GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-02-04 16:43:24 Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 ST9160821AS rev.3.ALD Running: gmer.exe; Driver: C:\Users\Daniel\AppData\Local\Temp\uwdirpod.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x89EFEFC4] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x9050C510] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x89F01456] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x89F014AE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x89F015C4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x89F013AC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x89F014FE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x89F01400] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x89F01572] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x89EFEFE8] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x9050C5C0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x89EFEDB2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x89EFF00C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x89F019BC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x89EFFAA4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x89F01486] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x89F014D6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x89F015EE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x89F013D8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x89F0153E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x89F0142E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x89F0159C] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x9050C658] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x89EFF96A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x89EFF030] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x89EFF054] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x89EFEE0C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x89EFEF48] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x89EFEF24] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x89EFEF6C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x89EFF078] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x905207A2] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!ZwSaveKey + 13CD 830399A9 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 830594E2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntoskrnl.exe!KeRemoveQueueEx + 1393 83060750 4 Bytes [C4, EF, EF, 89] .text ntoskrnl.exe!KeRemoveQueueEx + 13BB 83060778 4 Bytes [10, C5, 50, 90] {ADC CH, AL; PUSH EAX; NOP } .text ntoskrnl.exe!KeRemoveQueueEx + 146F 8306082C 8 Bytes [56, 14, F0, 89, AE, 14, F0, ...] .text ntoskrnl.exe!KeRemoveQueueEx + 147B 83060838 4 Bytes [C4, 15, F0, 89] .text ntoskrnl.exe!KeRemoveQueueEx + 1497 83060854 4 Bytes [AC, 13, F0, 89] .text ... PAGE ntoskrnl.exe!ObMakeTemporaryObject 831E640E 5 Bytes JMP 9051D69C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntoskrnl.exe!RtlCompareUnicodeStrings + 50C 8320D916 5 Bytes JMP 9051F174 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 108 8321406F 4 Bytes CALL 89F00025 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntoskrnl.exe!ZwAlpcSendWaitReceivePort + 122 83250C8D 4 Bytes CALL 89F0003B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntoskrnl.exe!ZwCreateProcessEx 832D67D4 7 Bytes JMP 905207A6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) .text kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] ---- User code sections - GMER 1.0.15 ---- .text C:\Windows\system32\svchost.exe[328] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[328] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[328] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\csrss.exe[468] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[472] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[472] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[472] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\wininit.exe[556] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000303FC .text C:\Windows\system32\wininit.exe[556] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000301F8 .text C:\Windows\system32\wininit.exe[556] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\wininit.exe[556] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 000C0A08 .text C:\Windows\system32\wininit.exe[556] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 000C03FC .text C:\Windows\system32\wininit.exe[556] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 000C0804 .text C:\Windows\system32\wininit.exe[556] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 000C01F8 .text C:\Windows\system32\wininit.exe[556] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 000C0600 .text C:\Windows\system32\csrss.exe[568] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\services.exe[612] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\services.exe[612] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\services.exe[612] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\lsass.exe[628] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\lsass.exe[628] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\lsass.exe[628] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\lsm.exe[636] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000A03FC .text C:\Windows\system32\lsm.exe[636] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000A01F8 .text C:\Windows\system32\lsm.exe[636] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[732] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[732] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[732] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\winlogon.exe[804] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000303FC .text C:\Windows\system32\winlogon.exe[804] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000301F8 .text C:\Windows\system32\winlogon.exe[804] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\winlogon.exe[804] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 00100A08 .text C:\Windows\system32\winlogon.exe[804] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 001003FC .text C:\Windows\system32\winlogon.exe[804] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 00100804 .text C:\Windows\system32\winlogon.exe[804] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 001001F8 .text C:\Windows\system32\winlogon.exe[804] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 00100600 .text C:\Windows\system32\svchost.exe[872] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[872] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[872] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\System32\svchost.exe[924] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Windows\System32\svchost.exe[924] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Windows\System32\svchost.exe[924] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\System32\svchost.exe[924] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 00190A08 .text C:\Windows\System32\svchost.exe[924] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 001903FC .text C:\Windows\System32\svchost.exe[924] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 00190804 .text C:\Windows\System32\svchost.exe[924] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 001901F8 .text C:\Windows\System32\svchost.exe[924] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 00190600 .text C:\Windows\System32\svchost.exe[1004] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Windows\System32\svchost.exe[1004] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Windows\System32\svchost.exe[1004] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\System32\svchost.exe[1004] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 008D0A08 .text C:\Windows\System32\svchost.exe[1004] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 008D03FC .text C:\Windows\System32\svchost.exe[1004] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 008D0804 .text C:\Windows\System32\svchost.exe[1004] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 008D01F8 .text C:\Windows\System32\svchost.exe[1004] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 008D0600 .text C:\Windows\system32\svchost.exe[1044] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000A03FC .text C:\Windows\system32\svchost.exe[1044] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000A01F8 .text C:\Windows\system32\svchost.exe[1044] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1044] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 00E80A08 .text C:\Windows\system32\svchost.exe[1044] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 00E803FC .text C:\Windows\system32\svchost.exe[1044] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 00E80804 .text C:\Windows\system32\svchost.exe[1044] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 00E801F8 .text C:\Windows\system32\svchost.exe[1044] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 00E80600 .text C:\Windows\system32\AUDIODG.EXE[1140] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1212] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[1212] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[1212] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1212] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 003D0A08 .text C:\Windows\system32\svchost.exe[1212] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 003D03FC .text C:\Windows\system32\svchost.exe[1212] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 