GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-10-02 14:01:32 Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Scsi\SI31121Port2Path0Target0Lun0 TOSHIBA_ rev.AH00 Running: yqp7419c.exe; Driver: C:\Users\ADMIN\AppData\Local\Temp\uwddakob.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8A646DF8] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8CFB0A5A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8A64785E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8A64C2E4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8A64C330] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8A64C422] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8A64C252] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8A64C374] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8A64C29A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8A64C3DC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8A646E44] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8CFB0B34] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8A646AD6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8A646E90] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8A649D1C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8A647B02] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8A64C30E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8A64C352] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8A64C446] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8A64C278] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8A64C3AE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8A64C2C2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8A64C400] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8CFB0CA0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8A6479CE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8A646EDC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8A646F28] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8A646B46] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8A646CEA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8A646C92] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8A646D5A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x8CFB0D60] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8A646F74] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x8CFB0BE0] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8CFC6D92] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82A553C9 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A8ED52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82A95D80 4 Bytes [F8, 6D, 64, 8A] .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82A95DA8 4 Bytes [5A, 0A, FB, 8C] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82A95E08 4 Bytes [5E, 78, 64, 8A] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82A95E5C 8 Bytes [E4, C2, 64, 8A, 30, C3, 64, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82A95E68 4 Bytes [22, C4, 64, 8A] .text ... PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82C22C64 5 Bytes JMP 8CFC3C8C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObInsertObject + 27 82C3B290 5 Bytes JMP 8CFC5764 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82C503D7 4 Bytes CALL 8A6481B5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82C6A1E0 4 Bytes CALL 8A6481CB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 82CF411A 7 Bytes JMP 8CFC6D96 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE spsys.sys!?SPRevision@@3PADA + 4F90 A9043000 249 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...] PAGE spsys.sys!?SPRevision@@3PADA + 508A A90430FA 40 Bytes [A9, 53, 8B, D0, 8B, D9, F0, ...] PAGE spsys.sys!?SPRevision@@3PADA + 50B3 A9043123 7 Bytes [E5, 03, A9, FE, 05, 34, E5] {IN EAX, 0x3; TEST EAX, 0xe53405fe} PAGE spsys.sys!?SPRevision@@3PADA + 50BB A904312B 621 Bytes [A9, EB, 18, 83, C9, FF, F0, ...] PAGE spsys.sys!?SPRevision@@3PADA + 5329 A9043399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...] PAGE ... .text user32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes [E9, 0A, 5C, 63, 8A] {JMP 0xffffffff8a635c0f} .text user32.dll!UnhookWinEvent 75B6B750 5 Bytes [E9, A7, 4C, 63, 8A] {JMP 0xffffffff8a634cac} .text user32.dll!SetWindowsHookExW 75B6E30C 5 Bytes [E9, F3, 24, 63, 8A] {JMP 0xffffffff8a6324f8} .text user32.dll!SetWinEventHook 75B724DC 5 Bytes [E9, 17, DD, 62, 8A] {JMP 0xffffffff8a62dd1c} .text user32.dll!SetWindowsHookExA 75B96D0C 5 Bytes [E9, EF, 98, 60, 8A] {JMP 0xffffffff8a6098f4} .text kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] ---- User code sections - GMER 1.0.15 ---- .text C:\Windows\System32\svchost.exe[368] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\csrss.exe[384] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[400] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 001603FC .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[400] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 001601F8 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[400] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[400] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 00310A08 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[400] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 003103FC .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[400] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 00310804 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[400] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 003101F8 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[400] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 00310600 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[444] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 001603FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[444] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 001601F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[444] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[444] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 001F0A08 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[444] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 001F03FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[444] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 001F0804 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[444] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 001F01F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[444] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 001F0600 .text C:\Windows\system32\csrss.exe[448] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\wininit.exe[456] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000303FC .text C:\Windows\system32\wininit.exe[456] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000301F8 .text C:\Windows\system32\wininit.exe[456] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\wininit.exe[456] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 00050A08 .text C:\Windows\system32\wininit.exe[456] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 000503FC .text C:\Windows\system32\wininit.exe[456] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 00050804 .text C:\Windows\system32\wininit.exe[456] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 000501F8 .text C:\Windows\system32\wininit.exe[456] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 