GMER 2.0.18437 - http://www.gmer.net Rootkit scan 2013-01-06 20:36:48 Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-4 ST3500320AS rev.SD15 465,76GB Running: qks7cs01.exe; Driver: C:\Users\dom\AppData\Local\Temp\pxtiqpow.sys ---- System - GMER 2.0 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8E0394BA] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x91EC3C22] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8E039ED6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8E044FA8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8E044FF4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8E045176] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8E044F16] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x91EC3FA6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8E044F5E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x8E03A11C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x8E03A2F4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8E045130] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x8E03A93E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8E039508] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x91EC3CEA] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x91EC23EC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8E039556] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8E03E534] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8E03B3A6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8E044FD2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8E045016] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8E04519A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8E044F3C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8E0450BA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8E044F86] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8E045154] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x91EC3E4A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8E03B272] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThreadEx [0x8E03AF86] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8E0395A4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8E0395F2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x8E03A7BE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8E0391FA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8E0393AA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8E039350] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x8E03AAF8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x8E03AC54] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8E03941A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x91EC3EFE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x8E03A636] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0x91EC241C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8E039640] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x91EC3D96] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x91EDCE56] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 2.0 ---- .text ntkrnlpa.exe!ZwRollbackTransaction + 13E9 83499599 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 834BE092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!RtlSidHashLookup + 214 834C5864 4 Bytes [BA, 94, 03, 8E] .text ntkrnlpa.exe!RtlSidHashLookup + 23C 834C588C 4 Bytes [22, 3C, EC, 91] {AND BH, [ESP+EBP*8]; XCHG ECX, EAX} .text ntkrnlpa.exe!RtlSidHashLookup + 29C 834C58EC 4 Bytes [D6, 9E, 03, 8E] .text ntkrnlpa.exe!RtlSidHashLookup + 2F0 834C5940 8 Bytes [A8, 4F, 04, 8E, F4, 4F, 04, ...] {TEST AL, 0x4f; ADD AL, 0x8e; HLT ; DEC EDI; ADD AL, 0x8e} .text ntkrnlpa.exe!RtlSidHashLookup + 2FC 834C594C 4 Bytes [76, 51, 04, 8E] {JBE 0x53; ADD AL, 0x8e} .text ... PAGE ntkrnlpa.exe!ObMakeTemporaryObject 8365F3BE 5 Bytes JMP 91ED9CF6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObInsertObject + 27 836790CD 5 Bytes JMP 91EDB828 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 836C3762 4 Bytes CALL 8E03BA8D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 836CB873 4 Bytes CALL 8E03BAA3 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 837314DE 7 Bytes JMP 91EDCE5A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x94602000, 0x388539, 0xE8000020] .text USBPORT.SYS!DllUnload 94394CB8 1 Byte [00] .text win32k.sys!EngMultiByteToUnicodeN + 7220 9D339869 5 Bytes JMP 8E03EEB8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngIsSemaphoreOwned + 8A1B 9D3508B4 5 Bytes JMP 8E03EFFE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngIsSemaphoreOwned + 8B72 9D350A0B 5 Bytes JMP 8E03ECDE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngEraseSurface + 7E89 9D36DC81 5 Bytes JMP 8E03F0C0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngEraseSurface + C174 9D371F6C 5 Bytes JMP 8E03FCB6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XFORMOBJ_iGetXform + 1C30 9D38478D 5 Bytes JMP 8E03F182 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XFORMOBJ_iGetXform + 3330 9D385E8D 5 Bytes JMP 8E03E7C4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XFORMOBJ_iGetXform + 4035 9D386B92 5 Bytes JMP 8E03FA86 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCTGetGammaTable + 6CB 9D38B676 5 Bytes JMP 8E03F090 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCTGetGammaTable + 18AB 9D38C856 5 Bytes JMP 8E03EEE4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngAllocMem + 8FAF 9D397875 5 Bytes JMP 8E03F0A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_bEnum + 79B7 9D3A8DC0 5 Bytes JMP 8E03E834 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_bEnum + 869E 9D3A9AA7 5 Bytes JMP 8E03E670 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_bEnum + 928E 9D3AA697 5 Bytes JMP 8E03EC1E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateSemaphore + A659 9D3C551D 5 Bytes JMP 8E03F94C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateSemaphore + CA0E 9D3C78D2 5 Bytes JMP 