GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-28 20:32:25
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD322HJ rev.1AC01118
Running: yokgcomr.exe; Driver: C:\Users\Szef\AppData\Local\Temp\aflcraob.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8F04B9CA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8F726A68]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8F04DEAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8F04DF04]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8F04E01A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8F04DE02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8F04DF54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8F04DE56]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8F04DFC8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8F04B9EE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8F726B18]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8F04B7B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8F04BA12]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8F04E412]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8F04C4AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8F04DEDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8F04DF2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8F04E044]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8F04DE2E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8F04DF94]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8F04DE84]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8F04DFF2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8F726BB0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8F04C370]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8F04BA36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8F04BA5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8F04B812]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8F04B94E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8F04B92A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8F04B972]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8F04BA7E]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8F73B8DE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A91599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB5F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 214 82ABD724 4 Bytes [CA, B9, 04, 8F]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 82ABD74C 4 Bytes [68, 6A, 72, 8F]
.text ntkrnlpa.exe!RtlSidHashLookup + 2F0 82ABD800 8 Bytes [AC, DE, 04, 8F, 04, DF, 04, ...] {LODSB ; FIADD WORD [EDI+ECX*4]; ADD AL, 0xdf; ADD AL, 0x8f}
.text ntkrnlpa.exe!RtlSidHashLookup + 2FC 82ABD80C 4 Bytes [1A, E0, 04, 8F] {SBB AH, AL; ADD AL, 0x8f}
.text ntkrnlpa.exe!RtlSidHashLookup + 318 82ABD828 4 Bytes [02, DE, 04, 8F] {ADD BL, DH; ADD AL, 0x8f}
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82C56FBF 5 Bytes JMP 8F73729E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82C70CF3 5 Bytes JMP 8F738D50 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82CBB17A 4 Bytes CALL 8F04CE3B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82CC3255 4 Bytes CALL 8F04CE51 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82D28EAC 7 Bytes JMP 8F73B8E2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9043D000, 0x2D5378, 0xE8000020]
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 9FA38000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 9FA38123 629 Bytes [35, A3, 9F, FE, 05, 34, 35, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 9FA38399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F 9FA383FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B 9FA384AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...
.text user32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00210120
.text user32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0021006C
.text user32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 002100E4
.text user32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00210030
.text user32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 002100A8

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[332] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C
.text C:\Windows\system32\svchost.exe[332] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030
.text C:\Windows\system32\svchost.exe[332] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00180120
.text C:\Windows\system32\svchost.exe[332] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0018006C
.text C:\Windows\system32\svchost.exe[332] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 001800E4
.text C:\Windows\system32\svchost.exe[332] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00180030
.text C:\Windows\system32\svchost.exe[332] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 001800A8
.text C:\Windows\system32\wininit.exe[460] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0003006C
.text C:\Windows\system32\wininit.exe[460] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00030030
.text C:\Windows\system32\wininit.exe[460] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 000C0120
.text
C:\Windows\system32\wininit.exe[460] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 000C006C .text C:\Windows\system32\wininit.exe[460] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 000C00E4 .text C:\Windows\system32\wininit.exe[460] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 000C0030 .text C:\Windows\system32\wininit.exe[460] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 000C00A8 .text C:\Windows\system32\services.exe[508] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 000A006C .text C:\Windows\system32\services.exe[508] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 000A0030 .text C:\Windows\system32\lsass.exe[524] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Windows\system32\lsass.exe[524] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Windows\system32\lsass.exe[524] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00200120 .text C:\Windows\system32\lsass.exe[524] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0020006C .text C:\Windows\system32\lsass.exe[524] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 002000E4 .text C:\Windows\system32\lsass.exe[524] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00200030 .text C:\Windows\system32\lsass.exe[524] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 002000A8 .text C:\Windows\system32\lsm.exe[532] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Windows\system32\lsm.exe[532] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Windows\system32\winlogon.exe[572] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0003006C .text C:\Windows\system32\winlogon.exe[572] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00030030 .text C:\Windows\system32\winlogon.exe[572] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00050120 .text C:\Windows\system32\winlogon.exe[572] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0005006C .text C:\Windows\system32\winlogon.exe[572] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 000500E4 .text C:\Windows\system32\winlogon.exe[572] 
USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00050030 .text C:\Windows\system32\winlogon.exe[572] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 000500A8 .text C:\Windows\system32\svchost.exe[684] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Windows\system32\svchost.exe[684] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Windows\system32\svchost.exe[776] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Windows\system32\svchost.exe[776] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Windows\system32\atiesrxx.exe[824] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0016006C .text C:\Windows\system32\atiesrxx.exe[824] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00160030 .text C:\Windows\system32\atiesrxx.exe[824] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 001F0120 .text C:\Windows\system32\atiesrxx.exe[824] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 001F006C .text C:\Windows\system32\atiesrxx.exe[824] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 001F00E4 .text C:\Windows\system32\atiesrxx.exe[824] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 001F0030 .text C:\Windows\system32\atiesrxx.exe[824] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 001F00A8 .text C:\Windows\System32\svchost.exe[916] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Windows\System32\svchost.exe[916] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Windows\System32\svchost.exe[916] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00550120 .text C:\Windows\System32\svchost.exe[916] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0055006C .text C:\Windows\System32\svchost.exe[916] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 005500E4 .text C:\Windows\System32\svchost.exe[916] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00550030 .text C:\Windows\System32\svchost.exe[916] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 005500A8 .text C:\Windows\System32\svchost.exe[952] 
ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Windows\System32\svchost.exe[952] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Windows\System32\svchost.exe[952] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 008C0120 .text C:\Windows\System32\svchost.exe[952] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 008C006C .text C:\Windows\System32\svchost.exe[952] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 008C00E4 .text C:\Windows\System32\svchost.exe[952] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 008C0030 .text C:\Windows\System32\svchost.exe[952] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 008C00A8 .text C:\Windows\system32\svchost.exe[980] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Windows\system32\svchost.exe[980] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Windows\system32\svchost.exe[980] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00A00120 .text C:\Windows\system32\svchost.exe[980] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 00A0006C .text C:\Windows\system32\svchost.exe[980] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 00A000E4 .text C:\Windows\system32\svchost.exe[980] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00A00030 .text C:\Windows\system32\svchost.exe[980] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 00A000A8 .text C:\Windows\system32\svchost.exe[1056] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Windows\system32\svchost.exe[1056] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Windows\system32\svchost.exe[1056] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00E40120 .text C:\Windows\system32\svchost.exe[1056] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 00E4006C .text C:\Windows\system32\svchost.exe[1056] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 00E400E4 .text C:\Windows\system32\svchost.exe[1056] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00E40030 .text C:\Windows\system32\svchost.exe[1056] 
USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 00E400A8 .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 000A006C .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 000A0030 .text C:\Windows\system32\svchost.exe[1144] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 008E0120 .text C:\Windows\system32\svchost.exe[1144] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 008E006C .text C:\Windows\system32\svchost.exe[1144] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 008E00E4 .text C:\Windows\system32\svchost.exe[1144] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 008E0030 .text C:\Windows\system32\svchost.exe[1144] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 008E00A8 .text C:\Windows\system32\atieclxx.exe[1232] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0016006C .text C:\Windows\system32\atieclxx.exe[1232] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00160030 .text C:\Windows\system32\atieclxx.exe[1232] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 001F0120 .text C:\Windows\system32\atieclxx.exe[1232] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 001F006C .text C:\Windows\system32\atieclxx.exe[1232] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 001F00E4 .text C:\Windows\system32\atieclxx.exe[1232] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 001F0030 .text C:\Windows\system32\atieclxx.exe[1232] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 001F00A8 .text C:\Windows\system32\svchost.exe[1292] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Windows\system32\svchost.exe[1292] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Windows\system32\svchost.exe[1292] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00A00120 .text C:\Windows\system32\svchost.exe[1292] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 00A0006C .text C:\Windows\system32\svchost.exe[1292] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 00A000E4 .text 
C:\Windows\system32\svchost.exe[1292] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00A00030 .text C:\Windows\system32\svchost.exe[1292] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 00A000A8 .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1404] kernel32.dll!SetUnhandledExceptionFilter 764B3162 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Windows\system32\taskhost.exe[1532] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0009006C .text C:\Windows\system32\taskhost.exe[1532] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00090030 .text C:\Windows\system32\taskhost.exe[1532] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00120120 .text C:\Windows\system32\taskhost.exe[1532] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0012006C .text C:\Windows\system32\taskhost.exe[1532] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 001200E4 .text C:\Windows\system32\taskhost.exe[1532] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00120030 .text C:\Windows\system32\taskhost.exe[1532] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 001200A8 .text C:\Windows\system32\Dwm.exe[1560] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Windows\system32\Dwm.exe[1560] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Windows\system32\Dwm.exe[1560] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00130120 .text C:\Windows\system32\Dwm.exe[1560] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0013006C .text C:\Windows\system32\Dwm.exe[1560] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 001300E4 .text C:\Windows\system32\Dwm.exe[1560] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00130030 .text C:\Windows\system32\Dwm.exe[1560] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 001300A8 .text C:\Windows\Explorer.EXE[1584] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 000A006C .text C:\Windows\Explorer.EXE[1584] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 000A0030 .text C:\Windows\Explorer.EXE[1584] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes 
JMP 00250120 .text C:\Windows\Explorer.EXE[1584] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0025006C .text C:\Windows\Explorer.EXE[1584] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 002500E4 .text C:\Windows\Explorer.EXE[1584] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00250030 .text C:\Windows\Explorer.EXE[1584] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 002500A8 .text C:\Windows\System32\svchost.exe[1748] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Windows\System32\svchost.exe[1748] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Program Files\Gadu-Gadu 10\gg.exe[1828] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Program Files\Gadu-Gadu 10\gg.exe[1828] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Program Files\Gadu-Gadu 10\gg.exe[1828] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 02170120 .text C:\Program Files\Gadu-Gadu 10\gg.exe[1828] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0217006C .text C:\Program Files\Gadu-Gadu 10\gg.exe[1828] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 021700E4 .text C:\Program Files\Gadu-Gadu 10\gg.exe[1828] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 02170030 .text C:\Program Files\Gadu-Gadu 10\gg.exe[1828] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 021700A8 .text C:\Program Files\uTorrent\uTorrent.exe[1872] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0034006C .text C:\Program Files\uTorrent\uTorrent.exe[1872] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00340030 .text C:\Program Files\uTorrent\uTorrent.exe[1872] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 003E0120 .text C:\Program Files\uTorrent\uTorrent.exe[1872] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 003E006C .text C:\Program Files\uTorrent\uTorrent.exe[1872] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 003E00E4 .text C:\Program Files\uTorrent\uTorrent.exe[1872] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 003E0030 .text C:\Program 
Files\uTorrent\uTorrent.exe[1872] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 003E00A8 .text C:\Windows\System32\spoolsv.exe[2028] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Windows\System32\spoolsv.exe[2028] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Windows\System32\spoolsv.exe[2028] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00100120 .text C:\Windows\System32\spoolsv.exe[2028] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0010006C .text C:\Windows\System32\spoolsv.exe[2028] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 001000E4 .text C:\Windows\System32\spoolsv.exe[2028] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00100030 .text C:\Windows\System32\spoolsv.exe[2028] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 001000A8 .text C:\Windows\system32\SearchProtocolHost.exe[2100] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0005006C .text C:\Windows\system32\SearchProtocolHost.exe[2100] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00050030 .text C:\Windows\system32\SearchProtocolHost.exe[2100] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 000F0120 .text C:\Windows\system32\SearchProtocolHost.exe[2100] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 000F006C .text C:\Windows\system32\SearchProtocolHost.exe[2100] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 000F00E4 .text C:\Windows\system32\SearchProtocolHost.exe[2100] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 000F0030 .text C:\Windows\system32\SearchProtocolHost.exe[2100] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 000F00A8 .text C:\Windows\system32\wbem\wmiprvse.exe[2192] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Windows\system32\wbem\wmiprvse.exe[2192] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Windows\system32\wbem\wmiprvse.exe[2192] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00100120 .text C:\Windows\system32\wbem\wmiprvse.exe[2192] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0010006C 
.text C:\Windows\system32\wbem\wmiprvse.exe[2192] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 001000E4 .text C:\Windows\system32\wbem\wmiprvse.exe[2192] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00100030 .text C:\Windows\system32\wbem\wmiprvse.exe[2192] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 001000A8 .text C:\Users\Szef\Downloads\yokgcomr.exe[2264] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0016006C .text C:\Users\Szef\Downloads\yokgcomr.exe[2264] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00160030 .text C:\Users\Szef\Downloads\yokgcomr.exe[2264] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00210120 .text C:\Users\Szef\Downloads\yokgcomr.exe[2264] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0021006C .text C:\Users\Szef\Downloads\yokgcomr.exe[2264] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 002100E4 .text C:\Users\Szef\Downloads\yokgcomr.exe[2264] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00210030 .text C:\Users\Szef\Downloads\yokgcomr.exe[2264] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 002100A8 .text C:\Windows\system32\WUDFHost.exe[2328] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Windows\system32\WUDFHost.exe[2328] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Windows\system32\WUDFHost.exe[2328] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00100120 .text C:\Windows\system32\WUDFHost.exe[2328] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0010006C .text C:\Windows\system32\WUDFHost.exe[2328] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 001000E4 .text C:\Windows\system32\WUDFHost.exe[2328] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00100030 .text C:\Windows\system32\WUDFHost.exe[2328] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 001000A8 .text C:\Windows\servicing\TrustedInstaller.exe[2348] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0005006C .text C:\Windows\servicing\TrustedInstaller.exe[2348] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00050030 .text 
C:\Windows\servicing\TrustedInstaller.exe[2348] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00080120 .text C:\Windows\servicing\TrustedInstaller.exe[2348] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0008006C .text C:\Windows\servicing\TrustedInstaller.exe[2348] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 000800E4 .text C:\Windows\servicing\TrustedInstaller.exe[2348] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00080030 .text C:\Windows\servicing\TrustedInstaller.exe[2348] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 000800A8 .text C:\Windows\system32\wuauclt.exe[2464] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0007006C .text C:\Windows\system32\wuauclt.exe[2464] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00070030 .text C:\Windows\system32\wuauclt.exe[2464] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00100120 .text C:\Windows\system32\wuauclt.exe[2464] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0010006C .text C:\Windows\system32\wuauclt.exe[2464] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 001000E4 .text C:\Windows\system32\wuauclt.exe[2464] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00100030 .text C:\Windows\system32\wuauclt.exe[2464] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 001000A8 .text C:\Windows\system32\SearchIndexer.exe[2552] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Windows\system32\SearchIndexer.exe[2552] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Windows\system32\SearchIndexer.exe[2552] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00100120 .text C:\Windows\system32\SearchIndexer.exe[2552] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0010006C .text C:\Windows\system32\SearchIndexer.exe[2552] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 001000E4 .text C:\Windows\system32\SearchIndexer.exe[2552] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00100030 .text C:\Windows\system32\SearchIndexer.exe[2552] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 
001000A8 .text C:\Windows\system32\taskhost.exe[2652] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0005006C .text C:\Windows\system32\taskhost.exe[2652] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00050030 .text C:\Windows\system32\taskhost.exe[2652] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 000E0120 .text C:\Windows\system32\taskhost.exe[2652] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 000E006C .text C:\Windows\system32\taskhost.exe[2652] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 000E00E4 .text C:\Windows\system32\taskhost.exe[2652] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 000E0030 .text C:\Windows\system32\taskhost.exe[2652] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 000E00A8 .text C:\Windows\system32\SearchProtocolHost.exe[2708] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0005006C .text C:\Windows\system32\SearchProtocolHost.exe[2708] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00050030 .text C:\Windows\system32\SearchProtocolHost.exe[2708] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00160120 .text C:\Windows\system32\SearchProtocolHost.exe[2708] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0016006C .text C:\Windows\system32\SearchProtocolHost.exe[2708] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 001600E4 .text C:\Windows\system32\SearchProtocolHost.exe[2708] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00160030 .text C:\Windows\system32\SearchProtocolHost.exe[2708] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 001600A8 .text C:\Windows\system32\sppsvc.exe[3016] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0007006C .text C:\Windows\system32\sppsvc.exe[3016] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00070030 .text C:\Windows\system32\sppsvc.exe[3016] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00110120 .text C:\Windows\system32\sppsvc.exe[3016] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0011006C .text C:\Windows\system32\sppsvc.exe[3016] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 001100E4 
.text C:\Windows\system32\sppsvc.exe[3016] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00110030 .text C:\Windows\system32\sppsvc.exe[3016] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 001100A8 .text C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe[3044] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe[3044] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe[3044] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00200120 .text C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe[3044] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0020006C .text C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe[3044] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 002000E4 .text C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe[3044] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00200030 .text C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe[3044] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 002000A8 .text C:\Windows\System32\svchost.exe[3052] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Windows\System32\svchost.exe[3052] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Windows\System32\svchost.exe[3052] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00190120 .text C:\Windows\System32\svchost.exe[3052] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0019006C .text C:\Windows\System32\svchost.exe[3052] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 001900E4 .text C:\Windows\System32\svchost.exe[3052] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00190030 .text C:\Windows\System32\svchost.exe[3052] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 001900A8 .text C:\Windows\system32\vssvc.exe[3240] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Windows\system32\vssvc.exe[3240] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text 
C:\Windows\system32\vssvc.exe[3240] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00140120 .text C:\Windows\system32\vssvc.exe[3240] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0014006C .text C:\Windows\system32\vssvc.exe[3240] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 001400E4 .text C:\Windows\system32\vssvc.exe[3240] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00140030 .text C:\Windows\system32\vssvc.exe[3240] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 001400A8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3468] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3468] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3468] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00240120 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3468] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0024006C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3468] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 002400E4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3468] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00240030 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3468] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 002400A8 .text C:\Windows\System32\svchost.exe[3620] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 000A006C .text C:\Windows\System32\svchost.exe[3620] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 000A0030 .text C:\Windows\System32\svchost.exe[3620] user32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 003B0120 .text C:\Windows\System32\svchost.exe[3620] user32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 003B006C .text C:\Windows\System32\svchost.exe[3620] user32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 003B00E4 .text C:\Windows\System32\svchost.exe[3620] user32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 003B0030 .text C:\Windows\System32\svchost.exe[3620] 
user32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 003B00A8
.text C:\Windows\system32\SearchFilterHost.exe[3720] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C
.text C:\Windows\system32\SearchFilterHost.exe[3720] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030
.text C:\Windows\system32\SearchFilterHost.exe[3720] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00100120
.text C:\Windows\system32\SearchFilterHost.exe[3720] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0010006C
.text C:\Windows\system32\SearchFilterHost.exe[3720] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 001000E4
.text C:\Windows\system32\SearchFilterHost.exe[3720] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00100030
.text C:\Windows\system32\SearchFilterHost.exe[3720] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 001000A8

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74542494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74525624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [745256E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7454250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74538573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74534D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [745350CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [745351A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [745366D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [745382CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74538819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7453907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7453E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74534C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000047 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Services - GMER 1.0.15 ----

Service C:\Windows\servicing\TrustedInstaller.exe (*** hidden *** ) [AUTO] TrustedInstaller <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF2 0x31 0xCE 0xCB ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF2 0x31 0xCE 0xCB ... ---- EOF - GMER 1.0.15 ----
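Added triage script for the user-mode `.text` hook entries and the hidden-service entry in the log above. It is example code written for this page, not part of GMER or of the log, and it assumes GMER's one-entry-per-line layouts exactly as reproduced in its constructed sample. Its "uniform stub layout" rule is the script's own heuristic, not a GMER feature: every hooked process in the log jumps to the same offsets (0x30, 0x6C, 0xA8, 0xE4, 0x120) inside small low-address regions, which is what one product injecting the same stub into every process looks like, so a process whose offset for an API differs, or which is the only process hooking an API, is the one to look at first. The script only ranks what to examine; confirming which module owns a JMP target still needs the live system (a debugger or Process Explorer attached to the hooked process). The `notepad.exe` entry is a constructed anomaly that does not appear in the log.

```python
"""Triage a GMER 1.0.15 log's user-mode ".text" hooks and hidden-service lines.
Added example for this page, not part of GMER; assumes the line layouts below."""
import re
from collections import Counter, defaultdict, namedtuple

Hook = namedtuple("Hook", "process pid api addr size target")
# ".text <process>[<pid>] <module!api> <hooked addr> <n> Bytes JMP <target>"
HOOK_RE = re.compile(r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<api>\S+!\S+)\s+"
                     r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})")
# "Service <path> (*** hidden *** ) [<start>] <name> ..."
HIDDEN_SVC_RE = re.compile(r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")

# Constructed sample: the hook and service entries from the log above, one per line.
SAMPLE_LOG = r"""
.text C:\Windows\system32\vssvc.exe[3240] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00140120
.text C:\Windows\system32\vssvc.exe[3240] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0014006C
.text C:\Windows\system32\vssvc.exe[3240] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 001400E4
.text C:\Windows\system32\vssvc.exe[3240] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00140030
.text C:\Windows\system32\vssvc.exe[3240] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 001400A8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3468] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3468] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3468] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00240120
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3468] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0024006C
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3468] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 002400E4
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3468] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00240030
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3468] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 002400A8
.text C:\Windows\System32\svchost.exe[3620] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 000A006C
.text C:\Windows\System32\svchost.exe[3620] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 000A0030
.text C:\Windows\System32\svchost.exe[3620] user32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 003B0120
.text C:\Windows\System32\svchost.exe[3620] user32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 003B006C
.text C:\Windows\System32\svchost.exe[3620] user32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 003B00E4
.text C:\Windows\System32\svchost.exe[3620] user32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 003B0030
.text C:\Windows\System32\svchost.exe[3620] user32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 003B00A8
.text C:\Windows\system32\SearchFilterHost.exe[3720] ntdll.dll!LdrUnloadDll 777CBF1F 5 Bytes JMP 0006006C
.text C:\Windows\system32\SearchFilterHost.exe[3720] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 00060030
.text C:\Windows\system32\SearchFilterHost.exe[3720] USER32.dll!UnhookWindowsHookEx 75FCCC7B 5 Bytes JMP 00100120
.text C:\Windows\system32\SearchFilterHost.exe[3720] USER32.dll!UnhookWinEvent 75FCD924 5 Bytes JMP 0010006C
.text C:\Windows\system32\SearchFilterHost.exe[3720] USER32.dll!SetWindowsHookExW 75FD210A 5 Bytes JMP 001000E4
.text C:\Windows\system32\SearchFilterHost.exe[3720] USER32.dll!SetWinEventHook 75FD507E 5 Bytes JMP 00100030
.text C:\Windows\system32\SearchFilterHost.exe[3720] USER32.dll!SetWindowsHookExA 75FF6DFA 5 Bytes JMP 001000A8
Service C:\Windows\servicing\TrustedInstaller.exe (*** hidden *** ) [AUTO] TrustedInstaller <-- ROOTKIT !!!
"""
# Constructed anomaly (NOT in the log): a LdrLoadDll hook that jumps to a different stub offset.
CONSTRUCTED_OUTLIER = r""".text C:\Windows\system32\notepad.exe[9999] ntdll.dll!LdrLoadDll 777CF625 5 Bytes JMP 7C801234
"""


def parse_hooks(log_text):
    """Parse ".text" entries; module!api is lower-cased because GMER prints USER32/user32 both."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(m["process"], int(m["pid"]), m["api"].lower(),
                              int(m["addr"], 16), int(m["size"]), int(m["target"], 16)))
    return hooks


def parse_hidden_services(log_text):
    """Return (path, start type, name) for every service GMER marks as hidden."""
    return [(m["path"], m["start"], m["name"])
            for m in map(HIDDEN_SVC_RE.match, (l.strip() for l in log_text.splitlines())) if m]


def target_regions(hooks):
    """Per process: the 64 KiB regions (target >> 16) the JMP stubs live in.  Regions this
    far below any image base look like VirtualAlloc'd stub pages, not a mapped PE (assumption)."""
    regions = defaultdict(set)
    for h in hooks:
        regions[(h.process, h.pid)].add(h.target >> 16)
    return regions


def find_outliers(hooks):
    """Heuristic (this script's own): one product injecting the same stub system-wide leaves the
    same api -> stub-offset pairs in every process.  Flag a process whose offset for an API
    differs from the majority, or which is the only process hooking that API."""
    layout = defaultdict(dict)            # (process, pid) -> {api: offset inside its region}
    for h in hooks:
        layout[(h.process, h.pid)][h.api] = h.target & 0xFFFF
    votes = defaultdict(Counter)          # api -> Counter(offset -> number of processes)
    for offsets in layout.values():
        for api, off in offsets.items():
            votes[api][off] += 1
    majority = {api: c.most_common(1)[0][0] for api, c in votes.items()}
    outliers = {}
    for proc, offsets in layout.items():
        reasons = []
        for api, off in offsets.items():
            if off != majority[api]:
                reasons.append(f"{api}: stub offset {off:#06x}, majority {majority[api]:#06x}")
            elif sum(votes[api].values()) == 1 and len(layout) > 1:
                reasons.append(f"{api}: hooked only in this process")
        if reasons:
            outliers[proc] = reasons
    return outliers


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG + CONSTRUCTED_OUTLIER)
    for proc, regs in sorted(target_regions(hooks).items()):
        print(f"{proc[0]}[{proc[1]}]: stub regions {[f'{r:#06x}' for r in sorted(regs)]}")
    for proc, reasons in find_outliers(hooks).items():
        print("OUTLIER", proc, reasons)
    for path, start, name in parse_hidden_services(SAMPLE_LOG):
        print("hidden service", name, path, start)
```

On the log's own entries the script reports no outlier: all four processes share one stub layout, with the ntdll and USER32 stubs in separate low regions per process. Only the constructed `notepad.exe` line is flagged, for jumping to offset 0x1234 where every other LdrLoadDll hook jumps to 0x0030.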