GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-21 19:17:04
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.01.0
Running: gmer.exe; Driver: C:\Users\SYLWIA~1\AppData\Local\Temp\ugldrpob.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8A34BDF8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8BBAAA5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8A34C85E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8A3512E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8A351330]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8A351422]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8A351252]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8A351374]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8A35129A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8A3513DC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8A34BE44]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8BBAAB34]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8A34BAD6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8A34BE90]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8A34ED1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8A34CB02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8A35130E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8A351352]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8A351446]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8A351278]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8A3513AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8A3512C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8A351400]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8BBAACA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8A34C9CE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8A34BEDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8A34BF28]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8A34BB46]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8A34BCEA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8A34BC92]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8A34BD5A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x8BBAAD60]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8A34BF74]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x8BBAABE0]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8BBC0D92]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 81A4F359 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81A88D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 81A8FDA0 4 Bytes [F8, BD, 34, 8A]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 81A8FDC8 4 Bytes [5A, AA, BA, 8B]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 81A8FE28 4 Bytes [5E, C8, 34, 8A]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 81A8FE7C 4 Bytes [E4, 12, 35, 8A]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11AC 81A8FE81 3 Bytes [13, 35, 8A]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 81C1CC64 5 Bytes JMP 8BBBDC8C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 81C35290 5 Bytes JMP 8BBBF764 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 81C4A3D7 4 Bytes CALL 8A34D1B5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 81C641E0 4 Bytes CALL 8A34D1CB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 81CEE0F6 7 Bytes JMP 8BBC0D96 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text user32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes [E9, 0A, 5C, B4, 89] {JMP 0xffffffff89b45c0f}
.text user32.dll!UnhookWinEvent 767CB750 5 Bytes [E9, A7, 4C, B4, 89] {JMP 0xffffffff89b44cac}
.text user32.dll!SetWindowsHookExW 767CE30C 5 Bytes [E9, F3, 24, B4, 89] {JMP 0xffffffff89b424f8}
.text user32.dll!SetWinEventHook 767D24DC 5 Bytes [E9, 17, DD, B3, 89] {JMP 0xffffffff89b3dd1c}
.text user32.dll!SetWindowsHookExA 767F6D0C 5 Bytes [E9, EF, 98, B1, 89] {JMP 0xffffffff89b198f4}
.text kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Launch Manager\dsiwmis.exe[376] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 001603FC
.text C:\Program Files\Launch Manager\dsiwmis.exe[376] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 001601F8
.text C:\Program Files\Launch Manager\dsiwmis.exe[376] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Program Files\Launch Manager\dsiwmis.exe[376] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00200A08
.text C:\Program Files\Launch Manager\dsiwmis.exe[376] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 002003FC
.text C:\Program Files\Launch Manager\dsiwmis.exe[376] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00200804
.text C:\Program Files\Launch Manager\dsiwmis.exe[376] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 002001F8
.text C:\Program Files\Launch Manager\dsiwmis.exe[376] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00200600
.text C:\Windows\system32\csrss.exe[468] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\csrss.exe[512] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[520] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[520] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[520] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[520] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00050A08
.text C:\Windows\system32\wininit.exe[520] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 000503FC
.text C:\Windows\system32\wininit.exe[520] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00050804
.text C:\Windows\system32\wininit.exe[520] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 000501F8
.text C:\Windows\system32\wininit.exe[520] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00050600
.text C:\Windows\system32\services.exe[572] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\services.exe[572] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\services.exe[572] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[596] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[596] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[596] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[596] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 000C0A08
.text C:\Windows\system32\winlogon.exe[596] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 000C03FC
.text C:\Windows\system32\winlogon.exe[596] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 000C0804
.text C:\Windows\system32\winlogon.exe[596] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 000C01F8
.text C:\Windows\system32\winlogon.exe[596] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 000C0600
.text C:\Windows\system32\lsass.exe[624] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsass.exe[624] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsass.exe[624] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\servicing\TrustedInstaller.exe[628] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000503FC
.text C:\Windows\servicing\TrustedInstaller.exe[628] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000501F8
.text C:\Windows\servicing\TrustedInstaller.exe[628] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\servicing\TrustedInstaller.exe[628] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00080A08
.text C:\Windows\servicing\TrustedInstaller.exe[628] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 000803FC
.text C:\Windows\servicing\TrustedInstaller.exe[628] USER32.dll!SetWindowsHookExW 767CE30C 3 Bytes JMP 00080804
.text C:\Windows\servicing\TrustedInstaller.exe[628] USER32.dll!SetWindowsHookExW + 4 767CE310 1 Byte [89]
.text C:\Windows\servicing\TrustedInstaller.exe[628] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 000801F8
.text C:\Windows\servicing\TrustedInstaller.exe[628] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00080600
.text C:\Windows\system32\lsm.exe[632] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsm.exe[632] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsm.exe[632] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[724] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[724] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[824] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[824] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[840] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 001603FC
