GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-05-05 15:15:39 Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.01.0 Running: qhiifbmt.exe; Driver: C:\Users\Lenovo\AppData\Local\Temp\kfrdapow.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8E540DF8] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x91534A5A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8E54185E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8E5462E4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8E546330] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8E546422] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8E546252] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8E546374] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8E54629A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8E5463DC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8E540E44] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x91534B34] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8E540AD6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8E540E90] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8E543D1C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8E541B02] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8E54630E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8E546352] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8E546446] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8E546278] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8E5463AE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8E5462C2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8E546400] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x91534CA0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8E5419CE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8E540EDC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8E540F28] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8E540B46] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8E540CEA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8E540C92] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8E540D5A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x91534D60] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8E540F74] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x91534BE0] INT 0x52 ? 95E00CD8 INT 0x61 ? 95E002D8 INT 0x71 ? 95E00058 INT 0xA2 ? 95E007D8 Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x9154AD92] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKey + 13C1 82E8E359 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EC7D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82ECEDA0 4 Bytes [F8, 0D, 54, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82ECEDC8 4 Bytes [5A, 4A, 53, 91] {POP EDX; DEC EDX; PUSH EBX; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82ECEE28 4 Bytes [5E, 18, 54, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82ECEE7C 4 Bytes [E4, 62, 54, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 11AC 82ECEE81 3 Bytes [63, 54, 8E] .text ... PAGE ntkrnlpa.exe!ObMakeTemporaryObject 8305BC64 5 Bytes JMP 91547C8C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObInsertObject + 27 83074290 5 Bytes JMP 91549764 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 830893D7 4 Bytes CALL 8E5421B5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 830A31E0 4 Bytes CALL 8E5421CB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 8312D0F6 7 Bytes JMP 9154AD96 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) .text C:\Windows\system32\drivers\hardlock.sys section is writeable [0x8E2D5400, 0x87EE2, 0xE8000020] .protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0x8E379620] C:\Windows\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0x8E379620] .protect˙˙˙˙hardlockunknown last code section [0x8E379400, 0x5126, 0xE0000020] C:\Windows\system32\drivers\hardlock.sys unknown last code section [0x8E379400, 0x5126, 0xE0000020] .text user32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes [E9, 88, 3D, 5A, 89] {JMP 0xffffffff895a3d8d} .text user32.dll!UnhookWinEvent 76D7D924 5 Bytes [E9, D3, 2A, 5A, 89] {JMP 0xffffffff895a2ad8} .text user32.dll!SetWindowsHookExW 76D8210A 5 Bytes [E9, F5, E6, 59, 89] {JMP 0xffffffff8959e6fa} .text user32.dll!SetWinEventHook 76D8507E 5 Bytes [E9, 75, B1, 59, 89] {JMP 0xffffffff8959b17a} .text user32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes [E9, 01, 98, 57, 89] {JMP 0xffffffff89579806} .text kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text ws2_32.dll!getsockname 756330AF 5 Bytes [E9, D9, CF, D4, 8A] {JMP 0xffffffff8ad4cfde} .text ws2_32.dll!connect 75636BDD 5 Bytes [E9, 4B, 94, D4, 8A] {JMP 0xffffffff8ad49450} .text ws2_32.dll!getpeername 75637147 5 Bytes [E9, 71, 8F, D4, 8A] {JMP 0xffffffff8ad48f76} .text ws2_32.dll!WSAConnect 7563CC3F 5 Bytes [E9, 19, 34, D4, 8A] {JMP 0xffffffff8ad4341e} ---- User code sections - GMER 1.0.15 ---- .text C:\Windows\system32\csrss.exe[476] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\Dwm.exe[532] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\Dwm.exe[532] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\Dwm.exe[532] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\Dwm.exe[532] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 000F0A08 .text C:\Windows\system32\Dwm.exe[532] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 000F03FC .text C:\Windows\system32\Dwm.exe[532] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 000F0804 .text C:\Windows\system32\Dwm.exe[532] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 000F01F8 .text C:\Windows\system32\Dwm.exe[532] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 000F0600 .text C:\Windows\system32\Dwm.exe[532] ws2_32.dll!getsockname 756330AF 5 Bytes JMP 0051008D .text C:\Windows\system32\Dwm.exe[532] ws2_32.dll!connect 75636BDD 5 Bytes JMP 0051002D .text C:\Windows\system32\Dwm.exe[532] ws2_32.dll!getpeername 75637147 5 Bytes JMP 005100BD .text C:\Windows\system32\Dwm.exe[532] ws2_32.dll!WSAConnect 7563CC3F 5 Bytes JMP 0051005D .text C:\Windows\system32\wininit.exe[536] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000303FC .text C:\Windows\system32\wininit.exe[536] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000301F8 .text C:\Windows\system32\wininit.exe[536] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\wininit.exe[536] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 