GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2013-01-03 18:03:39 Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\00000096 SAMSUNG_ rev.1AG0 Running: gmer.exe; Driver: C:\Users\Przemek\AppData\Local\Temp\pxldrpod.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8FA3F708] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x90A467C8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8FA4011C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8FA4AF28] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8FA4AF74] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8FA4B0F6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8FA4AE96] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x90A46BBA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8FA4AEDE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x8FA40310] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x8FA40498] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8FA4B0B0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x8FA40A9C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! 
Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8FA3F756] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x90A468AC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8FA3F3BE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8FA3F7A4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8FA44456] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8FA41464] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8FA4AF52] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8FA4AF96] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8FA4B11A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8FA4AEBC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8FA4B03A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8FA4AF06] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8FA4B0D4] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x90A46A2C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8FA41330] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThreadEx [0x8FA4106C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! 
Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8FA3F7F2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8FA3F840] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x8FA4091C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8FA3F448] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8FA3F5F8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8FA3F59E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x8FA40BFE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x8FA40D5A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8FA3F668] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x90A46AF6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x8FA40794] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8FA3F88E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x90A46962] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x90A5E966] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 8305CA49 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830964D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] 
{LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 8309D500 4 Bytes [08, F7, A3, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 8309D528 4 Bytes [C8, 67, A4, 90] {ENTER 0xa467, 0x90} .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 8309D588 4 Bytes [1C, 01, A4, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 8309D5DC 8 Bytes [28, AF, A4, 8F, 74, AF, A4, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 8309D5E8 4 Bytes [F6, B0, A4, 8F] .text ... PAGE ntkrnlpa.exe!ObMakeTemporaryObject 8322BC88 5 Bytes JMP 90A5B806 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObInsertObject + 27 832442B0 5 Bytes JMP 90A5D338 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 832593F7 4 Bytes CALL 8FA41B07 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 8327320E 4 Bytes CALL 8FA41B1D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 832FD10E 7 Bytes JMP 90A5E96A \SystemRoot\System32\Drivers\aswSP.SYS (avast! 
self protection module/AVAST Software) .text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0x9DB6E300, 0x3B6D8, 0xE8000020] .text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x9DBB1300, 0x1BEE, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Windows\system32\svchost.exe[336] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[336] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[336] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Windows\system32\csrss.exe[440] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Windows\system32\csrss.exe[500] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Windows\system32\wininit.exe[508] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Windows\system32\winlogon.exe[556] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1284] kernel32.dll!SetUnhandledExceptionFilter 76D6F4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1284] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[1484] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1580] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Program Files\Trust\GXT14 Mouse\GameMouseServiceApp.exe[1796] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1884] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[1884] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[1884] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Windows\system32\lxeacoms.exe[1908] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 001603FC .text C:\Windows\system32\lxeacoms.exe[1908] 
ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 001601F8 .text C:\Windows\system32\lxeacoms.exe[1908] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Windows\system32\lxeacoms.exe[1908] USER32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 001F0A08 .text C:\Windows\system32\lxeacoms.exe[1908] USER32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 001F03FC .text C:\Windows\system32\lxeacoms.exe[1908] USER32.dll!SetWindowsHookExW 75A3E30C 5 Bytes JMP 001F0804 .text C:\Windows\system32\lxeacoms.exe[1908] USER32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 001F01F8 .text C:\Windows\system32\lxeacoms.exe[1908] USER32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 001F0600 .text C:\Windows\Explorer.EXE[1980] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 000603FC .text C:\Windows\Explorer.EXE[1980] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 000601F8 .text C:\Windows\Explorer.EXE[1980] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Windows\Explorer.EXE[1980] USER32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 000A0A08 .text C:\Windows\Explorer.EXE[1980] USER32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 000A03FC .text C:\Windows\Explorer.EXE[1980] USER32.dll!SetWindowsHookExW 75A3E30C 5 Bytes JMP 000A0804 .text C:\Windows\Explorer.EXE[1980] USER32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 000A01F8 .text C:\Windows\Explorer.EXE[1980] USER32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 000A0600 .text C:\Windows\system32\Dwm.exe[1984] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 000603FC .text C:\Windows\system32\Dwm.exe[1984] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\Dwm.exe[1984] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Windows\system32\Dwm.exe[1984] USER32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 000F0A08 .text C:\Windows\system32\Dwm.exe[1984] USER32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 000F03FC .text C:\Windows\system32\Dwm.exe[1984] USER32.dll!SetWindowsHookExW 75A3E30C 5 Bytes JMP 000F0804 .text 