8E03E56A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngBitBlt + 56E 9D3D0F4D 5 Bytes JMP 8E03F9F6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngBitBlt + 5230 9D3D5C0F 5 Bytes JMP 8E03FEBE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngLpkInstalled + 6119 9D3E8F4A 5 Bytes JMP 8E03E688 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngLpkInstalled + 11685 9D3F44B6 5 Bytes JMP 8E03FA3C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngLpkInstalled + 1AEC6 9D3FDCF7 5 Bytes JMP 8E0418D4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!STROBJ_bEnum + 99C0 9D41142C 5 Bytes JMP 8E03EB48 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngPlgBlt + 26C1 9D41950A 2 Bytes JMP 8E03FD74 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngPlgBlt + 26C4 9D41950D 2 Bytes [C2, F0] .text win32k.sys!PATHOBJ_bPolyBezierTo + F8 9D42CF90 5 Bytes JMP 8E03EA1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngAcquireSemaphoreSharedNoWait + 1F5A 9D43D2F5 5 Bytes JMP 8E03FE1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_vGetBounds + EB5 9D4671DF 5 Bytes JMP 8E03E8F0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCTGetCurrentGamma + 1C88 9D46B20A 5 Bytes JMP 8E03E944 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngSetPointerShape + B31 9D46DD6B 5 Bytes JMP 8E03F16A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngSetPointerShape + C86 9D46DEC0 5 Bytes JMP 8E03FBFE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!CLIPOBJ_cEnumStart + 6DCE 9D476C85 5 Bytes JMP 8E03E760 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!CLIPOBJ_cEnumStart + A4CD 9D47A384 5 Bytes JMP 8E03EAB2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE spsys.sys!?SPRevision@@3PADA + 4F90 A4B52000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...] PAGE spsys.sys!?SPRevision@@3PADA + 50B3 A4B52123 486 Bytes [D5, B4, A4, FE, 05, 34, D5, ...] PAGE spsys.sys!?SPRevision@@3PADA + 529A A4B5230A 142 Bytes [B4, A4, 3B, 08, 77, 04, 3B, ...] PAGE spsys.sys!?SPRevision@@3PADA + 5329 A4B52399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...] PAGE spsys.sys!?SPRevision@@3PADA + 538F A4B523FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...] PAGE ... .text user32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes [E9, 88, 3D, A7, 8A] {JMP 0x8aa73d8d} .text user32.dll!UnhookWinEvent 7571D924 5 Bytes [E9, D3, 2A, A7, 8A] {JMP 0x8aa72ad8} .text user32.dll!SetWindowsHookExW 7572210A 5 Bytes [E9, F5, E6, A6, 8A] {JMP 0x8aa6e6fa} .text user32.dll!SetWinEventHook 7572507E 5 Bytes [E9, 75, B1, A6, 8A] {JMP 0x8aa6b17a} .text user32.dll!SetWindowsHookExA 75746DFA 5 Bytes [E9, 01, 98, A4, 8A] {JMP 0x8aa49806} .text sechost.dll!SetServiceObjectSecurity 756F5181 5 Bytes [E9, 8E, BE, A8, 8A] {JMP 0x8aa8be93} .text sechost.dll!ChangeServiceConfigA 756F5254 5 Bytes [E9, AB, B5, A8, 8A] {JMP 0x8aa8b5b0} .text sechost.dll!ChangeServiceConfigW 756F53D5 5 Bytes [E9, 2E, B6, A8, 8A] {JMP 0x8aa8b633} .text sechost.dll!ChangeServiceConfig2A 756F54C2 5 Bytes [E9, 45, B7, A8, 8A] {JMP 0x8aa8b74a} .text sechost.dll!ChangeServiceConfig2W 756F55E2 5 Bytes [E9, 29, B8, A8, 8A] {JMP 0x8aa8b82e} .text sechost.dll!CreateServiceA 756F567C 5 Bytes [E9, 77, AB, A8, 8A] {JMP 0x8aa8ab7c} .text sechost.dll!CreateServiceW 756F589F 5 Bytes [E9, 58, AB, A8, 8A] {JMP 0x8aa8ab5d} .text sechost.dll!DeleteService 756F5A22 5 Bytes [E9, D9, AB, A8, 8A] {JMP 0x8aa8abde} .text kernel32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] ---- User code sections - GMER 2.0 ---- .text C:\Windows\system32\SearchProtocolHost.exe[372] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 000D03FC .text C:\Windows\system32\SearchProtocolHost.exe[372] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 000D01F8 .text C:\Windows\system32\SearchProtocolHost.exe[372] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Windows\system32\SearchProtocolHost.exe[372] USER32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 000F0A08 .text C:\Windows\system32\SearchProtocolHost.exe[372] USER32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 000F03FC .text C:\Windows\system32\SearchProtocolHost.exe[372] USER32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 000F0804 .text C:\Windows\system32\SearchProtocolHost.exe[372] USER32.dll!SetWinEventHook 7572507E 5 Bytes JMP 000F01F8 .text C:\Windows\system32\SearchProtocolHost.exe[372] USER32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 000F0600 .text C:\Windows\system32\csrss.exe[444] kernel32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Windows\system32\wininit.exe[524] kernel32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Windows\system32\csrss.exe[532] kernel32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Windows\system32\services.exe[580] kernel32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Windows\system32\lsass.exe[588] kernel32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text ... .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1136] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 001E03FC .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1136] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 001E01F8 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1136] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1136] USER32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 00210A08 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1136] USER32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 002103FC .