010044163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d01810 5 bytes JMP 0000000100441284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d02840 5 bytes JMP 00000001004419f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2660] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program 
Files\Realtek\Audio\HDA\RAVCpl64.exe[2660] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe476e00 5 bytes JMP 000007ff7e491dac .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2660] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe476f2c 5 bytes JMP 000007ff7e490ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2660] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe477220 5 bytes JMP 000007ff7e491284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2660] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe47739c 5 bytes JMP 000007ff7e49163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2660] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe477538 5 bytes JMP 000007ff7e4919f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2660] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4775e8 5 bytes JMP 000007ff7e4903a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2660] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe47790c 5 bytes JMP 000007ff7e49075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2660] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe477ab4 5 bytes JMP 000007ff7e490b14 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076eafab0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076eafb48 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076eafca0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076eb0028 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common 
Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076eb1910 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076ecc43a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076ed11d7 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000074bba322 1 byte [62] .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007664ee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076653982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076657603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007665835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007666f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074af5181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074af5254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074af53d5 5 bytes JMP 
0000000100250a08 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074af54c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074af55e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074af567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074af589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2668] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074af5a22 5 bytes JMP 0000000100250600 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2796] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074bba322 1 byte [62] .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076eafab0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076eafb48 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076eafca0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076eb0028 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076eb1910 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] 
C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076ecc43a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076ed11d7 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000074bba322 1 byte [62] .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007664ee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076653982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076657603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007665835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007666f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074af5181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074af5254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074af53d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074af54c2 5 bytes JMP 
0000000100250c0c .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074af55e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074af567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074af589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe[2916] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074af5a22 5 bytes JMP 0000000100250600 .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076cd3ae0 5 bytes JMP 000000010038075c .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076cd7a90 5 bytes JMP 00000001003803a4 .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d01490 5 bytes JMP 0000000100380b14 .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d014f0 5 bytes JMP 0000000100380ecc .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d015d0 5 bytes JMP 000000010038163c .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d01810 5 bytes JMP 0000000100381284 .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d02840 5 bytes JMP 00000001003819f4 .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe476e00 5 bytes JMP 000007ff7e491dac .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe476f2c 5 bytes JMP 000007ff7e490ecc .text 
C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe477220 5 bytes JMP 000007ff7e491284 .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe47739c 5 bytes JMP 000007ff7e49163c .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe477538 5 bytes JMP 000007ff7e4919f4 .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4775e8 5 bytes JMP 000007ff7e4903a4 .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe47790c 5 bytes JMP 000007ff7e49075c .text C:\Windows\system32\svchost.exe[2596] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe477ab4 5 bytes JMP 000007ff7e490b14 .text C:\Windows\system32\SearchIndexer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076cd3ae0 5 bytes JMP 00000001001c075c .text C:\Windows\system32\SearchIndexer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076cd7a90 5 bytes JMP 00000001001c03a4 .text C:\Windows\system32\SearchIndexer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d01490 5 bytes JMP 00000001001c0b14 .text C:\Windows\system32\SearchIndexer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d014f0 5 bytes JMP 00000001001c0ecc .text C:\Windows\system32\SearchIndexer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d015d0 5 bytes JMP 00000001001c163c .text C:\Windows\system32\SearchIndexer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d01810 5 bytes JMP 00000001001c1284 .text C:\Windows\system32\SearchIndexer.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d02840 5 bytes JMP 00000001001c19f4 .text C:\Windows\system32\SearchIndexer.exe[3124] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text 
