GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-06-18 20:36:52 Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 FUJITSU_MJA2250BH_G2 rev.00400018 Running: zc2w3bhp.exe; Driver: C:\Users\Mariusz\AppData\Local\Temp\kxdiifod.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8B893DF8] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8EC12A5A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8B89485E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8B8992E4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8B899330] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8B899422] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8B899252] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8B899374] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8B89929A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8B8993DC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8B893E44] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8EC12B34] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8B893AD6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! 
Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8B893E90] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8B896D1C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8B894B02] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8B89930E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8B899352] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8B899446] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8B899278] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8B8993AE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8B8992C2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8B899400] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8EC12CA0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8B8949CE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8B893EDC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8B893F28] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8B893B46] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8B893CEA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! 
Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8B893C92] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8B893D5A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x8EC12D60] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8B893F74] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x8EC12BE0] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8EC28D92] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwRollbackTransaction + 13E9 82C4F599 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C74092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!RtlSidHashLookup + 214 82C7B864 4 Bytes [F8, 3D, 89, 8B] .text ntkrnlpa.exe!RtlSidHashLookup + 23C 82C7B88C 4 Bytes [5A, 2A, C1, 8E] .text ntkrnlpa.exe!RtlSidHashLookup + 29C 82C7B8EC 4 Bytes [5E, 48, 89, 8B] .text ntkrnlpa.exe!RtlSidHashLookup + 2F0 82C7B940 8 Bytes [E4, 92, 89, 8B, 30, 93, 89, ...] {IN AL, 0x92; MOV [EBX-0x74766cd0], ECX} .text ntkrnlpa.exe!RtlSidHashLookup + 2FC 82C7B94C 4 Bytes [22, 94, 89, 8B] .text ... PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82E153BE 5 Bytes JMP 8EC25C8C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObInsertObject + 27 82E2F0CD 5 Bytes JMP 8EC27764 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82E79762 4 Bytes CALL 8B8951B5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! 
Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82E81873 4 Bytes CALL 8B8951CB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 82EE74DE 7 Bytes JMP 8EC28D96 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Windows Sidebar\sidebar.exe[332] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Program Files\Windows Sidebar\sidebar.exe[332] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[332] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[332] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 000A0A08 .text C:\Program Files\Windows Sidebar\sidebar.exe[332] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 000A03FC .text C:\Program Files\Windows Sidebar\sidebar.exe[332] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 000A0804 .text C:\Program Files\Windows Sidebar\sidebar.exe[332] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 000A01F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[332] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 000A0600 .text C:\Program Files\Skype\Phone\Skype.exe[356] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 001603FC .text C:\Program Files\Skype\Phone\Skype.exe[356] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 001601F8 .text C:\Program Files\Skype\Phone\Skype.exe[356] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Program Files\Skype\Phone\Skype.exe[356] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 001A0A08 .text C:\Program Files\Skype\Phone\Skype.exe[356] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 001A03FC .text C:\Program Files\Skype\Phone\Skype.exe[356] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 001A0804 .text C:\Program Files\Skype\Phone\Skype.exe[356] 
USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 001A01F8 .text C:\Program Files\Skype\Phone\Skype.exe[356] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 001A0600 .text C:\Program Files\GG Lite\GG Lite.exe[404] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 001603FC .text C:\Program Files\GG Lite\GG Lite.exe[404] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 001601F8 .text C:\Program Files\GG Lite\GG Lite.exe[404] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Program Files\GG Lite\GG Lite.exe[404] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 001F0A08 .text C:\Program Files\GG Lite\GG Lite.exe[404] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 001F03FC .text C:\Program Files\GG Lite\GG Lite.exe[404] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 001F0804 .text C:\Program Files\GG Lite\GG Lite.exe[404] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 001F01F8 .text C:\Program Files\GG Lite\GG Lite.exe[404] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 001F0600 .text C:\Windows\system32\csrss.exe[408] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Program Files\Feed Notifier\notifier.exe[424] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 001603FC .text C:\Program Files\Feed Notifier\notifier.exe[424] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 001601F8 .text C:\Program Files\Feed Notifier\notifier.exe[424] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Program Files\Feed Notifier\notifier.exe[424] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 001F0A08 .text C:\Program Files\Feed Notifier\notifier.exe[424] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 001F03FC .text C:\Program Files\Feed Notifier\notifier.exe[424] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 001F0804 .text C:\Program Files\Feed Notifier\notifier.exe[424] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 001F01F8 .text C:\Program Files\Feed Notifier\notifier.exe[424] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 001F0600 .text 