000C0A08 .text C:\Windows\system32\wininit.exe[536] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 000C03FC .text C:\Windows\system32\wininit.exe[536] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 000C0804 .text C:\Windows\system32\wininit.exe[536] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 000C01F8 .text C:\Windows\system32\wininit.exe[536] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 000C0600 .text C:\Windows\system32\csrss.exe[548] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\services.exe[596] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\services.exe[596] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\services.exe[596] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\lsass.exe[620] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000A03FC .text C:\Windows\system32\lsass.exe[620] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000A01F8 .text C:\Windows\system32\lsass.exe[620] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\lsass.exe[620] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00050A08 .text C:\Windows\system32\lsass.exe[620] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 000503FC .text C:\Windows\system32\lsass.exe[620] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00050804 .text C:\Windows\system32\lsass.exe[620] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 000501F8 .text C:\Windows\system32\lsass.exe[620] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00050600 .text C:\Windows\system32\lsm.exe[632] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\lsm.exe[632] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\lsm.exe[632] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\winlogon.exe[648] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000303FC .text C:\Windows\system32\winlogon.exe[648] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000301F8 .text C:\Windows\system32\winlogon.exe[648] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\winlogon.exe[648] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00050A08 .text C:\Windows\system32\winlogon.exe[648] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 000503FC .text C:\Windows\system32\winlogon.exe[648] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00050804 .text C:\Windows\system32\winlogon.exe[648] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 000501F8 .text C:\Windows\system32\winlogon.exe[648] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00050600 .text C:\Windows\system32\svchost.exe[756] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[756] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[756] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[844] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[844] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[844] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\System32\svchost.exe[904] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\System32\svchost.exe[904] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\System32\svchost.exe[904] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\System32\svchost.exe[904] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 003F0A08 .text C:\Windows\System32\svchost.exe[904] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 003F03FC .text C:\Windows\System32\svchost.exe[904] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 003F0804 .text C:\Windows\System32\svchost.exe[904] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 003F01F8 .text C:\Windows\System32\svchost.exe[904] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 003F0600 .text C:\Windows\System32\svchost.exe[980] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\System32\svchost.exe[980] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\System32\svchost.exe[980] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\System32\svchost.exe[980] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 001C0A08 .text C:\Windows\System32\svchost.exe[980] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 001C03FC .text C:\Windows\System32\svchost.exe[980] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 001C0804 .text C:\Windows\System32\svchost.exe[980] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 001C01F8 .text C:\Windows\System32\svchost.exe[980] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 001C0600 .text C:\Windows\System32\svchost.exe[984] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\System32\svchost.exe[984] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\System32\svchost.exe[984] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\System32\svchost.exe[984] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00940A08 .text C:\Windows\System32\svchost.exe[984] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 009403FC .text C:\Windows\System32\svchost.exe[984] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00940804 .text C:\Windows\System32\svchost.exe[984] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 009401F8 .text C:\Windows\System32\svchost.exe[984] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00940600 .text C:\Windows\system32\svchost.exe[1036] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[1036] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[1036] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1036] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00F10A08 .text C:\Windows\system32\svchost.exe[1036] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 00F103FC .text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00F10804 .text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 00F101F8 .text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00F10600 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1084] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1084] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1084] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1084] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00140A08 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1084] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 001403FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1084] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00140804 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1084] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 