C:\Windows\system32\Dwm.exe[1984] USER32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 000F01F8 .text C:\Windows\system32\Dwm.exe[1984] USER32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 000F0600 .text C:\Windows\system32\taskhost.exe[2008] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 000503FC .text C:\Windows\system32\taskhost.exe[2008] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 000501F8 .text C:\Windows\system32\taskhost.exe[2008] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Windows\system32\taskhost.exe[2008] USER32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 00070A08 .text C:\Windows\system32\taskhost.exe[2008] USER32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 000703FC .text C:\Windows\system32\taskhost.exe[2008] USER32.dll!SetWindowsHookExW 75A3E30C 5 Bytes JMP 00070804 .text C:\Windows\system32\taskhost.exe[2008] USER32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 000701F8 .text C:\Windows\system32\taskhost.exe[2008] USER32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 00070600 .text C:\Windows\System32\WUDFHost.exe[2124] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 000A03FC .text C:\Windows\System32\WUDFHost.exe[2124] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 000A01F8 .text C:\Windows\System32\WUDFHost.exe[2124] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Windows\System32\WUDFHost.exe[2124] USER32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 00140A08 .text C:\Windows\System32\WUDFHost.exe[2124] USER32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 001403FC .text C:\Windows\System32\WUDFHost.exe[2124] USER32.dll!SetWindowsHookExW 75A3E30C 5 Bytes JMP 00140804 .text C:\Windows\System32\WUDFHost.exe[2124] USER32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 001401F8 .text C:\Windows\System32\WUDFHost.exe[2124] USER32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 00140600 .text C:\Users\Przemek\Desktop\gmer.exe[2320] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 001603FC .text C:\Users\Przemek\Desktop\gmer.exe[2320] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 
001601F8 .text C:\Users\Przemek\Desktop\gmer.exe[2320] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Users\Przemek\Desktop\gmer.exe[2320] USER32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 00210A08 .text C:\Users\Przemek\Desktop\gmer.exe[2320] USER32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 002103FC .text C:\Users\Przemek\Desktop\gmer.exe[2320] USER32.dll!SetWindowsHookExW 75A3E30C 5 Bytes JMP 00210804 .text C:\Users\Przemek\Desktop\gmer.exe[2320] USER32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 002101F8 .text C:\Users\Przemek\Desktop\gmer.exe[2320] USER32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 00210600 .text C:\Windows\system32\AUDIODG.EXE[2412] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Windows\notepad.exe[2668] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 000603FC .text C:\Windows\notepad.exe[2668] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 000601F8 .text C:\Windows\notepad.exe[2668] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Windows\notepad.exe[2668] USER32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 00100A08 .text C:\Windows\notepad.exe[2668] USER32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 001003FC .text C:\Windows\notepad.exe[2668] USER32.dll!SetWindowsHookExW 75A3E30C 5 Bytes JMP 00100804 .text C:\Windows\notepad.exe[2668] USER32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 001001F8 .text C:\Windows\notepad.exe[2668] USER32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 00100600 .text C:\Program Files\Trust\GXT14 Mouse\POINTERGHOST.exe[2736] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 001503FC .text C:\Program Files\Trust\GXT14 Mouse\POINTERGHOST.exe[2736] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 001501F8 .text C:\Program Files\Trust\GXT14 Mouse\POINTERGHOST.exe[2736] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Program Files\Trust\GXT14 Mouse\POINTERGHOST.exe[2736] user32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 001E0A08 .text C:\Program Files\Trust\GXT14 Mouse\POINTERGHOST.exe[2736] 
user32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 001E03FC .text C:\Program Files\Trust\GXT14 Mouse\POINTERGHOST.exe[2736] user32.dll!SetWindowsHookExW 75A3E30C 5 Bytes JMP 001E0804 .text C:\Program Files\Trust\GXT14 Mouse\POINTERGHOST.exe[2736] user32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 001E01F8 .text C:\Program Files\Trust\GXT14 Mouse\POINTERGHOST.exe[2736] user32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 001E0600 .text C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe[2748] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 001603FC .text C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe[2748] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 001601F8 .text C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe[2748] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe[2748] USER32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 001F0A08 .text C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe[2748] USER32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 001F03FC .text C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe[2748] USER32.dll!SetWindowsHookExW 75A3E30C 5 Bytes JMP 001F0804 .text C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe[2748] USER32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 001F01F8 .text C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe[2748] USER32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 001F0600 .text C:\Program Files\Lexmark S300-S400 Series\ezprint.exe[2760] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 001603FC .text C:\Program Files\Lexmark S300-S400 Series\ezprint.exe[2760] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 001601F8 .text C:\Program Files\Lexmark S300-S400 Series\ezprint.exe[2760] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Program Files\Lexmark S300-S400 Series\ezprint.exe[2760] USER32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 00790A08 .text C:\Program Files\Lexmark S300-S400 Series\ezprint.exe[2760] USER32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 