C:\Windows\system32\csrss.exe[460] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\system32\wininit.exe[468] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000303FC .text C:\Windows\system32\wininit.exe[468] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000301F8 .text C:\Windows\system32\wininit.exe[468] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\system32\wininit.exe[468] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 001C0A08 .text C:\Windows\system32\wininit.exe[468] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 001C03FC .text C:\Windows\system32\wininit.exe[468] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 001C0804 .text C:\Windows\system32\wininit.exe[468] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 001C01F8 .text C:\Windows\system32\wininit.exe[468] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 001C0600 .text C:\Windows\system32\winlogon.exe[500] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000303FC .text C:\Windows\system32\winlogon.exe[500] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000301F8 .text C:\Windows\system32\winlogon.exe[500] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\system32\winlogon.exe[500] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 00060A08 .text C:\Windows\system32\winlogon.exe[500] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 000603FC .text C:\Windows\system32\winlogon.exe[500] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 00060804 .text C:\Windows\system32\winlogon.exe[500] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 000601F8 .text C:\Windows\system32\winlogon.exe[500] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 00060600 .text C:\Windows\system32\services.exe[572] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Windows\system32\services.exe[572] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\system32\services.exe[572] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text 
C:\Windows\system32\lsass.exe[580] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000A03FC .text C:\Windows\system32\lsass.exe[580] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000A01F8 .text C:\Windows\system32\lsass.exe[580] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\system32\lsm.exe[588] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Windows\system32\lsm.exe[588] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\system32\lsm.exe[588] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\system32\svchost.exe[692] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[692] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[692] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\system32\svchost.exe[784] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[784] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[784] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\System32\svchost.exe[848] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Windows\System32\svchost.exe[848] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\System32\svchost.exe[848] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\System32\svchost.exe[848] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 002F0A08 .text C:\Windows\System32\svchost.exe[848] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 002F03FC .text C:\Windows\System32\svchost.exe[848] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 002F0804 .text C:\Windows\System32\svchost.exe[848] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 002F01F8 .text C:\Windows\System32\svchost.exe[848] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 002F0600 .text C:\Windows\System32\svchost.exe[904] ntdll.dll!LdrUnloadDll 779BBD1F 5 
Bytes JMP 000603FC .text C:\Windows\System32\svchost.exe[904] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\System32\svchost.exe[904] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\System32\svchost.exe[904] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 002D0A08 .text C:\Windows\System32\svchost.exe[904] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 002D03FC .text C:\Windows\System32\svchost.exe[904] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 002D0804 .text C:\Windows\System32\svchost.exe[904] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 002D01F8 .text C:\Windows\System32\svchost.exe[904] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 002D0600 .text C:\Windows\system32\svchost.exe[948] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[948] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[948] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\system32\svchost.exe[948] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 009D0A08 .text C:\Windows\system32\svchost.exe[948] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 009D03FC .text C:\Windows\system32\svchost.exe[948] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 009D0804 .text C:\Windows\system32\svchost.exe[948] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 009D01F8 .text C:\Windows\system32\svchost.exe[948] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 009D0600 .text C:\Windows\system32\AUDIODG.EXE[1024] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\system32\svchost.exe[1088] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[1088] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[1088] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\system32\svchost.exe[1088] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 
