GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-19 14:21:08
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\00000091 SAMSUNG_ rev.1AG0
Running: pqp7tl1z.exe; Driver: C:\Users\Przemek\AppData\Local\Temp\pxldrpod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8F651202]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x900F9D8C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8F6537F0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8F653848]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8F65395E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8F653746]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8F653898]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8F65379A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8F65390C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8F651226]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x900F9E3C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8F650FF0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8F65124A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8F653D56]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8F651CDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8F653820]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8F653870]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8F653988]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8F653772]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8F6538D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8F6537C8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8F653936]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x900F9ED4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8F651BA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8F65126E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8F651292]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8F65104A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8F651186]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8F651162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8F6511AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8F6512B6]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x9010F398]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 82E87349 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EC0D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82EC7D80 4 Bytes [02, 12, 65, 8F]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82EC7DA8 4 Bytes [8C, 9D, 0F, 90]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82EC7E5C 8 Bytes [F0, 37, 65, 8F, 48, 38, 65, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82EC7E68 4 Bytes [5E, 39, 65, 8F] {POP ESI; CMP [EBP-0x71], ESP}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82EC7E84 4 Bytes [46, 37, 65, 8F]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 83054BE8 5 Bytes JMP 9010AD4C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 8306D1B8 5 Bytes JMP 9010C80A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 830822FF 4 Bytes CALL 8F65234B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 8309C0D1 4 Bytes CALL 8F652361 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 83125F10 7 Bytes JMP 9010F39C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text win32k.sys!EngFntCacheLookUp + 8B2E 996A0205 5 Bytes JMP 8F654316 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateRectRgn + 3819 996B42CA 5 Bytes JMP 8F654440 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCTGetGammaTable + 310 996D0550 5 Bytes JMP 8F654BD8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCTGetGammaTable + 4C63 996D4EA3 5 Bytes JMP 8F653F34 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCTGetGammaTable + 60B0 996D62F0 5 Bytes JMP 8F654E0C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMapFontFileFD + 650 996F51C5 5 Bytes JMP 8F653D8C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMapFontFileFD + 38FE 996F8473 5 Bytes JMP 8F653E58 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMapFontFileFD + 39BC 996F8531 5 Bytes JMP 8F653E70 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngIsSemaphoreOwnedByCurrentThread + 1EF5 996FCBB7 5 Bytes JMP 8F654326 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + 2AB5 99706588 5 Bytes JMP 8F654180 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + AC45 9970E718 5 Bytes JMP 8F653FA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + 14EF5 997189C8 5 Bytes JMP 8F654B64 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngAlphaBlend + 4F28 9972FFDE 5 Bytes JMP 8F654BAE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngBitBlt + 42AA 9973D991 5 Bytes JMP 8F655014 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnlockSurface + CC1C 99754BDB 5 Bytes JMP 8F654BF0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteClip + 480C 99765A80 5 Bytes JMP 8F653EF0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngEqualRgn + 3F3D 997736B3 5 Bytes JMP 8F6540E8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngEqualRgn + B185 9977A8FB 5 Bytes JMP 8F654ECA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteRgn + 2181 99791638 5 Bytes JMP 8F6540AE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 84E0 997B22D9 5 Bytes JMP 8F654F72 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 2EC6 997CA29F 5 Bytes JMP 8F654D54 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 3457 997CA830 5 Bytes JMP 8F654008 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 968D 997D0A66 5 Bytes JMP 8F65403E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xA002B300, 0x3B6D8, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xA006E300, 0x1BEE, 0xE8000020]
.text ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes [E9, 19, 3B, C2, 88] {JMP 0xffffffff88c23b1e}
.text ntdll.dll!LdrLoadDll 775422B8 5 Bytes [E9, 3B, DF, C1, 88] {JMP 0xffffffff88c1df40}

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\PnkBstrA.exe[284] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 001503FC
.text C:\Windows\system32\PnkBstrA.exe[284] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 001501F8
.text C:\Windows\system32\PnkBstrA.exe[284] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\PnkBstrA.exe[284] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 001E0A08
.text C:\Windows\system32\PnkBstrA.exe[284] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 001E03FC
.text C:\Windows\system32\PnkBstrA.exe[284] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 001E0804
.text C:\Windows\system32\PnkBstrA.exe[284] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 001E01F8
.text C:\Windows\system32\PnkBstrA.exe[284] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 001E0600
.text C:\Windows\Explorer.EXE[312] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000603FC
.text C:\Windows\Explorer.EXE[312] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000601F8
.text C:\Windows\Explorer.EXE[312] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\Explorer.EXE[312] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 000A0A08
.text C:\Windows\Explorer.EXE[312] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 000A03FC
.text C:\Windows\Explorer.EXE[312] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 000A0804
.text C:\Windows\Explorer.EXE[312] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 000A01F8