00050600 .text C:\Windows\system32\winlogon.exe[492] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000303FC .text C:\Windows\system32\winlogon.exe[492] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000301F8 .text C:\Windows\system32\winlogon.exe[492] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\winlogon.exe[492] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 000C0A08 .text C:\Windows\system32\winlogon.exe[492] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 000C03FC .text C:\Windows\system32\winlogon.exe[492] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 000C0804 .text C:\Windows\system32\winlogon.exe[492] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 000C01F8 .text C:\Windows\system32\winlogon.exe[492] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 000C0600 .text C:\Windows\system32\services.exe[552] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\services.exe[552] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\services.exe[552] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\lsass.exe[560] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\lsass.exe[560] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\lsass.exe[560] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\lsass.exe[560] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 001E0A08 .text C:\Windows\system32\lsass.exe[560] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 001E03FC .text C:\Windows\system32\lsass.exe[560] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 001E0804 .text C:\Windows\system32\lsass.exe[560] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 001E01F8 .text C:\Windows\system32\lsass.exe[560] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 001E0600 .text C:\Windows\system32\lsm.exe[572] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\lsm.exe[572] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\lsm.exe[572] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[660] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[660] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[660] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\WindowsMobile\wmdc.exe[676] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\WindowsMobile\wmdc.exe[676] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\WindowsMobile\wmdc.exe[676] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\WindowsMobile\wmdc.exe[676] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 00090A08 .text C:\Windows\WindowsMobile\wmdc.exe[676] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 000903FC .text C:\Windows\WindowsMobile\wmdc.exe[676] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 00090804 .text C:\Windows\WindowsMobile\wmdc.exe[676] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 000901F8 .text C:\Windows\WindowsMobile\wmdc.exe[676] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 00090600 .text C:\Windows\system32\svchost.exe[752] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[752] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[752] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\Ati2evxx.exe[812] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 001503FC .text C:\Windows\system32\Ati2evxx.exe[812] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 001501F8 .text C:\Windows\system32\Ati2evxx.exe[812] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\Ati2evxx.exe[812] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 001E0A08 .text C:\Windows\system32\Ati2evxx.exe[812] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 001E03FC .text C:\Windows\system32\Ati2evxx.exe[812] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 001E0804 .text C:\Windows\system32\Ati2evxx.exe[812] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 001E01F8 .text C:\Windows\system32\Ati2evxx.exe[812] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 001E0600 .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[828] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[828] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[828] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[828] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 000F0A08 .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[828] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 000F03FC .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[828] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 000F0804 .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[828] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 000F01F8 .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[828] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 000F0600 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[832] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 001703FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[832] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 001701F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[832] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[832] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 00210A08 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[832] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 002103FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[832] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 00210804 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[832] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 002101F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[832] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 00210600 .text C:\Windows\System32\svchost.exe[872] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\System32\svchost.exe[872] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\System32\svchost.exe[872] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\System32\svchost.exe[872] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 00140A08 .text C:\Windows\System32\svchost.exe[872] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 001403FC .text C:\Windows\System32\svchost.exe[872] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 00140804 .text C:\Windows\System32\svchost.exe[872] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 001401F8 .text C:\Windows\System32\svchost.exe[872] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 00140600 .text C:\Windows\System32\svchost.exe[908] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000A03FC .text C:\Windows\System32\svchost.exe[908] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000A01F8 .text C:\Windows\System32\svchost.exe[908] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\System32\svchost.exe[908] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 00550A08 .text C:\Windows\System32\svchost.exe[908] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 005503FC .text C:\Windows\System32\svchost.exe[908] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 00550804 .text C:\Windows\System32\svchost.exe[908] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 005501F8 .text C:\Windows\System32\svchost.exe[908] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 00550600 .text C:\Windows\system32\svchost.exe[936] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[936] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[936] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[936] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 