00950A08 .text C:\Windows\system32\svchost.exe[1088] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 009503FC .text C:\Windows\system32\svchost.exe[1088] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 00950804 .text C:\Windows\system32\svchost.exe[1088] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 009501F8 .text C:\Windows\system32\svchost.exe[1088] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 00950600 .text C:\Windows\system32\svchost.exe[1180] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[1180] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[1180] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\system32\svchost.exe[1180] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 00A10A08 .text C:\Windows\system32\svchost.exe[1180] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 00A103FC .text C:\Windows\system32\svchost.exe[1180] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 00A10804 .text C:\Windows\system32\svchost.exe[1180] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 00A101F8 .text C:\Windows\system32\svchost.exe[1180] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 00A10600 .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1284] kernel32.dll!SetUnhandledExceptionFilter 761530E2 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1284] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\explorer.exe[1448] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Windows\explorer.exe[1448] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\explorer.exe[1448] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\explorer.exe[1448] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 000B0A08 .text C:\Windows\explorer.exe[1448] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 000B03FC .text C:\Windows\explorer.exe[1448] 
USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 000B0804 .text C:\Windows\explorer.exe[1448] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 000B01F8 .text C:\Windows\explorer.exe[1448] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 000B0600 .text C:\Windows\explorer.exe[1448] SHELL32.dll!SHFileOperationW 762396E0 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll .text C:\Windows\System32\spoolsv.exe[1488] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Windows\System32\spoolsv.exe[1488] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\System32\spoolsv.exe[1488] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[1488] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 00140A08 .text C:\Windows\System32\spoolsv.exe[1488] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 001403FC .text C:\Windows\System32\spoolsv.exe[1488] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 00140804 .text C:\Windows\System32\spoolsv.exe[1488] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 001401F8 .text C:\Windows\System32\spoolsv.exe[1488] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 00140600 .text C:\Windows\explorer.exe[1620] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Windows\explorer.exe[1620] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\explorer.exe[1620] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\explorer.exe[1620] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 00120A08 .text C:\Windows\explorer.exe[1620] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 001203FC .text C:\Windows\explorer.exe[1620] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 00120804 .text C:\Windows\explorer.exe[1620] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 001201F8 .text C:\Windows\explorer.exe[1620] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 00120600 .text C:\Windows\explorer.exe[1620] SHELL32.dll!SHFileOperationW 762396E0 
5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll .text C:\Windows\system32\svchost.exe[1640] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[1640] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\system32\svchost.exe[1640] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 00130A08 .text C:\Windows\system32\svchost.exe[1640] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 001303FC .text C:\Windows\system32\svchost.exe[1640] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 00130804 .text C:\Windows\system32\svchost.exe[1640] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 001301F8 .text C:\Windows\system32\svchost.exe[1640] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 00130600 .text C:\Windows\System32\svchost.exe[1668] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Windows\System32\svchost.exe[1668] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\System32\svchost.exe[1668] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\System32\svchost.exe[1668] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 00210A08 .text C:\Windows\System32\svchost.exe[1668] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 002103FC .text C:\Windows\System32\svchost.exe[1668] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 00210804 .text C:\Windows\System32\svchost.exe[1668] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 002101F8 .text C:\Windows\System32\svchost.exe[1668] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 00210600 .text C:\Windows\system32\taskeng.exe[1708] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Windows\system32\taskeng.exe[1708] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\system32\taskeng.exe[1708] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text 
C:\Windows\system32\taskeng.exe[1708] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 000F0A08 .text C:\Windows\system32\taskeng.exe[1708] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 000F03FC .text C:\Windows\system32\taskeng.exe[1708] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 000F0804 .text C:\Windows\system32\taskeng.exe[1708] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 000F01F8 .text C:\Windows\system32\taskeng.exe[1708] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 000F0600 .text C:\Program Files\IObit\Game Booster 3\gbtray.exe[1780] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 001603FC .text C:\Program Files\IObit\Game Booster 3\gbtray.exe[1780] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 001601F8 .text C:\Program Files\IObit\Game Booster 3\gbtray.exe[1780] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Program Files\IObit\Game Booster 3\gbtray.exe[1780] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 00200A08 .text C:\Program Files\IObit\Game Booster 3\gbtray.exe[1780] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 002003FC .text C:\Program Files\IObit\Game Booster 3\gbtray.exe[1780] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 00200804 .text C:\Program Files\IObit\Game Booster 3\gbtray.exe[1780] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 002001F8 .text C:\Program Files\IObit\Game Booster 3\gbtray.exe[1780] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 00200600 .text C:\Windows\servicing\TrustedInstaller.exe[1940] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000503FC .text C:\Windows\servicing\TrustedInstaller.exe[1940] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000501F8 .text C:\Windows\servicing\TrustedInstaller.exe[1940] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\servicing\TrustedInstaller.exe[1940] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 000F0A08 .text C:\Windows\servicing\TrustedInstaller.exe[1940] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 000F03FC .text 
