GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-25 21:54:01
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST932042 rev.0004
Running: dkeqhoct.exe; Driver: C:\DOCUME~1\jaro\LOCALS~1\Temp\fwroypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0x9A964CF0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB9E096AE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xB9DE7A96]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xB9DE7D5E]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xB9E0A04C]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xB9E0A3D6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0x9A964782]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB9E088EC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0x9A9646C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0x9A964726]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0x9A964DA6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xB9E0A91A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0x9A964D66]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xB9E09A50]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB9DE7506]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x9A9719D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x9A971B0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 805795FA 7 Bytes JMP 9A971B10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!NtCreateSection 805A075C 7 Bytes JMP 9A9719D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1CE0 5 Bytes JMP 9A96D5D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805B8B58 5 Bytes JMP 9A96EFFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
init C:\WINDOWS\system32\Drivers\OEM13Afx.sys entry point in "init" section [0xA12B0310]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0x9A44C400, 0x7960C, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0x9A4EE420]
C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0x9A4EE420]
.protect˙˙˙˙hardlockunknown last code section [0x9A4EE200, 0x5049, 0xE0000020]
C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0x9A4EE200, 0x5049, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\ctfmon.exe[320] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D90001
.text C:\WINDOWS\system32\ctfmon.exe[320] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\WINDOWS\system32\ctfmon.exe[320] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\WINDOWS\system32\ctfmon.exe[320] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[320] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\ctfmon.exe[320] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[388] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 018B0001
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[388] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 719C0F5A
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[388] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[388] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[388] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [9E, 71]
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[388] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71990F5A
.text C:\Program Files\DellTPad\HidFind.exe[496] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D60001
.text C:\Program Files\DellTPad\HidFind.exe[496] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\Program Files\DellTPad\HidFind.exe[496] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\Program Files\DellTPad\HidFind.exe[496] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[496] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\Program Files\DellTPad\HidFind.exe[496] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe[500] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01440001
.text C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe[500] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe[500] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe[500] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe[500] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe[500] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[680] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\DellTPad\Apntex.exe[1056] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01180001
.text C:\Program Files\DellTPad\Apntex.exe[1056] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\Program Files\DellTPad\Apntex.exe[1056] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\Program Files\DellTPad\Apntex.exe[1056] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[1056] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\Program Files\DellTPad\Apntex.exe[1056] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1244] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01BB0001
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1244] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A20F5A
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1244] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1244] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1244] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A4, 71]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1244] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 719F0F5A
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1344] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009E0001
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1344] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1344] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1344] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1344] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[1344] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[1456] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01930001
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[1456] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 719C0F5A
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[1456] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[1456] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[1456] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [9E, 71]
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[1456] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71990F5A
.text C:\Program Files\PC Tools Security\pctsSvc.exe[2180] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044BEE1 C:\Program Files\PC Tools Security\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroTray.exe[2844] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009E0001
.text C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroTray.exe[2844] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A60F5A
.text C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroTray.exe[2844] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroTray.exe[2844] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroTray.exe[2844] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A8, 71] {TEST AL, 0x71}
.text C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroTray.exe[2844] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A30F5A
.text C:\Program Files\PC Tools Security\pctsGui.exe[2944] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044BB95 C:\Program Files\PC Tools Security\pctsGui.exe (PC Tools GUI Application/PC Tools)
.text C:\Program Files\DellTPad\Apoint.exe[3252] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01390001
.text C:\Program Files\DellTPad\Apoint.exe[3252] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\Program Files\DellTPad\Apoint.exe[3252] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\Program Files\DellTPad\Apoint.exe[3252] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3252] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\Program Files\DellTPad\Apoint.exe[3252] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\Program Files\IDT\WDM\sttray.exe[3268] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F80001
.text C:\Program Files\IDT\WDM\sttray.exe[3268] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\Program Files\IDT\WDM\sttray.exe[3268] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\Program Files\IDT\WDM\sttray.exe[3268] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\IDT\WDM\sttray.exe[3268] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\Program Files\IDT\WDM\sttray.exe[3268] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\WINDOWS\system32\AESTFltr.exe[3288] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FE0001
.text C:\WINDOWS\system32\AESTFltr.exe[3288] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\WINDOWS\system32\AESTFltr.exe[3288] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\WINDOWS\system32\AESTFltr.exe[3288] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\AESTFltr.exe[3288] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\AESTFltr.exe[3288] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\WINDOWS\system32\igfxtray.exe[3296] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 018A0001
.text C:\WINDOWS\system32\igfxtray.exe[3296] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\WINDOWS\system32\igfxtray.exe[3296] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\WINDOWS\system32\igfxtray.exe[3296] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\igfxtray.exe[3296] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\igfxtray.exe[3296] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\WINDOWS\system32\hkcmd.exe[3320] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 013D0001
.text C:\WINDOWS\system32\hkcmd.exe[3320] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\WINDOWS\system32\hkcmd.exe[3320] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\WINDOWS\system32\hkcmd.exe[3320] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\hkcmd.exe[3320] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\hkcmd.exe[3320] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\WINDOWS\system32\igfxpers.exe[3336] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01350001