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1136] USER32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 00210804 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1136] USER32.dll!SetWinEventHook 7572507E 5 Bytes JMP 002101F8 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1136] USER32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 00210600 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Windows\system32\atieclxx.exe[1224] kernel32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Windows\system32\svchost.exe[1292] kernel32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1360] kernel32.dll!SetUnhandledExceptionFilter 756630E2 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1360] kernel32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[1520] kernel32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Windows\system32\taskhost.exe[1672] kernel32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Windows\system32\Dwm.exe[1740] kernel32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text ... .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 000803FC .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 000801F8 .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] USER32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 00090A08 .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] USER32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 000903FC .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] USER32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 00090804 .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] USER32.dll!SetWinEventHook 7572507E 5 Bytes JMP 000901F8 .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] USER32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 00090600 .text C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe[2284] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 000E03FC .text C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe[2284] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 000E01F8 .text C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe[2284] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe[2284] user32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 00110A08 .text C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe[2284] user32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 001103FC .text C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe[2284] user32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 00110804 .text C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe[2284] user32.dll!SetWinEventHook 7572507E 5 Bytes JMP 001101F8 .text C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe[2284] user32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 00110600 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[2368] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 001E03FC .text C:\Program Files\EslWire\service\WireHelperSvc.exe[2368] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 001E01F8 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[2368] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Program Files\EslWire\service\WireHelperSvc.exe[2368] USER32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 00210A08 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[2368] USER32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 002103FC .text C:\Program Files\EslWire\service\WireHelperSvc.exe[2368] USER32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 00210804 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[2368] USER32.dll!SetWinEventHook 7572507E 5 Bytes JMP 002101F8 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[2368] USER32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 00210600 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2432] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 001F03FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2432] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 001F01F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2432] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2432] USER32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 00210A08 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2432] USER32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 002103FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2432] USER32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 00210804 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2432] USER32.dll!SetWinEventHook 7572507E 5 Bytes JMP 002101F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2432] USER32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 00210600 .text C:\Program Files\Logitech\SetPoint\SetPoint.exe[2476] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 001E03FC .text C:\Program Files\Logitech\SetPoint\SetPoint.exe[2476] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 001E01F8 .text C:\Program Files\Logitech\SetPoint\SetPoint.exe[2476] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Program Files\Logitech\SetPoint\SetPoint.exe[2476] USER32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 001F0A08 .text C:\Program Files\Logitech\SetPoint\SetPoint.exe[2476] USER32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 001F03FC .text C:\Program Files\Logitech\SetPoint\SetPoint.exe[2476] USER32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 001F0804 .text C:\Program Files\Logitech\SetPoint\SetPoint.exe[2476] USER32.dll!SetWinEventHook 7572507E 5 Bytes JMP 001F01F8 .text C:\Program Files\Logitech\SetPoint\SetPoint.exe[2476] USER32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 001F0600 .text C:\Windows\system32\svchost.exe[2540] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 000E03FC .text C:\Windows\system32\svchost.exe[2540] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 000E01F8 .text C:\Windows\system32\svchost.exe[2540] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Windows\system32\svchost.exe[2540] USER32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 00100A08 .text C:\Windows\system32\svchost.exe[2540] USER32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 001003FC .text C:\Windows\system32\svchost.exe[2540] USER32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 00100804 .text