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[840] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 001601F8
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[840] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[840] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00300A08
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[840] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 003003FC
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[840] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00300804
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[840] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 003001F8
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[840] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00300600
.text C:\Windows\System32\svchost.exe[888] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[888] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[888] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00200A08
.text C:\Windows\System32\svchost.exe[888] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 002003FC
.text C:\Windows\System32\svchost.exe[888] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00200804
.text C:\Windows\System32\svchost.exe[888] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 002001F8
.text C:\Windows\System32\svchost.exe[888] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00200600
.text C:\Windows\System32\svchost.exe[952] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[952] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[952] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[952] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 005B0A08
.text C:\Windows\System32\svchost.exe[952] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 005B03FC
.text C:\Windows\System32\svchost.exe[952] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 005B0804
.text C:\Windows\System32\svchost.exe[952] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 005B01F8
.text C:\Windows\System32\svchost.exe[952] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 005B0600
.text C:\Windows\system32\svchost.exe[984] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[984] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[984] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00ED0A08
.text C:\Windows\system32\svchost.exe[984] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 00ED03FC
.text C:\Windows\system32\svchost.exe[984] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00ED0804
.text C:\Windows\system32\svchost.exe[984] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 00ED01F8
.text C:\Windows\system32\svchost.exe[984] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00ED0600
.text C:\Program Files\Launch Manager\LMworker.exe[1056] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000C03FC
.text C:\Program Files\Launch Manager\LMworker.exe[1056] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000C01F8
.text C:\Program Files\Launch Manager\LMworker.exe[1056] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Program Files\Launch Manager\LMworker.exe[1056] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00150A08
.text C:\Program Files\Launch Manager\LMworker.exe[1056] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 001503FC
.text C:\Program Files\Launch Manager\LMworker.exe[1056] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00150804
.text C:\Program Files\Launch Manager\LMworker.exe[1056] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 001501F8
.text C:\Program Files\Launch Manager\LMworker.exe[1056] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00150600
.text C:\Program Files\Launch Manager\LMutilps32.exe[1096] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC
.text C:\Program Files\Launch Manager\LMutilps32.exe[1096] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8
.text C:\Program Files\Launch Manager\LMutilps32.exe[1096] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Program Files\Launch Manager\LMutilps32.exe[1096] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 000F0A08
.text C:\Program Files\Launch Manager\LMutilps32.exe[1096] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 000F03FC
.text C:\Program Files\Launch Manager\LMutilps32.exe[1096] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 000F0804
.text C:\Program Files\Launch Manager\LMutilps32.exe[1096] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 000F01F8
.text C:\Program Files\Launch Manager\LMutilps32.exe[1096] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 000F0600
.text C:\Windows\system32\svchost.exe[1108] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[1108] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[1108] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1108] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 006B0A08
.text C:\Windows\system32\svchost.exe[1108] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 006B03FC
.text C:\Windows\system32\svchost.exe[1108] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 006B0804
.text C:\Windows\system32\svchost.exe[1108] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 006B01F8
.text C:\Windows\system32\svchost.exe[1108] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 006B0600
.text C:\Windows\system32\svchost.exe[1204] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1204] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 006D0A08
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 006D03FC
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 006D0804
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 006D01F8
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 006D0600
.text C:\Windows\system32\HPSIsvc.exe[1236] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 001703FC
.text C:\Windows\system32\HPSIsvc.exe[1236] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 001701F8
.text C:\Windows\system32\HPSIsvc.exe[1236] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\HPSIsvc.exe[1236] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00230A08
.text C:\Windows\system32\HPSIsvc.exe[1236] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 002303FC
.text C:\Windows\system32\HPSIsvc.exe[1236] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00230804
.text C:\Windows\system32\HPSIsvc.exe[1236] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 002301F8
.text C:\Windows\system32\HPSIsvc.exe[1236] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00230600
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1316] kernel32.dll!SetUnhandledExceptionFilter 762AF4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1316] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[1452] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\taskeng.exe[1452] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\taskeng.exe[1452] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[1452] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00130A08
.text C:\Windows\system32\taskeng.exe[1452] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 001303FC
.text C:\Windows\system32\taskeng.exe[1452] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00130804
.text C:\Windows\system32\taskeng.exe[1452] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 001301F8
.text C:\Windows\system32\taskeng.exe[1452] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00130600
.text C:\Windows\System32\spoolsv.exe[1472] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000A03FC
.text C:\Windows\System32\spoolsv.exe[1472] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000A01F8
.text C:\Windows\System32\spoolsv.exe[1472] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1472] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00140A08
.text C:\Windows\System32\spoolsv.exe[1472] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 001403FC
.text C:\Windows\System32\spoolsv.exe[1472] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00140804
.text C:\Windows\System32\spoolsv.exe[1472] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 001401F8