.text C:\Windows\Explorer.EXE[312] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 000A0600
.text C:\Windows\system32\csrss.exe[384] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[444] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[444] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[444] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[444] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 00150A08
.text C:\Windows\system32\wininit.exe[444] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 001503FC
.text C:\Windows\system32\wininit.exe[444] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 00150804
.text C:\Windows\system32\wininit.exe[444] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 001501F8
.text C:\Windows\system32\wininit.exe[444] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 00150600
.text C:\Windows\system32\csrss.exe[452] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\services.exe[504] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\services.exe[504] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\services.exe[504] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[528] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[528] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[528] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[528] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 000C0A08
.text C:\Windows\system32\winlogon.exe[528] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 000C03FC
.text C:\Windows\system32\winlogon.exe[528] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 000C0804
.text C:\Windows\system32\winlogon.exe[528] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 000C01F8
.text C:\Windows\system32\winlogon.exe[528] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 000C0600
.text C:\Windows\system32\lsass.exe[556] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\lsass.exe[556] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\lsass.exe[556] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\lsm.exe[564] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsm.exe[564] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsm.exe[564] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[680] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[680] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[680] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[780] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[780] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[780] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[836] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000A03FC
.text C:\Windows\System32\svchost.exe[836] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000A01F8
.text C:\Windows\System32\svchost.exe[836] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[836] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 00210A08
.text C:\Windows\System32\svchost.exe[836] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 002103FC
.text C:\Windows\System32\svchost.exe[836] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 00210804
.text C:\Windows\System32\svchost.exe[836] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 002101F8
.text C:\Windows\System32\svchost.exe[836] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 00210600
.text C:\Windows\System32\svchost.exe[904] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[904] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[904] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[904] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 006F0A08
.text C:\Windows\System32\svchost.exe[904] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 006F03FC
.text C:\Windows\System32\svchost.exe[904] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 006F0804
.text C:\Windows\System32\svchost.exe[904] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 006F01F8
.text C:\Windows\System32\svchost.exe[904] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 006F0600
.text C:\Windows\system32\svchost.exe[932] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[932] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[932] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 00710A08
.text C:\Windows\system32\svchost.exe[932] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 007103FC
.text C:\Windows\system32\svchost.exe[932] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 00710804
.text C:\Windows\system32\svchost.exe[932] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 007101F8
.text C:\Windows\system32\svchost.exe[932] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 00710600
.text C:\Windows\system32\AUDIODG.EXE[1008] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1064] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1064] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1064] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 005A0A08
.text C:\Windows\system32\svchost.exe[1064] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 005A03FC
.text C:\Windows\system32\svchost.exe[1064] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 005A0804
.text C:\Windows\system32\svchost.exe[1064] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 005A01F8
.text C:\Windows\system32\svchost.exe[1064] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 005A0600
.text C:\Windows\system32\svchost.exe[1164] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1164] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1164] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\System32\rundll32.exe[1188] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000703FC
.text C:\Windows\System32\rundll32.exe[1188] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000701F8
.text C:\Windows\System32\rundll32.exe[1188] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\System32\rundll32.exe[1188] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 00100A08
.text C:\Windows\System32\rundll32.exe[1188] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 001003FC
.text C:\Windows\System32\rundll32.exe[1188] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 00100804
.text C:\Windows\System32\rundll32.exe[1188] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 001001F8
.text C:\Windows\System32\rundll32.exe[1188] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 00100600
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1232] kernel32.dll!SetUnhandledExceptionFilter 75BEF4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1232] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\lxeacoms.exe[1312] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 001603FC
.text C:\Windows\system32\lxeacoms.exe[1312] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 001601F8
.text C:\Windows\system32\lxeacoms.exe[1312] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\lxeacoms.exe[1312] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 002F0A08
.text C:\Windows\system32\lxeacoms.exe[1312] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 002F03FC
.text C:\Windows\system32\lxeacoms.exe[1312] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 002F0804
.text C:\Windows\system32\lxeacoms.exe[1312] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 002F01F8
.text C:\Windows\system32\lxeacoms.exe[1312] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 002F0600