001401F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1084] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00140600 .text C:\Windows\system32\svchost.exe[1156] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[1156] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[1156] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1156] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 004C0A08 .text C:\Windows\system32\svchost.exe[1156] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 004C03FC .text C:\Windows\system32\svchost.exe[1156] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 004C0804 .text C:\Windows\system32\svchost.exe[1156] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 004C01F8 .text C:\Windows\system32\svchost.exe[1156] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 004C0600 .text C:\Windows\system32\svchost.exe[1288] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[1288] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[1288] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1288] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 01150A08 .text C:\Windows\system32\svchost.exe[1288] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 011503FC .text C:\Windows\system32\svchost.exe[1288] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 01150804 .text C:\Windows\system32\svchost.exe[1288] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 011501F8 .text C:\Windows\system32\svchost.exe[1288] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 01150600 .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1368] kernel32.dll!SetUnhandledExceptionFilter 759EF4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1368] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[1440] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000B03FC .text C:\Windows\System32\spoolsv.exe[1440] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000B01F8 .text C:\Windows\System32\spoolsv.exe[1440] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[1440] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00150A08 .text C:\Windows\System32\spoolsv.exe[1440] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 001503FC .text C:\Windows\System32\spoolsv.exe[1440] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00150804 .text C:\Windows\System32\spoolsv.exe[1440] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 001501F8 .text C:\Windows\System32\spoolsv.exe[1440] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00150600 .text C:\Windows\system32\svchost.exe[1468] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[1468] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[1468] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1468] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00150A08 .text C:\Windows\system32\svchost.exe[1468] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 001503FC .text C:\Windows\system32\svchost.exe[1468] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00150804 .text C:\Windows\system32\svchost.exe[1468] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 001501F8 .text C:\Windows\system32\svchost.exe[1468] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00150600 .text C:\Windows\system32\taskhost.exe[1744] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000503FC .text C:\Windows\system32\taskhost.exe[1744] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000501F8 .text C:\Windows\system32\taskhost.exe[1744] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\taskhost.exe[1744] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00120A08 .text C:\Windows\system32\taskhost.exe[1744] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 001203FC .text C:\Windows\system32\taskhost.exe[1744] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00120804 .text C:\Windows\system32\taskhost.exe[1744] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 001201F8 .text C:\Windows\system32\taskhost.exe[1744] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00120600 .text C:\Windows\system32\taskhost.exe[1744] ws2_32.dll!getsockname 756330AF 5 Bytes JMP 0097008D .text C:\Windows\system32\taskhost.exe[1744] ws2_32.dll!connect 75636BDD 5 Bytes JMP 0097002D .text C:\Windows\system32\taskhost.exe[1744] ws2_32.dll!getpeername 75637147 5 Bytes JMP 009700BD .text C:\Windows\system32\taskhost.exe[1744] ws2_32.dll!WSAConnect 7563CC3F 5 Bytes JMP 0097005D .text C:\Windows\Explorer.EXE[1808] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\Explorer.EXE[1808] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\Explorer.EXE[1808] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\Explorer.EXE[1808] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00110A08 .text C:\Windows\Explorer.EXE[1808] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 001103FC .text C:\Windows\Explorer.EXE[1808] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00110804 .text C:\Windows\Explorer.EXE[1808] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 001101F8 .text C:\Windows\Explorer.EXE[1808] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00110600 .text C:\Windows\Explorer.EXE[1808] ws2_32.dll!getsockname 756330AF 5 Bytes JMP 02F3008D .text C:\Windows\Explorer.EXE[1808] ws2_32.dll!connect 75636BDD 5 Bytes JMP 02F3002D .text C:\Windows\Explorer.EXE[1808] ws2_32.dll!getpeername 75637147 5 Bytes JMP 02F300BD .text C:\Windows\Explorer.EXE[1808] ws2_32.dll!WSAConnect 7563CC3F 5 Bytes JMP 02F3005D .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1832] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 001603FC .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1832] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 001601F8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1832] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1832] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00210A08 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1832] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 002103FC .