.text C:\Windows\System32\spoolsv.exe[1472] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00140600
.text C:\Windows\system32\svchost.exe[1548] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[1548] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[1548] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1548] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00190A08
.text C:\Windows\system32\svchost.exe[1548] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 001903FC
.text C:\Windows\system32\svchost.exe[1548] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00190804
.text C:\Windows\system32\svchost.exe[1548] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 001901F8
.text C:\Windows\system32\svchost.exe[1548] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00190600
.text C:\Windows\system32\rundll32.exe[1560] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000703FC
.text C:\Windows\system32\rundll32.exe[1560] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000701F8
.text C:\Windows\system32\rundll32.exe[1560] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\rundll32.exe[1560] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 000A0A08
.text C:\Windows\system32\rundll32.exe[1560] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 000A03FC
.text C:\Windows\system32\rundll32.exe[1560] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 000A0804
.text C:\Windows\system32\rundll32.exe[1560] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 000A01F8
.text C:\Windows\system32\rundll32.exe[1560] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 000A0600
.text C:\Windows\system32\taskhost.exe[1736] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskhost.exe[1736] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskhost.exe[1736] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[1736] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 000E0A08
.text C:\Windows\system32\taskhost.exe[1736] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 000E03FC
.text C:\Windows\system32\taskhost.exe[1736] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 000E0804
.text C:\Windows\system32\taskhost.exe[1736] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 000E01F8
.text C:\Windows\system32\taskhost.exe[1736] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 000E0600
.text C:\Windows\system32\Dwm.exe[1884] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\Dwm.exe[1884] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\Dwm.exe[1884] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[1884] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00130A08
.text C:\Windows\system32\Dwm.exe[1884] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 001303FC
.text C:\Windows\system32\Dwm.exe[1884] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00130804
.text C:\Windows\system32\Dwm.exe[1884] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 001301F8
.text C:\Windows\system32\Dwm.exe[1884] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00130600
.text C:\Windows\Explorer.EXE[1932] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC
.text C:\Windows\Explorer.EXE[1932] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8
.text C:\Windows\Explorer.EXE[1932] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\Explorer.EXE[1932] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00110A08
.text C:\Windows\Explorer.EXE[1932] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 001103FC
.text C:\Windows\Explorer.EXE[1932] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00110804
.text C:\Windows\Explorer.EXE[1932] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 001101F8
.text C:\Windows\Explorer.EXE[1932] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00110600
.text C:\Program Files\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2096] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC
.text C:\Program Files\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2096] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8
.text C:\Program Files\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2096] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Program Files\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2096] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 000A0A08
.text C:\Program Files\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2096] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 000A03FC
.text C:\Program Files\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2096] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 000A0804
.text C:\Program Files\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2096] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 000A01F8
.text C:\Program Files\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2096] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 000A0600
.text C:\Windows\system32\wbem\unsecapp.exe[2148] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000703FC
.text C:\Windows\system32\wbem\unsecapp.exe[2148] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000701F8
.text C:\Windows\system32\wbem\unsecapp.exe[2148] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\wbem\unsecapp.exe[2148] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00200A08
.text C:\Windows\system32\wbem\unsecapp.exe[2148] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 002003FC
.text C:\Windows\system32\wbem\unsecapp.exe[2148] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00200804
.text C:\Windows\system32\wbem\unsecapp.exe[2148] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 002001F8
.text C:\Windows\system32\wbem\unsecapp.exe[2148] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00200600
.text C:\Windows\system32\AUDIODG.EXE[2180] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2200] KERNEL32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Program Files\Acer\Acer VCM\RS_Service.exe[2208] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC
.text C:\Program Files\Acer\Acer VCM\RS_Service.exe[2208] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8
.text C:\Program Files\Acer\Acer VCM\RS_Service.exe[2208] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Program Files\Acer\Acer VCM\RS_Service.exe[2208] user32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Acer\Acer VCM\RS_Service.exe[2208] user32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 001003FC
.text C:\Program Files\Acer\Acer VCM\RS_Service.exe[2208] user32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00100804
.text C:\Program Files\Acer\Acer VCM\RS_Service.exe[2208] user32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 001001F8
.text C:\Program Files\Acer\Acer VCM\RS_Service.exe[2208] user32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\svchost.exe[2244] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[2244] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[2244] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2252] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[2252] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[2252] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00140A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 001403FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00140804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 001401F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2312] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00140600
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2404] KERNEL32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2648] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 001603FC
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2648] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 001601F8
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2648] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2648] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00200A08
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2648] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 002003FC
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2648] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00200804