007903FC .text C:\Program Files\Lexmark S300-S400 Series\ezprint.exe[2760] USER32.dll!SetWindowsHookExW 75A3E30C 5 Bytes JMP 00790804 .text C:\Program Files\Lexmark S300-S400 Series\ezprint.exe[2760] USER32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 007901F8 .text C:\Program Files\Lexmark S300-S400 Series\ezprint.exe[2760] USER32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 00790600 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2768] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Program Files\Vtune\TBPANEL.exe[2796] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 001603FC .text C:\Program Files\Vtune\TBPANEL.exe[2796] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 001601F8 .text C:\Program Files\Vtune\TBPANEL.exe[2796] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Program Files\Vtune\TBPANEL.exe[2796] USER32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 002F0A08 .text C:\Program Files\Vtune\TBPANEL.exe[2796] USER32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 002F03FC .text C:\Program Files\Vtune\TBPANEL.exe[2796] USER32.dll!SetWindowsHookExW 75A3E30C 3 Bytes JMP 002F0804 .text C:\Program Files\Vtune\TBPANEL.exe[2796] USER32.dll!SetWindowsHookExW + 4 75A3E310 1 Byte [8A] .text C:\Program Files\Vtune\TBPANEL.exe[2796] USER32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 002F01F8 .text C:\Program Files\Vtune\TBPANEL.exe[2796] USER32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 002F0600 .text C:\Program Files\RocketDock\RocketDock.exe[2824] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 001603FC .text C:\Program Files\RocketDock\RocketDock.exe[2824] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 001601F8 .text C:\Program Files\RocketDock\RocketDock.exe[2824] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Program Files\RocketDock\RocketDock.exe[2824] USER32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 001F0A08 .text C:\Program Files\RocketDock\RocketDock.exe[2824] USER32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 001F03FC .text C:\Program 
Files\RocketDock\RocketDock.exe[2824] USER32.dll!SetWindowsHookExW 75A3E30C 5 Bytes JMP 001F0804 .text C:\Program Files\RocketDock\RocketDock.exe[2824] USER32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 001F01F8 .text C:\Program Files\RocketDock\RocketDock.exe[2824] USER32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 001F0600 .text C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2920] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 001703FC .text C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2920] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 001701F8 .text C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2920] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2920] USER32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 00200A08 .text C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2920] USER32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 002003FC .text C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2920] USER32.dll!SetWindowsHookExW 75A3E30C 5 Bytes JMP 00200804 .text C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2920] USER32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 002001F8 .text C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2920] USER32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 00200600 .text C:\Program Files\Windows Sidebar\sidebar.exe[2936] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 000603FC .text C:\Program Files\Windows Sidebar\sidebar.exe[2936] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 000601F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2936] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[2936] USER32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 00120A08 .text C:\Program Files\Windows Sidebar\sidebar.exe[2936] USER32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 001203FC .text C:\Program Files\Windows Sidebar\sidebar.exe[2936] USER32.dll!SetWindowsHookExW 75A3E30C 5 Bytes JMP 00120804 .text C:\Program Files\Windows 
Sidebar\sidebar.exe[2936] USER32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 001201F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2936] USER32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 00120600 .text C:\Program Files\screenSHU\screenSHU.exe[2992] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 002503FC .text C:\Program Files\screenSHU\screenSHU.exe[2992] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 002501F8 .text C:\Program Files\screenSHU\screenSHU.exe[2992] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Program Files\screenSHU\screenSHU.exe[2992] USER32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 002E0A08 .text C:\Program Files\screenSHU\screenSHU.exe[2992] USER32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 002E03FC .text C:\Program Files\screenSHU\screenSHU.exe[2992] USER32.dll!SetWindowsHookExW 75A3E30C 5 Bytes JMP 002E0804 .text C:\Program Files\screenSHU\screenSHU.exe[2992] USER32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 002E01F8 .text C:\Program Files\screenSHU\screenSHU.exe[2992] USER32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 002E0600 .text C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[3000] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 001703FC .text C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[3000] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 001701F8 .text C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[3000] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[3000] USER32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 00350A08 .text C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[3000] USER32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 003503FC .text C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[3000] USER32.dll!SetWindowsHookExW 75A3E30C 5 Bytes JMP 00350804 .text C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[3000] USER32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 003501F8 .text C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[3000] 