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1832] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00210804 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1832] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 002101F8 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1832] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00210600 .text C:\Windows\system32\svchost.exe[1864] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[1864] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[1864] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1864] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00920A08 .text C:\Windows\system32\svchost.exe[1864] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 009203FC .text C:\Windows\system32\svchost.exe[1864] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00920804 .text C:\Windows\system32\svchost.exe[1864] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 009201F8 .text C:\Windows\system32\svchost.exe[1864] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00920600 .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1932] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 001603FC .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1932] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 001601F8 .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1932] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1932] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00200A08 .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1932] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 002003FC .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1932] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00200804 .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1932] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 002001F8 .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1932] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00200600 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2400] KERNEL32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[2424] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000A03FC .text C:\Windows\system32\svchost.exe[2424] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000A01F8 .text C:\Windows\system32\svchost.exe[2424] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\System32\svchost.exe[2604] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000A03FC .text C:\Windows\System32\svchost.exe[2604] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000A01F8 .text C:\Windows\System32\svchost.exe[2604] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\System32\svchost.exe[2604] user32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00400A08 .text C:\Windows\System32\svchost.exe[2604] user32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 004003FC .text C:\Windows\System32\svchost.exe[2604] user32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00400804 .text C:\Windows\System32\svchost.exe[2604] user32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 004001F8 .text C:\Windows\System32\svchost.exe[2604] user32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00400600 .text C:\Windows\system32\svchost.exe[2632] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[2632] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[2632] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[2632] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 001B0A08 .text C:\Windows\system32\svchost.exe[2632] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 001B03FC .text C:\Windows\system32\svchost.exe[2632] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 001B0804 .text C:\Windows\system32\svchost.exe[2632] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 001B01F8 .text C:\Windows\system32\svchost.exe[2632] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 001B0600 .text C:\Program Files\CONEXANT\SmartAudio\SmAudio.exe[2656] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 001603FC .text C:\Program Files\CONEXANT\SmartAudio\SmAudio.exe[2656] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 001601F8 .text C:\Program Files\CONEXANT\SmartAudio\SmAudio.exe[2656] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Program Files\CONEXANT\SmartAudio\SmAudio.exe[2656] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00180A08 .text C:\Program Files\CONEXANT\SmartAudio\SmAudio.exe[2656] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 001803FC .text C:\Program Files\CONEXANT\SmartAudio\SmAudio.exe[2656] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00180804 .text C:\Program Files\CONEXANT\SmartAudio\SmAudio.exe[2656] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 001801F8 .text C:\Program Files\CONEXANT\SmartAudio\SmAudio.exe[2656] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00180600 .text C:\Program Files\CONEXANT\SmartAudio\SmAudio.exe[2656] ws2_32.dll!getsockname 756330AF 5 Bytes JMP 01AD008D .text C:\Program Files\CONEXANT\SmartAudio\SmAudio.exe[2656] ws2_32.dll!connect 75636BDD 5 Bytes JMP 01AD002D .text C:\Program Files\CONEXANT\SmartAudio\SmAudio.exe[2656] ws2_32.dll!getpeername 75637147 5 Bytes JMP 01AD00BD .text C:\Program Files\CONEXANT\SmartAudio\SmAudio.exe[2656] ws2_32.dll!WSAConnect 7563CC3F 5 Bytes JMP 01AD005D .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2732] KERNEL32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2732] ws2_32.dll!getsockname 756330AF 5 Bytes JMP 0154008D .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2732] ws2_32.dll!connect 75636BDD 5 Bytes JMP 0154002D .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2732] ws2_32.dll!getpeername 75637147 5 Bytes JMP 015400BD .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2732] ws2_32.dll!WSAConnect 7563CC3F 5 Bytes JMP 0154005D .text C:\Windows\System32\svchost.exe[2756] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\System32\svchost.exe[2756] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\System32\svchost.exe[2756] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Program Files\Ad Muncher\AdMunch.exe[2768] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 001603FC .text C:\Program Files\Ad Muncher\AdMunch.exe[2768] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 001601F8 .text C:\Program Files\Ad Muncher\AdMunch.exe[2768] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Program Files\Ad Muncher\AdMunch.exe[2768] user32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 001F0A08 .text C:\Program Files\Ad Muncher\AdMunch.exe[2768] user32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 001F03FC .text C:\Program Files\Ad Muncher\AdMunch.exe[2768] user32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 001F0804 .text C:\Program Files\Ad Muncher\AdMunch.exe[2768] user32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 001F01F8 .text C:\Program Files\Ad Muncher\AdMunch.exe[2768] user32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 001F0600 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[2800] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 001603FC .