.text C:\Windows\System32\spoolsv.exe[1668] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\spoolsv.exe[1668] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\spoolsv.exe[1668] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1668] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 00100A08
.text C:\Windows\System32\spoolsv.exe[1668] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 001003FC
.text C:\Windows\System32\spoolsv.exe[1668] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 00100804
.text C:\Windows\System32\spoolsv.exe[1668] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 001001F8
.text C:\Windows\System32\spoolsv.exe[1668] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\svchost.exe[1696] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1696] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1696] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1696] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 003E0A08
.text C:\Windows\system32\svchost.exe[1696] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 003E03FC
.text C:\Windows\system32\svchost.exe[1696] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 003E0804
.text C:\Windows\system32\svchost.exe[1696] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 003E01F8
.text C:\Windows\system32\svchost.exe[1696] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 003E0600
.text C:\Program Files\Trust\GXT14 Mouse\GameMouseServiceApp.exe[1804] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 001703FC
.text C:\Program Files\Trust\GXT14 Mouse\GameMouseServiceApp.exe[1804] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 001701F8
.text C:\Program Files\Trust\GXT14 Mouse\GameMouseServiceApp.exe[1804] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Program Files\Trust\GXT14 Mouse\GameMouseServiceApp.exe[1804] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 00210A08
.text C:\Program Files\Trust\GXT14 Mouse\GameMouseServiceApp.exe[1804] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 002103FC
.text C:\Program Files\Trust\GXT14 Mouse\GameMouseServiceApp.exe[1804] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 00210804
.text C:\Program Files\Trust\GXT14 Mouse\GameMouseServiceApp.exe[1804] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 002101F8
.text C:\Program Files\Trust\GXT14 Mouse\GameMouseServiceApp.exe[1804] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 00210600
.text C:\Program Files\Trust\GXT14 Mouse\POINTERGHOST.exe[1836] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 001503FC
.text C:\Program Files\Trust\GXT14 Mouse\POINTERGHOST.exe[1836] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 001501F8
.text C:\Program Files\Trust\GXT14 Mouse\POINTERGHOST.exe[1836] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Program Files\Trust\GXT14 Mouse\POINTERGHOST.exe[1836] user32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 00170A08
.text C:\Program Files\Trust\GXT14 Mouse\POINTERGHOST.exe[1836] user32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 001703FC
.text C:\Program Files\Trust\GXT14 Mouse\POINTERGHOST.exe[1836] user32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 00170804
.text C:\Program Files\Trust\GXT14 Mouse\POINTERGHOST.exe[1836] user32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 001701F8
.text C:\Program Files\Trust\GXT14 Mouse\POINTERGHOST.exe[1836] user32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 00170600
.text C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe[1840] KERNEL32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[1968] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskhost.exe[1968] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskhost.exe[1968] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[1968] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 000E0A08
.text C:\Windows\system32\taskhost.exe[1968] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 000E03FC
.text C:\Windows\system32\taskhost.exe[1968] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 000E0804
.text C:\Windows\system32\taskhost.exe[1968] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 000E01F8
.text C:\Windows\system32\taskhost.exe[1968] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 000E0600
.text C:\Windows\system32\Dwm.exe[2036] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\Dwm.exe[2036] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\Dwm.exe[2036] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[2036] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 00130A08
.text C:\Windows\system32\Dwm.exe[2036] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 001303FC
.text C:\Windows\system32\Dwm.exe[2036] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 00130804
.text C:\Windows\system32\Dwm.exe[2036] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 001301F8
.text C:\Windows\system32\Dwm.exe[2036] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 00130600
.text C:\Windows\system32\svchost.exe[2056] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[2056] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[2056] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\sppsvc.exe[2064] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000703FC
.text C:\Windows\system32\sppsvc.exe[2064] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000701F8
.text C:\Windows\system32\sppsvc.exe[2064] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\sppsvc.exe[2064] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 000A0A08
.text C:\Windows\system32\sppsvc.exe[2064] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 000A03FC
.text C:\Windows\system32\sppsvc.exe[2064] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 000A0804
.text C:\Windows\system32\sppsvc.exe[2064] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 000A01F8
.text C:\Windows\system32\sppsvc.exe[2064] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 000A0600
.text C:\Windows\system32\wbem\wmiprvse.exe[2196] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\wbem\wmiprvse.exe[2196] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\wbem\wmiprvse.exe[2196] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\wbem\wmiprvse.exe[2196] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 00140A08
.text C:\Windows\system32\wbem\wmiprvse.exe[2196] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 001403FC
.text C:\Windows\system32\wbem\wmiprvse.exe[2196] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 00140804
.text C:\Windows\system32\wbem\wmiprvse.exe[2196] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 001401F8
.text C:\Windows\system32\wbem\wmiprvse.exe[2196] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 00140600
.text C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe[2212] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 001603FC
.text C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe[2212] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 001601F8
.text C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe[2212] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe[2212] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe[2212] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 001F03FC