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2648] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 002001F8
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2648] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00200600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2688] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000A03FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2688] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000A01F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2688] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2688] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00140A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2688] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 001403FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2688] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00140804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2688] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 001401F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2688] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00140600
.text C:\Windows\System32\hkcmd.exe[2860] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 001603FC
.text C:\Windows\System32\hkcmd.exe[2860] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 001601F8
.text C:\Windows\System32\hkcmd.exe[2860] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\System32\hkcmd.exe[2860] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00200A08
.text C:\Windows\System32\hkcmd.exe[2860] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 002003FC
.text C:\Windows\System32\hkcmd.exe[2860] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00200804
.text C:\Windows\System32\hkcmd.exe[2860] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 002001F8
.text C:\Windows\System32\hkcmd.exe[2860] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00200600
.text C:\Windows\System32\igfxpers.exe[3016] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 001603FC
.text C:\Windows\System32\igfxpers.exe[3016] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 001601F8
.text C:\Windows\System32\igfxpers.exe[3016] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\System32\igfxpers.exe[3016] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00300A08
.text C:\Windows\System32\igfxpers.exe[3016] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 003003FC
.text C:\Windows\System32\igfxpers.exe[3016] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00300804
.text C:\Windows\System32\igfxpers.exe[3016] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 003001F8
.text C:\Windows\System32\igfxpers.exe[3016] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00300600
.text C:\Windows\system32\igfxsrvc.exe[3132] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 001603FC
.text C:\Windows\system32\igfxsrvc.exe[3132] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 001601F8
.text C:\Windows\system32\igfxsrvc.exe[3132] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Windows\system32\igfxsrvc.exe[3132] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 001F0A08
.text C:\Windows\system32\igfxsrvc.exe[3132] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 001F03FC
.text C:\Windows\system32\igfxsrvc.exe[3132] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 001F0804
.text C:\Windows\system32\igfxsrvc.exe[3132] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 001F01F8
.text C:\Windows\system32\igfxsrvc.exe[3132] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 001F0600
.text C:\Program Files\Launch Manager\LManager.exe[3160] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 001703FC
.text C:\Program Files\Launch Manager\LManager.exe[3160] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 001701F8
.text C:\Program Files\Launch Manager\LManager.exe[3160] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Program Files\Launch Manager\LManager.exe[3160] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00310A08
.text C:\Program Files\Launch Manager\LManager.exe[3160] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 003103FC
.text C:\Program Files\Launch Manager\LManager.exe[3160] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00310804
.text C:\Program Files\Launch Manager\LManager.exe[3160] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 003101F8
.text C:\Program Files\Launch Manager\LManager.exe[3160] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00310600
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3224] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 001603FC
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3224] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 001601F8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3224] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3224] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3224] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 001F03FC
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3224] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 001F0804
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3224] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 001F01F8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3224] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 001F0600
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3268] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 001603FC
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3268] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 001601F8
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3268] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3268] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 003C0A08
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3268] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 003C03FC
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3268] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 003C0804
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3268] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 003C01F8
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3268] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 003C0600
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3292] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62]
.text C:\Program Files\Acer\Acer ePower 
Management\ePowerEvent.exe[3556] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 001603FC .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[3556] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 001601F8 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[3556] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62] .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[3556] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 001F0A08 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[3556] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 001F03FC .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[3556] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 001F0804 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[3556] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 001F01F8 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[3556] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 001F0600 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[3580] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 00B403FC .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[3580] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 00B401F8 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[3580] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62] .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[3580] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00BD0A08 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[3580] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 00BD03FC .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[3580] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00BD0804 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[3580] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 00BD01F8 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[3580] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00BD0600 .text 