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[2800] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 001601F8 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[2800] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[2800] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00200A08 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[2800] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 002003FC .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[2800] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00200804 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[2800] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 002001F8 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[2800] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00200600 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[2800] WS2_32.dll!getsockname 756330AF 5 Bytes JMP 0038008D .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[2800] WS2_32.dll!connect 75636BDD 5 Bytes JMP 0038002D .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[2800] WS2_32.dll!getpeername 75637147 5 Bytes JMP 003800BD .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[2800] WS2_32.dll!WSAConnect 7563CC3F 5 Bytes JMP 0038005D .text C:\Windows\system32\WUDFHost.exe[2804] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\WUDFHost.exe[2804] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\WUDFHost.exe[2804] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\WUDFHost.exe[2804] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00100A08 .text C:\Windows\system32\WUDFHost.exe[2804] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 001003FC .text C:\Windows\system32\WUDFHost.exe[2804] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00100804 .text C:\Windows\system32\WUDFHost.exe[2804] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 001001F8 .text C:\Windows\system32\WUDFHost.exe[2804] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00100600 .text C:\Program Files\RocketDock\RocketDock.exe[2880] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 001603FC .text C:\Program Files\RocketDock\RocketDock.exe[2880] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 001601F8 .text C:\Program Files\RocketDock\RocketDock.exe[2880] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Program Files\RocketDock\RocketDock.exe[2880] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 001F0A08 .text C:\Program Files\RocketDock\RocketDock.exe[2880] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 001F03FC .text C:\Program Files\RocketDock\RocketDock.exe[2880] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 001F0804 .text C:\Program Files\RocketDock\RocketDock.exe[2880] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 001F01F8 .text C:\Program Files\RocketDock\RocketDock.exe[2880] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 001F0600 .text C:\Program Files\RocketDock\RocketDock.exe[2880] ws2_32.dll!getsockname 756330AF 5 Bytes JMP 0175008D .text C:\Program Files\RocketDock\RocketDock.exe[2880] ws2_32.dll!connect 75636BDD 5 Bytes JMP 0175002D .text C:\Program Files\RocketDock\RocketDock.exe[2880] ws2_32.dll!getpeername 75637147 5 Bytes JMP 017500BD .text C:\Program Files\RocketDock\RocketDock.exe[2880] ws2_32.dll!WSAConnect 7563CC3F 5 Bytes JMP 0175005D .text C:\Program Files\Ad Muncher\AdMunchUDa.exe[2924] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Program Files\Ad Muncher\AdMunchUDa.exe[2924] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Program Files\Ad Muncher\AdMunchUDa.exe[2924] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Program Files\Ad Muncher\AdMunchUDa.exe[2924] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00100A08 .text C:\Program Files\Ad Muncher\AdMunchUDa.exe[2924] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 001003FC .text C:\Program Files\Ad Muncher\AdMunchUDa.exe[2924] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00100804 .text C:\Program Files\Ad Muncher\AdMunchUDa.exe[2924] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 001001F8 .text C:\Program Files\Ad Muncher\AdMunchUDa.exe[2924] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00100600 .text C:\Program Files\Ad Muncher\AdMunchUDa.exe[2924] WS2_32.dll!getsockname 756330AF 5 Bytes JMP 003A008D .text C:\Program Files\Ad Muncher\AdMunchUDa.exe[2924] WS2_32.dll!connect 75636BDD 5 Bytes JMP 003A002D .text C:\Program Files\Ad Muncher\AdMunchUDa.exe[2924] WS2_32.dll!getpeername 75637147 5 Bytes JMP 003A00BD .text C:\Program Files\Ad Muncher\AdMunchUDa.exe[2924] WS2_32.dll!WSAConnect 7563CC3F 5 Bytes JMP 003A005D .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3116] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 001603FC .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3116] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 001601F8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3116] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3116] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 005E0A08 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3116] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 005E03FC .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3116] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 005E0804 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3116] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 005E01F8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3116] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 005E0600 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3116] WS2_32.dll!getsockname 756330AF 5 Bytes JMP 01A4008D .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3116] WS2_32.dll!connect 75636BDD 5 Bytes JMP 01A4002D .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3116] WS2_32.dll!getpeername 75637147 5 Bytes JMP 01A400BD .