00570A08 .text C:\Windows\system32\svchost.exe[936] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 005703FC .text C:\Windows\system32\svchost.exe[936] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 00570804 .text C:\Windows\system32\svchost.exe[936] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 005701F8 .text C:\Windows\system32\svchost.exe[936] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 00570600 .text C:\Windows\system32\AUDIODG.EXE[1012] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1084] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[1084] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[1084] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1084] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 00370A08 .text C:\Windows\system32\svchost.exe[1084] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 003703FC .text C:\Windows\system32\svchost.exe[1084] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 00370804 .text C:\Windows\system32\svchost.exe[1084] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 003701F8 .text C:\Windows\system32\svchost.exe[1084] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 00370600 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1168] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1192] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[1192] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[1192] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Program Files\ACD Systems\ACDSee\14.0\ACDSeeInTouch2.exe[1272] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 001603FC .text C:\Program Files\ACD Systems\ACDSee\14.0\ACDSeeInTouch2.exe[1272] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 001601F8 .text C:\Program Files\ACD Systems\ACDSee\14.0\ACDSeeInTouch2.exe[1272] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Program Files\ACD Systems\ACDSee\14.0\ACDSeeInTouch2.exe[1272] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 001F0A08 .text C:\Program Files\ACD Systems\ACDSee\14.0\ACDSeeInTouch2.exe[1272] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 001F03FC .text C:\Program Files\ACD Systems\ACDSee\14.0\ACDSeeInTouch2.exe[1272] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 001F0804 .text C:\Program Files\ACD Systems\ACDSee\14.0\ACDSeeInTouch2.exe[1272] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 001F01F8 .text C:\Program Files\ACD Systems\ACDSee\14.0\ACDSeeInTouch2.exe[1272] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 001F0600 .text C:\Windows\system32\Ati2evxx.exe[1276] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 001503FC .text C:\Windows\system32\Ati2evxx.exe[1276] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 001501F8 .text C:\Windows\system32\Ati2evxx.exe[1276] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\Ati2evxx.exe[1276] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 001E0A08 .text C:\Windows\system32\Ati2evxx.exe[1276] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 001E03FC .text C:\Windows\system32\Ati2evxx.exe[1276] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 001E0804 .text C:\Windows\system32\Ati2evxx.exe[1276] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 001E01F8 .text C:\Windows\system32\Ati2evxx.exe[1276] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 001E0600 .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[1300] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000503FC .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[1300] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000501F8 .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[1300] kernel32.dll!SetUnhandledExceptionFilter 75ACF4FB 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[1300] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[1300] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 001F0A08 .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[1300] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 001F03FC .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[1300] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 001F0804 .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[1300] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 001F01F8 .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[1300] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 001F0600 .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1400] kernel32.dll!SetUnhandledExceptionFilter 75ACF4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1400] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\Dwm.exe[1492] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\Dwm.exe[1492] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\Dwm.exe[1492] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\Dwm.exe[1492] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 000F0A08 .text C:\Windows\system32\Dwm.exe[1492] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 000F03FC .text C:\Windows\system32\Dwm.exe[1492] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 000F0804 .text C:\Windows\system32\Dwm.exe[1492] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 000F01F8 .text C:\Windows\system32\Dwm.exe[1492] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 000F0600 .text C:\Windows\Explorer.EXE[1516] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\Explorer.EXE[1516] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\Explorer.EXE[1516] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\Explorer.EXE[1516] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 00110A08 .text C:\Windows\Explorer.EXE[1516] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 001103FC .text C:\Windows\Explorer.EXE[1516] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 00110804 .text C:\Windows\Explorer.EXE[1516] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 001101F8 .text C:\Windows\Explorer.EXE[1516] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 00110600 .text C:\Program Files\Windows Sidebar\sidebar.exe[1548] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Program Files\Windows Sidebar\sidebar.exe[1548] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[1548] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[1548] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 00110A08 .text C:\Program Files\Windows Sidebar\sidebar.exe[1548] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 001103FC .text C:\Program Files\Windows Sidebar\sidebar.exe[1548] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 00110804 .text C:\Program Files\Windows Sidebar\sidebar.exe[1548] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 001101F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[1548] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 00110600 .text C:\Windows\System32\spoolsv.exe[1688] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\System32\spoolsv.exe[1688] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\System32\spoolsv.exe[1688] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[1688] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 00090A08 .text C:\Windows\System32\spoolsv.exe[1688] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 000903FC .text