C:\Windows\system32\SearchIndexer.exe[3588] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC .text C:\Windows\system32\SearchIndexer.exe[3588] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\SearchIndexer.exe[3588] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[3588] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00100A08 .text C:\Windows\system32\SearchIndexer.exe[3588] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 001003FC .text C:\Windows\system32\SearchIndexer.exe[3588] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00100804 .text C:\Windows\system32\SearchIndexer.exe[3588] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 001001F8 .text C:\Windows\system32\SearchIndexer.exe[3588] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00100600 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[3768] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[3768] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[3768] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62] .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[3768] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00F80A08 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[3768] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 00F803FC .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[3768] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00F80804 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[3768] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 00F801F8 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[3768] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00F80600 .text C:\Windows\system32\wbem\wmiprvse.exe[3780] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC .text C:\Windows\system32\wbem\wmiprvse.exe[3780] ntdll.dll!LdrLoadDll 
7790223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\wbem\wmiprvse.exe[3780] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3780] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00100A08 .text C:\Windows\system32\wbem\wmiprvse.exe[3780] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 001003FC .text C:\Windows\system32\wbem\wmiprvse.exe[3780] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00100804 .text C:\Windows\system32\wbem\wmiprvse.exe[3780] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 001001F8 .text C:\Windows\system32\wbem\wmiprvse.exe[3780] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00100600 .text C:\Users\Sylwia i Piotrek\Desktop\ochrona\gmer\gmer.exe[3820] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 001603FC .text C:\Users\Sylwia i Piotrek\Desktop\ochrona\gmer\gmer.exe[3820] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 001601F8 .text C:\Users\Sylwia i Piotrek\Desktop\ochrona\gmer\gmer.exe[3820] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62] .text C:\Users\Sylwia i Piotrek\Desktop\ochrona\gmer\gmer.exe[3820] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00310A08 .text C:\Users\Sylwia i Piotrek\Desktop\ochrona\gmer\gmer.exe[3820] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 003103FC .text C:\Users\Sylwia i Piotrek\Desktop\ochrona\gmer\gmer.exe[3820] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00310804 .text C:\Users\Sylwia i Piotrek\Desktop\ochrona\gmer\gmer.exe[3820] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 003101F8 .text C:\Users\Sylwia i Piotrek\Desktop\ochrona\gmer\gmer.exe[3820] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00310600 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3916] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 001603FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3916] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 001601F8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3916] kernel32.dll!GetBinaryTypeW + 70 762C69F4 
1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3916] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 001F0A08 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3916] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 001F03FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3916] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 001F0804 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3916] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 001F01F8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3916] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 001F0600 .text C:\Windows\system32\igfxext.exe[3956] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 001603FC .text C:\Windows\system32\igfxext.exe[3956] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 001601F8 .text C:\Windows\system32\igfxext.exe[3956] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62] .text C:\Windows\system32\igfxext.exe[3956] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 001F0A08 .text C:\Windows\system32\igfxext.exe[3956] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 001F03FC .text C:\Windows\system32\igfxext.exe[3956] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 001F0804 .text C:\Windows\system32\igfxext.exe[3956] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 001F01F8 .text C:\Windows\system32\igfxext.exe[3956] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 001F0600 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4092] ntdll.dll!LdrUnloadDll 778FC86E 5 Bytes JMP 000603FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4092] ntdll.dll!LdrLoadDll 7790223E 5 Bytes JMP 000601F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4092] kernel32.dll!GetBinaryTypeW + 70 762C69F4 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4092] USER32.dll!UnhookWindowsHookEx 767CADF9 5 Bytes JMP 00100A08 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4092] USER32.dll!UnhookWinEvent 767CB750 5 Bytes JMP 
001003FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4092] USER32.dll!SetWindowsHookExW 767CE30C 5 Bytes JMP 00100804 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4092] USER32.dll!SetWinEventHook 767D24DC 5 Bytes JMP 001001F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4092] USER32.dll!SetWindowsHookExA 767F6D0C 5 Bytes JMP 00100600 ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\system32\HPSIsvc.exe[1236] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758FFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\HPSIsvc.exe[1236] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758FFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\HPSIsvc.exe[1236] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758FFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\HPSIsvc.exe[1236] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758FFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\HPSIsvc.exe[1236] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [758FFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\HPSIsvc.exe[1236] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [758FFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1316] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [7360F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Windows\system32\rundll32.exe[1560] @ C:\Windows\system32\USER32.dll 
[KERNEL32.dll!GetProcAddress] [758FFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\rundll32.exe[1560] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758FFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\rundll32.exe[1560] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758FFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\rundll32.exe[1560] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758FFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\rundll32.exe[1560] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [758FFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[3292] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [7360F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! 
TDI Filter Driver/AVAST Software) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) ---- EOF - GMER 1.0.15 ----