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3116] WS2_32.dll!WSAConnect 7563CC3F 5 Bytes JMP 01A4005D .text C:\Windows\system32\svchost.exe[3260] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[3260] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[3260] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 654EC930 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] kernel32.dll!MapViewOfFile 759E93DB 5 Bytes JMP 6571E083 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] kernel32.dll!VirtualAlloc 759EC43A 5 Bytes JMP 6571E0AA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 000F0A08 .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 000F03FC .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 000F0804 .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 000F01F8 .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 000F0600 .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] GDI32.dll!CreateDIBSection 76CA8850 5 Bytes JMP 6571E00D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] WS2_32.dll!getsockname 756330AF 5 Bytes JMP 00BF008D .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] WS2_32.dll!connect 75636BDD 5 Bytes JMP 00BF002D .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] WS2_32.dll!getpeername 75637147 5 Bytes JMP 00BF00BD .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] WS2_32.dll!WSAConnect 7563CC3F 5 Bytes JMP 00BF005D .text C:\Windows\system32\SearchIndexer.exe[3536] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\SearchIndexer.exe[3536] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\SearchIndexer.exe[3536] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[3536] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00100A08 .text C:\Windows\system32\SearchIndexer.exe[3536] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 001003FC .text C:\Windows\system32\SearchIndexer.exe[3536] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00100804 .text C:\Windows\system32\SearchIndexer.exe[3536] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 001001F8 .text C:\Windows\system32\SearchIndexer.exe[3536] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00100600 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3700] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 001603FC .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3700] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 001601F8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3700] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3700] WS2_32.dll!getsockname 756330AF 5 Bytes JMP 0524008D .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3700] WS2_32.dll!connect 75636BDD 5 Bytes JMP 0524002D .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3700] WS2_32.dll!getpeername 75637147 5 Bytes JMP 052400BD .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3700] WS2_32.dll!WSAConnect 7563CC3F 5 Bytes JMP 0524005D .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3700] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00240A08 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3700] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 002403FC .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3700] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00240804 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3700] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 002401F8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3700] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00240600 .text C:\Windows\system32\AUDIODG.EXE[5164] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\AUDIODG.EXE[5164] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\AUDIODG.EXE[5164] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Windows\system32\AUDIODG.EXE[5164] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00140A08 .text C:\Windows\system32\AUDIODG.EXE[5164] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 001403FC .text C:\Windows\system32\AUDIODG.EXE[5164] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00140804 .text C:\Windows\system32\AUDIODG.EXE[5164] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 001401F8 .text C:\Windows\system32\AUDIODG.EXE[5164] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00140600 .text C:\Users\Lenovo\Desktop\qhiifbmt.exe[5516] ntdll.dll!LdrUnloadDll 7723C86E 5 Bytes JMP 001603FC .text C:\Users\Lenovo\Desktop\qhiifbmt.exe[5516] ntdll.dll!LdrLoadDll 7724223E 5 Bytes JMP 001601F8 .text C:\Users\Lenovo\Desktop\qhiifbmt.exe[5516] kernel32.dll!GetBinaryTypeW + 70 75A069F4 1 Byte [62] .text C:\Users\Lenovo\Desktop\qhiifbmt.exe[5516] USER32.dll!UnhookWindowsHookEx 76D7CC7B 5 Bytes JMP 00320A08 .text C:\Users\Lenovo\Desktop\qhiifbmt.exe[5516] USER32.dll!UnhookWinEvent 76D7D924 5 Bytes JMP 003203FC .text C:\Users\Lenovo\Desktop\qhiifbmt.exe[5516] USER32.dll!SetWindowsHookExW 76D8210A 5 Bytes JMP 00320804 .text C:\Users\Lenovo\Desktop\qhiifbmt.exe[5516] USER32.dll!SetWinEventHook 76D8507E 5 Bytes JMP 003201F8 .text C:\Users\Lenovo\Desktop\qhiifbmt.exe[5516] USER32.dll!SetWindowsHookExA 76DA6DFA 5 Bytes JMP 00320600 .text C:\Users\Lenovo\Desktop\qhiifbmt.exe[5516] ws2_32.dll!getsockname 756330AF 5 Bytes JMP 0038008D .text C:\Users\Lenovo\Desktop\qhiifbmt.exe[5516] ws2_32.dll!connect 75636BDD 5 Bytes JMP 0038002D .text C:\Users\Lenovo\Desktop\qhiifbmt.exe[5516] ws2_32.dll!getpeername 75637147 5 Bytes JMP 003800BD .text C:\Users\Lenovo\Desktop\qhiifbmt.exe[5516] ws2_32.dll!WSAConnect 7563CC3F 5 Bytes JMP 0038005D ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1368] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [71A2F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [71A2F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269f2d638 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269f2d638@0024835b3c39 0x3E 0x5B 0xE7 0xDE ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269f2d638@3c5a3710316f 0x89 0x99 0xC2 0xAF ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269f2d638@2cd2e76559ba 0x28 0x85 0xAF 0xA6 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269f2d638 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269f2d638@0024835b3c39 0x3E 0x5B 0xE7 0xDE ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269f2d638@3c5a3710316f 0x89 0x99 0xC2 0xAF ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269f2d638@2cd2e76559ba 0x28 0x85 0xAF 0xA6 ... ---- EOF - GMER 1.0.15 ----