C:\Windows\System32\spoolsv.exe[1688] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 00090804 .text C:\Windows\System32\spoolsv.exe[1688] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 000901F8 .text C:\Windows\System32\spoolsv.exe[1688] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 00090600 .text C:\Windows\system32\svchost.exe[1720] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[1720] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[1720] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1720] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 002E0A08 .text C:\Windows\system32\svchost.exe[1720] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 002E03FC .text C:\Windows\system32\svchost.exe[1720] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 002E0804 .text C:\Windows\system32\svchost.exe[1720] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 002E01F8 .text C:\Windows\system32\svchost.exe[1720] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 002E0600 .text C:\Windows\System32\svchost.exe[1772] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\System32\svchost.exe[1772] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\System32\svchost.exe[1772] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\System32\svchost.exe[1772] user32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 00360A08 .text C:\Windows\System32\svchost.exe[1772] user32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 003603FC .text C:\Windows\System32\svchost.exe[1772] user32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 00360804 .text C:\Windows\System32\svchost.exe[1772] user32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 003601F8 .text C:\Windows\System32\svchost.exe[1772] user32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 00360600 .text C:\Windows\system32\taskhost.exe[1784] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000503FC .text C:\Windows\system32\taskhost.exe[1784] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000501F8 .text C:\Windows\system32\taskhost.exe[1784] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\taskhost.exe[1784] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 001E0A08 .text C:\Windows\system32\taskhost.exe[1784] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 001E03FC .text C:\Windows\system32\taskhost.exe[1784] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 001E0804 .text C:\Windows\system32\taskhost.exe[1784] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 001E01F8 .text C:\Windows\system32\taskhost.exe[1784] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 001E0600 .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1880] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 001503FC .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1880] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 001501F8 .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1880] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1880] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 001E0A08 .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1880] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 001E03FC .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1880] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 001E0804 .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1880] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 001E01F8 .text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1880] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 001E0600 .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000703FC .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000701F8 .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 00100A08 .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 001003FC .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 00100804 .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 001001F8 .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 00100600 .text C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe[1936] KERNEL32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Program Files\DreamMail4\DM2005.exe[2092] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 001603FC .text C:\Program Files\DreamMail4\DM2005.exe[2092] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 001601F8 .text C:\Program Files\DreamMail4\DM2005.exe[2092] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Program Files\DreamMail4\DM2005.exe[2092] user32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 001F0A08 .text C:\Program Files\DreamMail4\DM2005.exe[2092] user32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 001F03FC .text C:\Program Files\DreamMail4\DM2005.exe[2092] user32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 001F0804 .text C:\Program Files\DreamMail4\DM2005.exe[2092] user32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 001F01F8 .text C:\Program Files\DreamMail4\DM2005.exe[2092] user32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 001F0600 .text C:\Windows\system32\svchost.exe[2152] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[2152] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[2152] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[2296] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[2296] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text D:\Pobieranie\yqp7419c.exe[2428] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 001603FC .text D:\Pobieranie\yqp7419c.exe[2428] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 001601F8 .text D:\Pobieranie\yqp7419c.exe[2428] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text D:\Pobieranie\yqp7419c.exe[2428] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 001A0A08 .text D:\Pobieranie\yqp7419c.exe[2428] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 001A03FC .text D:\Pobieranie\yqp7419c.exe[2428] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 001A0804 .text D:\Pobieranie\yqp7419c.exe[2428] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 001A01F8 .text D:\Pobieranie\yqp7419c.exe[2428] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 001A0600 .text C:\Windows\system32\DRIVERS\xaudio.exe[2496] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 001503FC .text C:\Windows\system32\DRIVERS\xaudio.exe[2496] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 001501F8 .text C:\Windows\system32\DRIVERS\xaudio.exe[2496] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\DRIVERS\xaudio.exe[2496] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 00180A08 .text C:\Windows\system32\DRIVERS\xaudio.exe[2496] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 001803FC .text C:\Windows\system32\DRIVERS\xaudio.exe[2496] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 00180804 .text C:\Windows\system32\DRIVERS\xaudio.exe[2496] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 001801F8 .text C:\Windows\system32\DRIVERS\xaudio.exe[2496] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 00180600 .text C:\Windows\system32\sppsvc.exe[2956] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000703FC .text C:\Windows\system32\sppsvc.exe[2956] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000701F8 .text C:\Windows\system32\sppsvc.exe[2956] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\sppsvc.exe[2956] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 