USER32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 00350600 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3384] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 001603FC .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3384] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 001601F8 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3384] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3384] USER32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 001F0A08 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3384] USER32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 001F03FC .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3384] USER32.dll!SetWindowsHookExW 75A3E30C 5 Bytes JMP 001F0804 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3384] USER32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 001F01F8 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3384] USER32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 001F0600 .text C:\Program Files\Launchy\Launchy.exe[3432] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 001703FC .text C:\Program Files\Launchy\Launchy.exe[3432] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 001701F8 .text C:\Program Files\Launchy\Launchy.exe[3432] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Program Files\Launchy\Launchy.exe[3432] USER32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 00230A08 .text C:\Program Files\Launchy\Launchy.exe[3432] USER32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 002303FC .text C:\Program Files\Launchy\Launchy.exe[3432] USER32.dll!SetWindowsHookExW 75A3E30C 5 Bytes JMP 00230804 .text C:\Program Files\Launchy\Launchy.exe[3432] USER32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 002301F8 .text C:\Program Files\Launchy\Launchy.exe[3432] USER32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 00230600 .text C:\Windows\system32\wbem\wmiprvse.exe[3500] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 000603FC .text C:\Windows\system32\wbem\wmiprvse.exe[3500] ntdll.dll!LdrLoadDll 7760223E 5 Bytes 
JMP 000601F8 .text C:\Windows\system32\wbem\wmiprvse.exe[3500] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3500] USER32.dll!UnhookWindowsHookEx 75A3ADF9 5 Bytes JMP 00100A08 .text C:\Windows\system32\wbem\wmiprvse.exe[3500] USER32.dll!UnhookWinEvent 75A3B750 5 Bytes JMP 001003FC .text C:\Windows\system32\wbem\wmiprvse.exe[3500] USER32.dll!SetWindowsHookExW 75A3E30C 5 Bytes JMP 00100804 .text C:\Windows\system32\wbem\wmiprvse.exe[3500] USER32.dll!SetWinEventHook 75A424DC 5 Bytes JMP 001001F8 .text C:\Windows\system32\wbem\wmiprvse.exe[3500] USER32.dll!SetWindowsHookExA 75A66D0C 5 Bytes JMP 00100600 .text C:\Windows\system32\svchost.exe[3504] ntdll.dll!LdrUnloadDll 775FC86E 5 Bytes JMP 000A03FC .text C:\Windows\system32\svchost.exe[3504] ntdll.dll!LdrLoadDll 7760223E 5 Bytes JMP 000A01F8 .text C:\Windows\system32\svchost.exe[3504] kernel32.dll!GetBinaryTypeW + 70 76D869F4 1 Byte [62] ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1284] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [73A6F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Windows\Explorer.EXE[1980] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [741324CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1980] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [7411562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1980] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [741156EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1980] @ 
C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74132546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1980] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [741285AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1980] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74124D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1980] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74125105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1980] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [741251DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1980] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74126707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1980] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74128301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1980] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74128850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft 
GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1980] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [741290B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1980] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7412E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1980] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74124C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[2768] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [73A6F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2920] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7563FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2920] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7563FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2920] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7563FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2920] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7563FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Trust\GXT14 
Mouse\RapooV1Process.exe[3000] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7563FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[3000] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7563FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[3000] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7563FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[3000] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7563FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Launchy\Launchy.exe[3432] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7563FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Launchy\Launchy.exe[3432] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7563FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Launchy\Launchy.exe[3432] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7563FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Launchy\Launchy.exe[3432] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7563FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Launchy\Launchy.exe[3432] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [7563FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000081 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x49 0x13 0x89 0x8D ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x10 0xAC 0x26 0xE2 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x0C 0x9D 0xB8 0x43 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA1 0x72 0xA4 0x2B ...