C:\Windows\system32\SearchIndexer.exe[3124] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe476e00 5 bytes JMP 000007ff7e491dac .text C:\Windows\system32\SearchIndexer.exe[3124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe476f2c 5 bytes JMP 000007ff7e490ecc .text C:\Windows\system32\SearchIndexer.exe[3124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe477220 5 bytes JMP 000007ff7e491284 .text C:\Windows\system32\SearchIndexer.exe[3124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe47739c 5 bytes JMP 000007ff7e49163c .text C:\Windows\system32\SearchIndexer.exe[3124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe477538 5 bytes JMP 000007ff7e4919f4 .text C:\Windows\system32\SearchIndexer.exe[3124] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4775e8 5 bytes JMP 000007ff7e4903a4 .text C:\Windows\system32\SearchIndexer.exe[3124] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe47790c 5 bytes JMP 000007ff7e49075c .text C:\Windows\system32\SearchIndexer.exe[3124] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe477ab4 5 bytes JMP 000007ff7e490b14 .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076eafab0 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076eafb48 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076eafca0 5 bytes JMP 0000000100090c0c .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076eb0028 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076eb1910 5 bytes JMP 0000000100090e10 .text C:\Program Files 
(x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076ecc43a 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076ed11d7 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000074bba322 1 byte [62] .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074af5181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074af5254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074af53d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074af54c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074af55e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074af567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074af589f 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074af5a22 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007664ee09 5 bytes JMP 00000001000b01f8 .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076653982 5 bytes JMP 
00000001000b03fc .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076657603 5 bytes JMP 00000001000b0804 .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007665835c 5 bytes JMP 00000001000b0600 .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[3308] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007666f52b 5 bytes JMP 00000001000b0a08 .text C:\Windows\System32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076cd3ae0 5 bytes JMP 00000001001d075c .text C:\Windows\System32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076cd7a90 5 bytes JMP 00000001001d03a4 .text C:\Windows\System32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d01490 5 bytes JMP 00000001001d0b14 .text C:\Windows\System32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d014f0 5 bytes JMP 00000001001d0ecc .text C:\Windows\System32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d015d0 5 bytes JMP 00000001001d163c .text C:\Windows\System32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d01810 5 bytes JMP 00000001001d1284 .text C:\Windows\System32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d02840 5 bytes JMP 00000001001d19f4 .text C:\Windows\System32\svchost.exe[3712] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe476e00 5 bytes JMP 000007ff7e491dac .text C:\Windows\System32\svchost.exe[3712] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe476f2c 5 bytes JMP 000007ff7e490ecc .text C:\Windows\System32\svchost.exe[3712] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe477220 5 bytes JMP 000007ff7e491284 .text C:\Windows\System32\svchost.exe[3712] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 
000007fefe47739c 5 bytes JMP 000007ff7e49163c .text C:\Windows\System32\svchost.exe[3712] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe477538 5 bytes JMP 000007ff7e4919f4 .text C:\Windows\System32\svchost.exe[3712] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4775e8 5 bytes JMP 000007ff7e4903a4 .text C:\Windows\System32\svchost.exe[3712] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe47790c 5 bytes JMP 000007ff7e49075c .text C:\Windows\System32\svchost.exe[3712] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe477ab4 5 bytes JMP 000007ff7e490b14 .text C:\Windows\system32\wbem\wmiprvse.exe[2128] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe476e00 5 bytes JMP 000007ff7e491dac .text C:\Windows\system32\wbem\wmiprvse.exe[2128] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe476f2c 5 bytes JMP 000007ff7e490ecc .text C:\Windows\system32\wbem\wmiprvse.exe[2128] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe477220 5 bytes JMP 000007ff7e491284 .text C:\Windows\system32\wbem\wmiprvse.exe[2128] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe47739c 5 bytes JMP 000007ff7e49163c .text C:\Windows\system32\wbem\wmiprvse.exe[2128] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe477538 5 bytes JMP 000007ff7e4919f4 .text C:\Windows\system32\wbem\wmiprvse.exe[2128] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4775e8 5 bytes JMP 000007ff7e4903a4 .text C:\Windows\system32\wbem\wmiprvse.exe[2128] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe47790c 5 bytes JMP 000007ff7e49075c .text C:\Windows\system32\wbem\wmiprvse.exe[2128] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe477ab4 5 bytes JMP 000007ff7e490b14 .text C:\Windows\notepad.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076cd3ae0 5 bytes JMP 000000010033075c .text C:\Windows\notepad.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076cd7a90 5 