00250A08 .text C:\Windows\system32\sppsvc.exe[2956] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 002503FC .text C:\Windows\system32\sppsvc.exe[2956] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 00250804 .text C:\Windows\system32\sppsvc.exe[2956] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 002501F8 .text C:\Windows\system32\sppsvc.exe[2956] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 00250600 .text C:\Program Files\Mozilla Firefox\firefox.exe[3160] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Program Files\Mozilla Firefox\firefox.exe[3160] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 61140C00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3160] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 75AC93D6 7 Bytes JMP 61377B29 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3160] kernel32.dll!QueryPerformanceCounter + 13 75ACC435 7 Bytes JMP 61377B4C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3160] kernel32.dll!LoadAppInitDlls + 355 75ACF4F6 7 Bytes JMP 61143FAC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3160] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[3160] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 000F0A08 .text C:\Program Files\Mozilla Firefox\firefox.exe[3160] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 000F03FC .text C:\Program Files\Mozilla Firefox\firefox.exe[3160] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 000F0804 .text C:\Program Files\Mozilla Firefox\firefox.exe[3160] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 000F01F8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3160] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 000F0600 .text C:\Program Files\Mozilla Firefox\firefox.exe[3160] GDI32.dll!GetViewportOrgEx + 26C 7612884B 7 Bytes JMP 61377AAA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Windows\system32\SearchIndexer.exe[3864] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\SearchIndexer.exe[3864] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\SearchIndexer.exe[3864] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[3864] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 00090A08 .text C:\Windows\system32\SearchIndexer.exe[3864] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 000903FC .text C:\Windows\system32\SearchIndexer.exe[3864] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 00090804 .text C:\Windows\system32\SearchIndexer.exe[3864] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 000901F8 .text C:\Windows\system32\SearchIndexer.exe[3864] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 00090600 .text C:\Windows\system32\wuauclt.exe[3920] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000B03FC .text C:\Windows\system32\wuauclt.exe[3920] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000B01F8 .text C:\Windows\system32\wuauclt.exe[3920] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\wuauclt.exe[3920] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 00140A08 .text C:\Windows\system32\wuauclt.exe[3920] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 001403FC .text C:\Windows\system32\wuauclt.exe[3920] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 00140804 .text C:\Windows\system32\wuauclt.exe[3920] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 001401F8 .text C:\Windows\system32\wuauclt.exe[3920] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 00140600 .text C:\Windows\system32\wbem\wmiprvse.exe[3952] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000A03FC .text C:\Windows\system32\wbem\wmiprvse.exe[3952] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000A01F8 .text C:\Windows\system32\wbem\wmiprvse.exe[3952] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3952] USER32.dll!UnhookWindowsHookEx 75B6ADF9 5 Bytes JMP 00140A08 .text C:\Windows\system32\wbem\wmiprvse.exe[3952] USER32.dll!UnhookWinEvent 75B6B750 5 Bytes JMP 001403FC .text C:\Windows\system32\wbem\wmiprvse.exe[3952] USER32.dll!SetWindowsHookExW 75B6E30C 5 Bytes JMP 00140804 .text C:\Windows\system32\wbem\wmiprvse.exe[3952] USER32.dll!SetWinEventHook 75B724DC 5 Bytes JMP 001401F8 .text C:\Windows\system32\wbem\wmiprvse.exe[3952] USER32.dll!SetWindowsHookExA 75B96D0C 5 Bytes JMP 00140600 .text C:\Windows\system32\svchost.exe[4076] ntdll.dll!LdrUnloadDll 7752C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[4076] ntdll.dll!LdrLoadDll 7753223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[4076] kernel32.dll!GetBinaryTypeW + 70 75AE69F4 1 Byte [62] ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[1168] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [7177F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1400] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [7177F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Windows\Explorer.EXE[1516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [741124CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [740F562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [740F56EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74112546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [741085AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74104D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74105105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [741051DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74106707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74108301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74108850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [741090B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7410E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1516] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74104C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001dd9f420b0 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001dd9f420b0@001a7d00bca6 0x9D 0xA0 0xDD 0x05 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001dd9f420b0@0024ef3fd452 0x56 0x5C 0x35 0xB8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001dd9f420b0@44f459aa3382 0x66 0xEF 0x65 0x30 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001dd9f420b0@ac932f7de895 0x78 0x31 0xEF 0x4C ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001dd9f420b0@a8f2742fb992 0xF4 0x38 0x84 0x96 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001dd9f420b0@0cdfa44d0e44 0x19 0x51 0x40 0x69 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001dd9f420b0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001dd9f420b0@001a7d00bca6 0x9D 0xA0 0xDD 0x05 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001dd9f420b0@0024ef3fd452 0x56 0x5C 0x35 0xB8 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001dd9f420b0@44f459aa3382 0x66 0xEF 0x65 0x30 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001dd9f420b0@ac932f7de895 0x78 0x31 0xEF 0x4C ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001dd9f420b0@a8f2742fb992 0xF4 0x38 0x84 0x96 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001dd9f420b0@0cdfa44d0e44 0x19 0x51 0x40 0x69 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\Client Side Rendering Print Provider\Servers\ŁUKASZ-KOMPUTER\Printers\{1812F321-A379-4CEF-B964-9CACC9A7EE27}\HPWarningMsg\CheckStatus@A\1u\0k\0a\0s\0z 0 ---- EOF - GMER 1.0.15 ----