C:\Windows\servicing\TrustedInstaller.exe[1940] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 000F0804 .text C:\Windows\servicing\TrustedInstaller.exe[1940] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 000F01F8 .text C:\Windows\servicing\TrustedInstaller.exe[1940] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 000F0600 .text C:\Windows\TEMP\mrt9443.tmp\stdrt.exe[1952] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 001603FC .text C:\Windows\TEMP\mrt9443.tmp\stdrt.exe[1952] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 001601F8 .text C:\Windows\TEMP\mrt9443.tmp\stdrt.exe[1952] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\TEMP\mrt9443.tmp\stdrt.exe[1952] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 001F0A08 .text C:\Windows\TEMP\mrt9443.tmp\stdrt.exe[1952] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 001F03FC .text C:\Windows\TEMP\mrt9443.tmp\stdrt.exe[1952] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 001F0804 .text C:\Windows\TEMP\mrt9443.tmp\stdrt.exe[1952] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 001F01F8 .text C:\Windows\TEMP\mrt9443.tmp\stdrt.exe[1952] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 001F0600 .text C:\Windows\System32\igfxpers.exe[1960] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 001603FC .text C:\Windows\System32\igfxpers.exe[1960] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 001601F8 .text C:\Windows\System32\igfxpers.exe[1960] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\System32\igfxpers.exe[1960] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 00200A08 .text C:\Windows\System32\igfxpers.exe[1960] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 002003FC .text C:\Windows\System32\igfxpers.exe[1960] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 00200804 .text C:\Windows\System32\igfxpers.exe[1960] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 002001F8 .text C:\Windows\System32\igfxpers.exe[1960] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 00200600 .text 
C:\Program Files\AVAST Software\Avast\AvastUI.exe[1972] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Program Files\Unlocker\UnlockerAssistant.exe[1988] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 001503FC .text C:\Program Files\Unlocker\UnlockerAssistant.exe[1988] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 001501F8 .text C:\Program Files\Unlocker\UnlockerAssistant.exe[1988] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Program Files\Unlocker\UnlockerAssistant.exe[1988] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 00180A08 .text C:\Program Files\Unlocker\UnlockerAssistant.exe[1988] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 001803FC .text C:\Program Files\Unlocker\UnlockerAssistant.exe[1988] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 00180804 .text C:\Program Files\Unlocker\UnlockerAssistant.exe[1988] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 001801F8 .text C:\Program Files\Unlocker\UnlockerAssistant.exe[1988] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 00180600 .text C:\Users\Mariusz\Local Settings\Apps\F.lux\flux.exe[2020] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 001503FC .text C:\Users\Mariusz\Local Settings\Apps\F.lux\flux.exe[2020] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 001501F8 .text C:\Users\Mariusz\Local Settings\Apps\F.lux\flux.exe[2020] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Users\Mariusz\Local Settings\Apps\F.lux\flux.exe[2020] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 001E0A08 .text C:\Users\Mariusz\Local Settings\Apps\F.lux\flux.exe[2020] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 001E03FC .text C:\Users\Mariusz\Local Settings\Apps\F.lux\flux.exe[2020] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 001E0804 .text C:\Users\Mariusz\Local Settings\Apps\F.lux\flux.exe[2020] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 001E01F8 .text C:\Users\Mariusz\Local Settings\Apps\F.lux\flux.exe[2020] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 
001E0600 .text C:\Windows\system32\igfxsrvc.exe[2040] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 001603FC .text C:\Windows\system32\igfxsrvc.exe[2040] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 001601F8 .text C:\Windows\system32\igfxsrvc.exe[2040] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\system32\igfxsrvc.exe[2040] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 001F0A08 .text C:\Windows\system32\igfxsrvc.exe[2040] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 001F03FC .text C:\Windows\system32\igfxsrvc.exe[2040] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 001F0804 .text C:\Windows\system32\igfxsrvc.exe[2040] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 001F01F8 .text C:\Windows\system32\igfxsrvc.exe[2040] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 001F0600 .text C:\Program Files\Opera\opera.exe[2220] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Program Files\Opera\opera.exe[2220] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Program Files\Opera\opera.exe[2220] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Program Files\Opera\opera.exe[2220] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 000F0A08 .text C:\Program Files\Opera\opera.exe[2220] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 000F03FC .text C:\Program Files\Opera\opera.exe[2220] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 000F0804 .text C:\Program Files\Opera\opera.exe[2220] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 000F01F8 .text C:\Program Files\Opera\opera.exe[2220] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 000F0600 .text C:\zc2w3bhp.exe[2488] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 001603FC .text C:\zc2w3bhp.exe[2488] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 001601F8 .text C:\zc2w3bhp.exe[2488] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\zc2w3bhp.exe[2488] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 00210A08 .text C:\zc2w3bhp.exe[2488] 
USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 002103FC .text C:\zc2w3bhp.exe[2488] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 00210804 .text C:\zc2w3bhp.exe[2488] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 002101F8 .text C:\zc2w3bhp.exe[2488] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 00210600 .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2532] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000703FC .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2532] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000701F8 .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2532] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2532] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 00100A08 .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2532] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 001003FC .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2532] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 00100804 .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2532] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 001001F8 .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2532] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 00100600 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2560] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2560] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2560] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2560] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 00200A08 .text C:\Program Files\Common Files\Apple\Mobile Device 
Support\AppleMobileDeviceService.exe[2560] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 002003FC .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2560] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 00200804 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2560] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 002001F8 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2560] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 00200600 .text C:\Windows\system32\svchost.exe[2708] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[2708] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[2708] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2848] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 001603FC .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2848] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 001601F8 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2848] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2848] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 002F0A08 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2848] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 002F03FC .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2848] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 002F0804 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2848] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 002F01F8 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2848] 
USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 002F0600 .text C:\Windows\system32\svchost.exe[2944] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[2944] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[2944] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2952] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2952] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2952] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2952] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 00080A08 .text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2952] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 000803FC .text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2952] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 00080804 .text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2952] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 000801F8 .text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2952] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 00080600 .text C:\Windows\system32\SearchIndexer.exe[3192] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Windows\system32\SearchIndexer.exe[3192] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\system32\SearchIndexer.exe[3192] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[3192] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 00140A08 .text C:\Windows\system32\SearchIndexer.exe[3192] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 001403FC .text C:\Windows\system32\SearchIndexer.exe[3192] USER32.dll!SetWindowsHookExW 
7600210A 5 Bytes JMP 00140804 .text C:\Windows\system32\SearchIndexer.exe[3192] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 001401F8 .text C:\Windows\system32\SearchIndexer.exe[3192] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 00140600 .text C:\Windows\system32\WUDFHost.exe[3456] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Windows\system32\WUDFHost.exe[3456] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Windows\system32\WUDFHost.exe[3456] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Windows\system32\WUDFHost.exe[3456] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 00190A08 .text C:\Windows\system32\WUDFHost.exe[3456] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 001903FC .text C:\Windows\system32\WUDFHost.exe[3456] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 00190804 .text C:\Windows\system32\WUDFHost.exe[3456] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 001901F8 .text C:\Windows\system32\WUDFHost.exe[3456] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes JMP 00190600 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3908] ntdll.dll!LdrUnloadDll 779BBD1F 5 Bytes JMP 000603FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3908] ntdll.dll!LdrLoadDll 779BF425 5 Bytes JMP 000601F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3908] kernel32.dll!GetBinaryTypeW + 70 761678FC 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3908] USER32.dll!UnhookWindowsHookEx 75FFCC7B 5 Bytes JMP 00100A08 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3908] USER32.dll!UnhookWinEvent 75FFD924 5 Bytes JMP 001003FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3908] USER32.dll!SetWindowsHookExW 7600210A 5 Bytes JMP 00100804 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3908] USER32.dll!SetWinEventHook 7600507E 5 Bytes JMP 001001F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3908] USER32.dll!SetWindowsHookExA 76026DFA 5 Bytes 
JMP 00100600

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1284] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [7241F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[1972] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [7241F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000004d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----