C:\Windows\system32\svchost.exe[2540] USER32.dll!SetWinEventHook 7572507E 5 Bytes JMP 001001F8 .text C:\Windows\system32\svchost.exe[2540] USER32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 00100600 .text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2648] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 001E03FC .text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2648] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 001E01F8 .text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2648] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2648] USER32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 001F0A08 .text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2648] USER32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 001F03FC .text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2648] USER32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 001F0804 .text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2648] USER32.dll!SetWinEventHook 7572507E 5 Bytes JMP 001F01F8 .text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2648] USER32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 001F0600 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2656] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 000E03FC .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2656] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 000E01F8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2656] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2656] USER32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 00110A08 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2656] USER32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 001103FC .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2656] USER32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 00110804 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2656] USER32.dll!SetWinEventHook 7572507E 5 Bytes JMP 001101F8 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2656] USER32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 00110600 .text C:\Windows\system32\SearchIndexer.exe[2876] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 000703FC .text C:\Windows\system32\SearchIndexer.exe[2876] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 000701F8 .text C:\Windows\system32\SearchIndexer.exe[2876] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[2876] USER32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 00090A08 .text C:\Windows\system32\SearchIndexer.exe[2876] USER32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 000903FC .text C:\Windows\system32\SearchIndexer.exe[2876] USER32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 00090804 .text C:\Windows\system32\SearchIndexer.exe[2876] USER32.dll!SetWinEventHook 7572507E 5 Bytes JMP 000901F8 .text C:\Windows\system32\SearchIndexer.exe[2876] USER32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 00090600 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3224] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 000E03FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3224] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 000E01F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3224] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3224] USER32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 00100A08 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3224] USER32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 001003FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3224] USER32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 00100804 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3224] USER32.dll!SetWinEventHook 7572507E 5 Bytes JMP 001001F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3224] USER32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 00100600 .text C:\Windows\system32\AUDIODG.EXE[3312] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 000E03FC .text C:\Windows\system32\AUDIODG.EXE[3312] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 000E01F8 .text C:\Windows\system32\AUDIODG.EXE[3312] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Windows\system32\AUDIODG.EXE[3312] USER32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 00100A08 .text C:\Windows\system32\AUDIODG.EXE[3312] USER32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 001003FC .text C:\Windows\system32\AUDIODG.EXE[3312] USER32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 00100804 .text C:\Windows\system32\AUDIODG.EXE[3312] USER32.dll!SetWinEventHook 7572507E 5 Bytes JMP 001001F8 .text C:\Windows\system32\AUDIODG.EXE[3312] USER32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 00100600 .text C:\Windows\System32\svchost.exe[3512] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 001203FC .text C:\Windows\System32\svchost.exe[3512] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 001201F8 .text C:\Windows\System32\svchost.exe[3512] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Windows\System32\svchost.exe[3512] USER32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 00140A08 .text C:\Windows\System32\svchost.exe[3512] USER32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 001403FC .text C:\Windows\System32\svchost.exe[3512] USER32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 00140804 .text C:\Windows\System32\svchost.exe[3512] USER32.dll!SetWinEventHook 7572507E 5 Bytes JMP 001401F8 .text C:\Windows\System32\svchost.exe[3512] USER32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 00140600 .text C:\Program Files\Mozilla Firefox\firefox.exe[3536] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 002203FC .text C:\Program Files\Mozilla Firefox\firefox.exe[3536] ntdll.dll!LdrLoadDll 76FAF425 4 Bytes JMP 63B94470 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3536] KERNEL32.dll!K32GetDeviceDriverBaseNameW + 16F 7565C057 7 Bytes JMP 63DE0459 