.text C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe[2212] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 001F0804
.text C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe[2212] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 001F01F8
.text C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe[2212] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 001F0600
.text C:\Program Files\Lexmark S300-S400 Series\ezprint.exe[2220] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 001603FC
.text C:\Program Files\Lexmark S300-S400 Series\ezprint.exe[2220] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 001601F8
.text C:\Program Files\Lexmark S300-S400 Series\ezprint.exe[2220] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Program Files\Lexmark S300-S400 Series\ezprint.exe[2220] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 00470A08
.text C:\Program Files\Lexmark S300-S400 Series\ezprint.exe[2220] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 004703FC
.text C:\Program Files\Lexmark S300-S400 Series\ezprint.exe[2220] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 00470804
.text C:\Program Files\Lexmark S300-S400 Series\ezprint.exe[2220] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 004701F8
.text C:\Program Files\Lexmark S300-S400 Series\ezprint.exe[2220] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 00470600
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2248] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Program Files\Vtune\TBPANEL.exe[2412] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 001603FC
.text C:\Program Files\Vtune\TBPANEL.exe[2412] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 001601F8
.text C:\Program Files\Vtune\TBPANEL.exe[2412] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Program Files\Vtune\TBPANEL.exe[2412] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 00190A08
.text C:\Program Files\Vtune\TBPANEL.exe[2412] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 001903FC
.text C:\Program Files\Vtune\TBPANEL.exe[2412] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 00190804
.text C:\Program Files\Vtune\TBPANEL.exe[2412] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 001901F8
.text C:\Program Files\Vtune\TBPANEL.exe[2412] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 00190600
.text C:\Program Files\RocketDock\RocketDock.exe[2424] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 001603FC
.text C:\Program Files\RocketDock\RocketDock.exe[2424] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 001601F8
.text C:\Program Files\RocketDock\RocketDock.exe[2424] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Program Files\RocketDock\RocketDock.exe[2424] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\RocketDock\RocketDock.exe[2424] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 001F03FC
.text C:\Program Files\RocketDock\RocketDock.exe[2424] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 001F0804
.text C:\Program Files\RocketDock\RocketDock.exe[2424] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 001F01F8
.text C:\Program Files\RocketDock\RocketDock.exe[2424] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 001F0600
.text C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2644] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 001703FC
.text C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2644] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 001701F8
.text C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2644] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2644] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 00200A08
.text C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2644] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 002003FC
.text C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2644] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 00200804
.text C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2644] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 002001F8
.text C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2644] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 00200600
.text C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[2652] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 001703FC
.text C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[2652] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 001701F8
.text C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[2652] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[2652] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 00340A08
.text C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[2652] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 003403FC
.text C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[2652] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 00340804
.text C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[2652] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 003401F8
.text C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[2652] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 00340600
.text C:\Program Files\ScreenShooter\screenshooter.exe[2664] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 002503FC
.text C:\Program Files\ScreenShooter\screenshooter.exe[2664] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 002501F8
.text C:\Program Files\ScreenShooter\screenshooter.exe[2664] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Program Files\ScreenShooter\screenshooter.exe[2664] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 00270A08
.text C:\Program Files\ScreenShooter\screenshooter.exe[2664] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 002703FC
.text C:\Program Files\ScreenShooter\screenshooter.exe[2664] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 00270804
.text C:\Program Files\ScreenShooter\screenshooter.exe[2664] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 002701F8
.text C:\Program Files\ScreenShooter\screenshooter.exe[2664] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 00270600
.text C:\Program Files\Windows Sidebar\sidebar.exe[2832] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[2832] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000601F8
.text C:\Program Files\Windows Sidebar\sidebar.exe[2832] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2832] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 000A0A08
.text C:\Program Files\Windows Sidebar\sidebar.exe[2832] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 000A03FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[2832] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 000A0804
.text C:\Program Files\Windows Sidebar\sidebar.exe[2832] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 000A01F8
.text C:\Program Files\Windows Sidebar\sidebar.exe[2832] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 000A0600
.text C:\Program Files\Launchy\Launchy.exe[2864] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 001703FC
.text C:\Program Files\Launchy\Launchy.exe[2864] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 001701F8
.text C:\Program Files\Launchy\Launchy.exe[2864] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Program Files\Launchy\Launchy.exe[2864] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 00230A08
.text C:\Program Files\Launchy\Launchy.exe[2864] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 002303FC