bytes JMP 00000001003303a4 .text C:\Windows\notepad.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d01490 5 bytes JMP 0000000100330b14 .text C:\Windows\notepad.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d014f0 5 bytes JMP 0000000100330ecc .text C:\Windows\notepad.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d015d0 5 bytes JMP 000000010033163c .text C:\Windows\notepad.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d01810 5 bytes JMP 0000000100331284 .text C:\Windows\notepad.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d02840 5 bytes JMP 00000001003319f4 .text C:\Windows\notepad.exe[2516] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\notepad.exe[2516] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe476e00 5 bytes JMP 000007ff7e491dac .text C:\Windows\notepad.exe[2516] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe476f2c 5 bytes JMP 000007ff7e490ecc .text C:\Windows\notepad.exe[2516] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe477220 5 bytes JMP 000007ff7e491284 .text C:\Windows\notepad.exe[2516] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe47739c 5 bytes JMP 000007ff7e49163c .text C:\Windows\notepad.exe[2516] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe477538 5 bytes JMP 000007ff7e4919f4 .text C:\Windows\notepad.exe[2516] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4775e8 5 bytes JMP 000007ff7e4903a4 .text C:\Windows\notepad.exe[2516] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe47790c 5 bytes JMP 000007ff7e49075c .text C:\Windows\notepad.exe[2516] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe477ab4 5 bytes JMP 000007ff7e490b14 .text C:\Windows\notepad.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076cd3ae0 5 bytes JMP 00000001001c075c .text 
C:\Windows\notepad.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076cd7a90 5 bytes JMP 00000001001c03a4 .text C:\Windows\notepad.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d01490 5 bytes JMP 00000001001c0b14 .text C:\Windows\notepad.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d014f0 5 bytes JMP 00000001001c0ecc .text C:\Windows\notepad.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d015d0 5 bytes JMP 00000001001c163c .text C:\Windows\notepad.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d01810 5 bytes JMP 00000001001c1284 .text C:\Windows\notepad.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d02840 5 bytes JMP 00000001001c19f4 .text C:\Windows\notepad.exe[2004] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\notepad.exe[2004] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe476e00 5 bytes JMP 000007ff7e491dac .text C:\Windows\notepad.exe[2004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe476f2c 5 bytes JMP 000007ff7e490ecc .text C:\Windows\notepad.exe[2004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe477220 5 bytes JMP 000007ff7e491284 .text C:\Windows\notepad.exe[2004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe47739c 5 bytes JMP 000007ff7e49163c .text C:\Windows\notepad.exe[2004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe477538 5 bytes JMP 000007ff7e4919f4 .text C:\Windows\notepad.exe[2004] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4775e8 5 bytes JMP 000007ff7e4903a4 .text C:\Windows\notepad.exe[2004] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe47790c 5 bytes JMP 000007ff7e49075c .text C:\Windows\notepad.exe[2004] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe477ab4 5 bytes JMP 000007ff7e490b14 .text D:\Pobierane\bvvqwg94.exe[2924] 
C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076eafab0 5 bytes JMP 0000000100030600 .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076eafb48 5 bytes JMP 0000000100030804 .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076eafca0 5 bytes JMP 0000000100030c0c .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076eb0028 5 bytes JMP 0000000100030a08 .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076eb1910 5 bytes JMP 0000000100030e10 .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076ecc43a 5 bytes JMP 00000001000301f8 .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076ed11d7 5 bytes JMP 00000001000303fc .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000074bba322 1 byte [62] .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074af5181 5 bytes JMP 0000000100241014 .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074af5254 5 bytes JMP 0000000100240804 .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074af53d5 5 bytes JMP 0000000100240a08 .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074af54c2 5 bytes JMP 0000000100240c0c .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074af55e2 5 bytes JMP 0000000100240e10 .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074af567c 5 bytes JMP 00000001002401f8 .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074af589f 5 bytes JMP 00000001002403fc .text 
D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074af5a22 5 bytes JMP 0000000100240600 .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007664ee09 5 bytes JMP 00000001002d01f8 .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076653982 5 bytes JMP 00000001002d03fc .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076657603 5 bytes JMP 00000001002d0804 .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007665835c 5 bytes JMP 00000001002d0600 .text D:\Pobierane\bvvqwg94.exe[2924] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007666f52b 5 bytes JMP 00000001002d0a08 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3244:3420] 000007fefe920168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3244:3440] 000007fefb1a2ab8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3244:3912] 000007fef8455124 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 15 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 381540 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk1\Partition1\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! 
VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 15 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 381540 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk1\Partition1\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! 
Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. ---- Files - GMER 2.1 ---- File C:\ProgramData\AVAST Software\Avast\aswAr.run 0 bytes ---- EOF - GMER 2.1 ----