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@FrequencyCorrectRate 4
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@PollAdjustFactor 5
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@LargePhaseOffset 50000000
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@SpikeWatchPeriod 900
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@LocalClockDispersion 10
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@HoldPeriod 5
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@PhaseCorrectRate 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@UpdateInterval 360000
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@EventLogFlags 2
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@AnnounceFlags 10
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@TimeJumpAuditOffset 28800
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MinPollInterval 10
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MaxPollInterval 15
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MaxNegPhaseCorrection 54000
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MaxPosPhaseCorrection 54000
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MaxAllowedPhaseOffset 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@DllName %systemroot%\system32\w32time.dll
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@Enabled 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@InputProvider 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@AllowNonstandardModeCombinations 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@CrossSiteSyncFlags 2
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@ResolvePeerBackoffMinutes 15
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@ResolvePeerBackoffMaxTimes 7
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@CompatibilityFlags -2147483648
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@EventLogFlags 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@LargeSampleSkew 3
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@SpecialPollInterval 604800
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@SpecialPollTimeRemaining time.windows.com,7bfdc5e???????????
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@DllName %systemroot%\system32\w32time.dll
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@Enabled 0
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@InputProvider 0
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@AllowNonstandardModeCombinations 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@EventLogFlags 0
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainEntryTimeout 16
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainMaxEntries 128
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainMaxHostEntries 4
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainDisable 0
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainLoggingRate 30
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x49 0x13 0x89 0x8D ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x10 0xAC 0x26 0xE2 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x0C 0x9D 0xB8 0x43 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA1 0x72 0xA4 0x2B ...
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@FrequencyCorrectRate 4
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@PollAdjustFactor 5
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@LargePhaseOffset 50000000
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@SpikeWatchPeriod 900
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@LocalClockDispersion 10
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@HoldPeriod 5
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@PhaseCorrectRate 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@UpdateInterval 360000
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@EventLogFlags 2
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@AnnounceFlags 10
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@TimeJumpAuditOffset 28800
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MinPollInterval 10
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MaxPollInterval 15
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MaxNegPhaseCorrection 54000
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MaxPosPhaseCorrection 54000
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MaxAllowedPhaseOffset 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@DllName %systemroot%\system32\w32time.dll
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@Enabled 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@InputProvider 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@AllowNonstandardModeCombinations 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@CrossSiteSyncFlags 2
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@ResolvePeerBackoffMinutes 15
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@ResolvePeerBackoffMaxTimes 7
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@CompatibilityFlags -2147483648
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@EventLogFlags 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@LargeSampleSkew 3
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@SpecialPollInterval 604800
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@SpecialPollTimeRemaining time.windows.com,7bfdc5e???????????
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@DllName %systemroot%\system32\w32time.dll
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@Enabled 0
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@InputProvider 0
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@AllowNonstandardModeCombinations 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@EventLogFlags 0
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainEntryTimeout 16
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainMaxEntries 128
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainMaxHostEntries 4
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainDisable 0
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainLoggingRate 30

---- EOF - GMER 1.0.15 ----