.text C:\Program Files\Launchy\Launchy.exe[2864] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 00230804
.text C:\Program Files\Launchy\Launchy.exe[2864] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 002301F8
.text C:\Program Files\Launchy\Launchy.exe[2864] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 00230600
.text C:\Windows\system32\svchost.exe[3068] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[3068] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[3068] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[3092] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[3092] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[3092] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3376] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3376] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 000601F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3376] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3376] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3376] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 001003FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3376] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 00100804
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3376] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 001001F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3376] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes JMP 00100600
.text C:\Program
Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3416] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 001703FC .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3416] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 001701F8 .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3416] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62] .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3416] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 00300A08 .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3416] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 003003FC .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3416] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 00300804 .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3416] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 003001F8 .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3416] USER32.dll!SetWindowsHookExA 75A46D0C 3 Bytes JMP 00300600 .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3416] USER32.dll!SetWindowsHookExA + 4 75A46D10 1 Byte [8A] .text C:\Users\Przemek\Desktop\pqp7tl1z.exe[3752] ntdll.dll!LdrUnloadDll 7753C8DE 5 Bytes JMP 001603FC .text C:\Users\Przemek\Desktop\pqp7tl1z.exe[3752] ntdll.dll!LdrLoadDll 775422B8 5 Bytes JMP 001601F8 .text C:\Users\Przemek\Desktop\pqp7tl1z.exe[3752] kernel32.dll!GetBinaryTypeW + 70 75C069F4 1 Byte [62] .text C:\Users\Przemek\Desktop\pqp7tl1z.exe[3752] USER32.dll!UnhookWindowsHookEx 75A1ADF9 5 Bytes JMP 00210A08 .text C:\Users\Przemek\Desktop\pqp7tl1z.exe[3752] USER32.dll!UnhookWinEvent 75A1B750 5 Bytes JMP 002103FC .text C:\Users\Przemek\Desktop\pqp7tl1z.exe[3752] USER32.dll!SetWindowsHookExW 75A1E30C 5 Bytes JMP 00210804 .text C:\Users\Przemek\Desktop\pqp7tl1z.exe[3752] USER32.dll!SetWinEventHook 75A224DC 5 Bytes JMP 002101F8 .text C:\Users\Przemek\Desktop\pqp7tl1z.exe[3752] USER32.dll!SetWindowsHookExA 75A46D0C 5 Bytes 
JMP 00210600 ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\Explorer.EXE[312] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [741F2437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[312] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [741D5600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[312] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [741D56BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[312] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [741F24B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[312] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [741E8514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[312] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [741E4CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[312] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [741E506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[312] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [741E5144] 
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[312] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [741E6671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[312] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [741E826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[312] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [741E87BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[312] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [741E901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[312] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [741EE1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[312] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [741E4BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[1188] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7558FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[1188] @ C:\Windows\system32\GDI32.dll 
[KERNEL32.dll!GetProcAddress] [7558FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[1188] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7558FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[1188] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7558FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[1188] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [7558FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2644] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7558FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2644] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7558FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2644] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7558FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Trust\GXT14 Mouse\StartAutorun.exe[2644] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7558FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[2652] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7558FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Trust\GXT14 
Mouse\RapooV1Process.exe[2652] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7558FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[2652] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7558FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Trust\GXT14 Mouse\RapooV1Process.exe[2652] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7558FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Launchy\Launchy.exe[2864] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7558FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Launchy\Launchy.exe[2864] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7558FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Launchy\Launchy.exe[2864] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7558FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Launchy\Launchy.exe[2864] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7558FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! 