.text C:\WINDOWS\system32\igfxpers.exe[3336] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\WINDOWS\system32\igfxpers.exe[3336] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\WINDOWS\system32\igfxpers.exe[3336] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\igfxpers.exe[3336] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\igfxpers.exe[3336] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe[3376] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01470001
.text C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe[3376] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe[3376] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe[3376] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe[3376] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe[3376] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\WINDOWS\system32\igfxsrvc.exe[3416] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01630001
.text C:\WINDOWS\system32\igfxsrvc.exe[3416] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\WINDOWS\system32\igfxsrvc.exe[3416] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\WINDOWS\system32\igfxsrvc.exe[3416] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\igfxsrvc.exe[3416] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\igfxsrvc.exe[3416] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3444] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 017A0001
.text C:\WINDOWS\system32\WLTRAY.exe[3444] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A20F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3444] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3444] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\WLTRAY.exe[3444] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A4, 71]
.text C:\WINDOWS\system32\WLTRAY.exe[3444] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 719F0F5A
.text C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[3452] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01B80001
.text C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[3452] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A20F5A
.text C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[3452] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[3452] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[3452] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A4, 71]
.text C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[3452] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 719F0F5A
.text C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[3472] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02CF0001
.text C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[3472] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A20F5A
.text C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[3472] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[3472] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[3472] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A4, 71]
.text C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[3472] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 719F0F5A
.text C:\Program Files\USB Product Driver v2.16r002\shwicon.exe[3500] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DA0001
.text C:\Program Files\USB Product Driver v2.16r002\shwicon.exe[3500] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\Program Files\USB Product Driver v2.16r002\shwicon.exe[3500] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\Program Files\USB Product Driver v2.16r002\shwicon.exe[3500] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\USB Product Driver v2.16r002\shwicon.exe[3500] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\Program Files\USB Product Driver v2.16r002\shwicon.exe[3500] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[3528] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D80001
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[3528] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[3528] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[3528] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[3528] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[3528] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3552] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EE0001
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3552] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3552] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3552] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3552] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3552] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3704] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 03670001
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3704] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A10F5A
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3704] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3704] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3704] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A3, 71]
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3704] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 719E0F5A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3760] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F30001
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3760] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3760] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3760] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3760] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3760] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[3924] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EA0001
.text C:\Program Files\DellTPad\ApMsgFwd.exe[3924] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[3924] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[3924] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[3924] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[3924] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\Program Files\MemStat XP\MemStat.exe[3932] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 011B0001
.text C:\Program Files\MemStat XP\MemStat.exe[3932] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A50F5A
.text C:\Program Files\MemStat XP\MemStat.exe[3932] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AE0F5A
.text C:\Program Files\MemStat XP\MemStat.exe[3932] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\MemStat XP\MemStat.exe[3932] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A7, 71]
.text C:\Program Files\MemStat XP\MemStat.exe[3932] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A20F5A
.text C:\Documents and Settings\jaro\Dokumenty\Pobieranie\viri-logi-testy\dkeqhoct.exe[4484] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B80001
.text C:\Documents and Settings\jaro\Dokumenty\Pobieranie\viri-logi-testy\dkeqhoct.exe[4484] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A60F5A
.text C:\Documents and Settings\jaro\Dokumenty\Pobieranie\viri-logi-testy\dkeqhoct.exe[4484] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AF0F5A
.text C:\Documents and Settings\jaro\Dokumenty\Pobieranie\viri-logi-testy\dkeqhoct.exe[4484] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\jaro\Dokumenty\Pobieranie\viri-logi-testy\dkeqhoct.exe[4484] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A8, 71] {TEST AL, 0x71}
.text C:\Documents and Settings\jaro\Dokumenty\Pobieranie\viri-logi-testy\dkeqhoct.exe[4484] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A30F5A
.text C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE[5732] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B00001
.text C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE[5732] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 32604F4E C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE[5732] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A60F5A
.text C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE[5732] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE[5732] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE[5732] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A8, 71] {TEST AL, 0x71}
.text C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE[5732] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 71A30F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[6120] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[6120] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 010A0001
.text C:\Program Files\Mozilla Firefox\firefox.exe[6120] USER32.dll!ChangeDisplaySettingsExA 7E37384E 6 Bytes JMP 71A20F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[6120] USER32.dll!SetForegroundWindow 7E3742ED 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[6120] USER32.dll!SetWindowPos 7E3799F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[6120] USER32.dll!SetWindowPos + 4 7E3799F7 2 Bytes [A4, 71]
.text C:\Program Files\Mozilla Firefox\firefox.exe[6120] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 6 Bytes JMP 719F0F5A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[1540] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[1540] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 1.0.15 ----

Device aswSP.SYS (avast! self protection module/AVAST Software)
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
AttachedDevice tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device ftdisk.sys (FT Disk Driver/Microsoft Corporation)
Device \Driver\PCTSDInjDriver32 \Device\PCTSDInjDriver32 PCTSDInj32.sys (UM Injection Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device Fs_Rec.SYS (File System Recognizer Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----