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3536] KERNEL32.dll!CloseHandle + 38 7566058F 7 Bytes JMP 63DE047C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3536] KERNEL32.dll!GetExitCodeProcess + 2C 756630DD 1 Byte [E9] .text C:\Program Files\Mozilla Firefox\firefox.exe[3536] KERNEL32.dll!GetExitCodeProcess + 2C 756630DD 7 Bytes JMP 63B9F972 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3536] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[3536] USER32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 00230A08 .text C:\Program Files\Mozilla Firefox\firefox.exe[3536] USER32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 002303FC .text C:\Program Files\Mozilla Firefox\firefox.exe[3536] USER32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 00230804 .text C:\Program Files\Mozilla Firefox\firefox.exe[3536] USER32.dll!SetWinEventHook 7572507E 5 Bytes JMP 002301F8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3536] USER32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 00230600 .text C:\Program Files\Mozilla Firefox\firefox.exe[3536] GDI32.dll!GetViewportOrgEx + 21C 759685EB 7 Bytes JMP 63DE03DA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Windows\system32\svchost.exe[3568] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 000E03FC .text C:\Windows\system32\svchost.exe[3568] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 000E01F8 .text C:\Windows\system32\svchost.exe[3568] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Windows\system32\svchost.exe[3568] USER32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 00100A08 .text C:\Windows\system32\svchost.exe[3568] USER32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 001003FC .text C:\Windows\system32\svchost.exe[3568] USER32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 00100804 .text C:\Windows\system32\svchost.exe[3568] USER32.dll!SetWinEventHook 7572507E 5 Bytes JMP 001001F8 .text C:\Windows\system32\svchost.exe[3568] USER32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 00100600 .text C:\Windows\System32\svchost.exe[4028] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 000703FC .text C:\Windows\System32\svchost.exe[4028] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 000701F8 .text C:\Windows\System32\svchost.exe[4028] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Windows\System32\svchost.exe[4028] user32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 00090A08 .text C:\Windows\System32\svchost.exe[4028] user32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 000903FC .text C:\Windows\System32\svchost.exe[4028] user32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 00090804 .text C:\Windows\System32\svchost.exe[4028] user32.dll!SetWinEventHook 7572507E 5 Bytes JMP 000901F8 .text C:\Windows\System32\svchost.exe[4028] user32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 00090600 .text C:\Users\dom\Downloads\qks7cs01.exe[4252] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 001703FC .text C:\Users\dom\Downloads\qks7cs01.exe[4252] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 001701F8 .text C:\Users\dom\Downloads\qks7cs01.exe[4252] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Users\dom\Downloads\qks7cs01.exe[4252] USER32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 00190A08 .text C:\Users\dom\Downloads\qks7cs01.exe[4252] USER32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 001903FC .text C:\Users\dom\Downloads\qks7cs01.exe[4252] USER32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 00190804 .text C:\Users\dom\Downloads\qks7cs01.exe[4252] USER32.dll!SetWinEventHook 7572507E 5 Bytes JMP 001901F8 .text C:\Users\dom\Downloads\qks7cs01.exe[4252] USER32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 00190600 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[4940] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 000E03FC .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[4940] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 000E01F8 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[4940] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[4940] USER32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 00100A08 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[4940] USER32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 001003FC .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[4940] USER32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 00100804 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[4940] USER32.dll!SetWinEventHook 7572507E 5 Bytes JMP 001001F8 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[4940] USER32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 00100600 .text C:\Windows\system32\sppsvc.exe[5404] ntdll.dll!LdrUnloadDll 76FABD1F 5 Bytes JMP 000F03FC .text C:\Windows\system32\sppsvc.exe[5404] ntdll.dll!LdrLoadDll 76FAF425 5 Bytes JMP 000F01F8 .text C:\Windows\system32\sppsvc.exe[5404] KERNEL32.dll!GetBinaryTypeW + 70 756778FC 1 Byte [62] .text C:\Windows\system32\sppsvc.exe[5404] USER32.dll!UnhookWindowsHookEx 7571CC7B 5 Bytes JMP 00120A08 .text C:\Windows\system32\sppsvc.exe[5404] USER32.dll!UnhookWinEvent 7571D924 5 Bytes JMP 001203FC .text C:\Windows\system32\sppsvc.exe[5404] USER32.dll!SetWindowsHookExW 7572210A 5 Bytes JMP 00120804 .text C:\Windows\system32\sppsvc.exe[5404] USER32.dll!SetWinEventHook 7572507E 5 Bytes JMP 001201F8 .text C:\Windows\system32\sppsvc.exe[5404] USER32.dll!SetWindowsHookExA 75746DFA 5 Bytes JMP 00120600 ---- User IAT/EAT - GMER 2.0 ---- IAT C:\Program Files\Alwil Software\Avast5\AvastUI.exe[1020] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [733FF6D0] C:\Program Files\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1360] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [733FF6D0] C:\Program Files\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software) ---- EOF - GMER 2.0 ----