TDI Filter Driver/AVAST Software) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\ACPI_HAL \Device\0000007c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xED 0x42 0xB0 0xD2 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x10 0xAC 0x26 0xE2 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x8A 0x08 0x70 0xC3 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA1 0x72 0xA4 0x2B ... Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@FrequencyCorrectRate 4 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@PollAdjustFactor 5 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@LargePhaseOffset 50000000 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@SpikeWatchPeriod 900 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@LocalClockDispersion 10 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@HoldPeriod 5 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@PhaseCorrectRate 1 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@UpdateInterval 360000 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@EventLogFlags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@AnnounceFlags 10 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@TimeJumpAuditOffset 28800 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MinPollInterval 10 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MaxPollInterval 15 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MaxNegPhaseCorrection 54000 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MaxPosPhaseCorrection 54000 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MaxAllowedPhaseOffset 1 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@DllName %systemroot%\system32\w32time.dll Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@Enabled 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@InputProvider 1 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@AllowNonstandardModeCombinations 1 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@CrossSiteSyncFlags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@ResolvePeerBackoffMinutes 15 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@ResolvePeerBackoffMaxTimes 7 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@CompatibilityFlags -2147483648 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@EventLogFlags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@LargeSampleSkew 3 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@SpecialPollInterval 604800 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@SpecialPollTimeRemaining time-b.nist.gov,7b936da??????????? 
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@DllName %systemroot%\system32\w32time.dll Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@Enabled 0 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@InputProvider 0 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@AllowNonstandardModeCombinations 1 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@EventLogFlags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainEntryTimeout 16 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainMaxEntries 128 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainMaxHostEntries 4 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainDisable 0 Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainLoggingRate 30 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xED 0x42 0xB0 0xD2 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x10 0xAC 0x26 0xE2 ... 
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x8A 0x08 0x70 0xC3 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA1 0x72 0xA4 0x2B ... Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@FrequencyCorrectRate 4 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@PollAdjustFactor 5 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@LargePhaseOffset 50000000 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@SpikeWatchPeriod 900 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@LocalClockDispersion 10 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@HoldPeriod 5 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@PhaseCorrectRate 1 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@UpdateInterval 360000 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@EventLogFlags 2 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@AnnounceFlags 10 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@TimeJumpAuditOffset 28800 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MinPollInterval 10 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MaxPollInterval 15 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MaxNegPhaseCorrection 54000 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MaxPosPhaseCorrection 54000 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MaxAllowedPhaseOffset 1 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient (not active ControlSet) Reg 
HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@DllName %systemroot%\system32\w32time.dll Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@Enabled 1 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@InputProvider 1 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@AllowNonstandardModeCombinations 1 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@CrossSiteSyncFlags 2 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@ResolvePeerBackoffMinutes 15 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@ResolvePeerBackoffMaxTimes 7 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@CompatibilityFlags -2147483648 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@EventLogFlags 1 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@LargeSampleSkew 3 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@SpecialPollInterval 604800 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@SpecialPollTimeRemaining time-b.nist.gov,7b936da??????????? 
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@DllName %systemroot%\system32\w32time.dll Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@Enabled 0 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@InputProvider 0 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@AllowNonstandardModeCombinations 1 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@EventLogFlags 0 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainEntryTimeout 16 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainMaxEntries 128 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainMaxHostEntries 4 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainDisable 0 Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainLoggingRate 30 ---- EOF - GMER 1.0.15 ----