003D0804 .text C:\Windows\system32\svchost.exe[1212] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 003D01F8 .text C:\Windows\system32\svchost.exe[1212] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 003D0600 .text C:\Windows\system32\svchost.exe[1352] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[1352] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[1352] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1352] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 008F0A08 .text C:\Windows\system32\svchost.exe[1352] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 008F03FC .text C:\Windows\system32\svchost.exe[1352] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 008F0804 .text C:\Windows\system32\svchost.exe[1352] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 008F01F8 .text C:\Windows\system32\svchost.exe[1352] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 008F0600 .text C:\Program Files\Mozilla Firefox\firefox.exe[1372] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Program Files\Mozilla Firefox\firefox.exe[1372] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 5D2EB750 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[1372] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[1372] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 000F0A08 .text C:\Program Files\Mozilla Firefox\firefox.exe[1372] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 000F03FC .text C:\Program Files\Mozilla Firefox\firefox.exe[1372] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 000F0804 .text C:\Program Files\Mozilla Firefox\firefox.exe[1372] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 000F01F8 .text C:\Program Files\Mozilla Firefox\firefox.exe[1372] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 000F0600 .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1492] kernel32.dll!SetUnhandledExceptionFilter 759BF4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1492] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1768] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[1768] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[1768] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1768] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 00360A08 .text C:\Windows\system32\svchost.exe[1768] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 003603FC .text C:\Windows\system32\svchost.exe[1768] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 00360804 .text C:\Windows\system32\svchost.exe[1768] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 003601F8 .text C:\Windows\system32\svchost.exe[1768] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 00360600 .text C:\Windows\system32\svchost.exe[1912] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[1912] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[1912] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Users\Daniel\Desktop\gmer.exe[1920] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe[1996] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 001503FC .text C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe[1996] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 001501F8 .text C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe[1996] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2020] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000903FC .text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2020] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000901F8 .text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2020] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2020] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 00130A08 .text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2020] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 001303FC .text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2020] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 00130804 .text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2020] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 001301F8 .text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2020] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 00130600 .text C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe[2192] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 001603FC .text C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe[2192] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 001601F8 .text C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe[2192] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe[2192] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 004F0A08 .text C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe[2192] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 004F03FC .text C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe[2192] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 004F0804 .text C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe[2192] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 004F01F8 .text C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe[2192] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 004F0600 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2284] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 001503FC .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2284] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 001501F8 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2284] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2284] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 001F0A08 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2284] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 001F03FC .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2284] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 001F0804 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2284] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 001F01F8 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2284] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 001F0600 .text C:\Windows\system32\WUDFHost.exe[2316] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\WUDFHost.exe[2316] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\WUDFHost.exe[2316] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\WUDFHost.exe[2316] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 00100A08 .text C:\Windows\system32\WUDFHost.exe[2316] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 001003FC .text C:\Windows\system32\WUDFHost.exe[2316] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 00100804 .text C:\Windows\system32\WUDFHost.exe[2316] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 001001F8 .text C:\Windows\system32\WUDFHost.exe[2316] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 00100600 .text C:\Windows\system32\svchost.exe[2364] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[2364] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[2364] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[2364] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 002E0A08 .text C:\Windows\system32\svchost.exe[2364] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 002E03FC .text C:\Windows\system32\svchost.exe[2364] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 002E0804 .text C:\Windows\system32\svchost.exe[2364] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 002E01F8 .text C:\Windows\system32\svchost.exe[2364] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 002E0600 .text C:\Windows\system32\taskhost.exe[2456] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000503FC .text C:\Windows\system32\taskhost.exe[2456] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000501F8 .text C:\Windows\system32\taskhost.exe[2456] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\taskhost.exe[2456] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 00070A08 .text C:\Windows\system32\taskhost.exe[2456] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 000703FC .text C:\Windows\system32\taskhost.exe[2456] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 00070804 .text C:\Windows\system32\taskhost.exe[2456] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 000701F8 .text C:\Windows\system32\taskhost.exe[2456] USER32.dll!SetWindowsHookExA 757B6D0C 3 Bytes JMP 00070600 .text C:\Windows\system32\taskhost.exe[2456] USER32.dll!SetWindowsHookExA + 4 757B6D10 1 Byte [8A] .text C:\Windows\system32\Dwm.exe[2588] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\Dwm.exe[2588] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\Dwm.exe[2588] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\Dwm.exe[2588] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 000F0A08 .text C:\Windows\system32\Dwm.exe[2588] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 000F03FC .text C:\Windows\system32\Dwm.exe[2588] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 000F0804 .text C:\Windows\system32\Dwm.exe[2588] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 000F01F8 .text C:\Windows\system32\Dwm.exe[2588] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 000F0600 .text C:\Windows\Explorer.EXE[2644] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Windows\Explorer.EXE[2644] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Windows\Explorer.EXE[2644] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\Explorer.EXE[2644] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 00150A08 .text C:\Windows\Explorer.EXE[2644] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 001503FC .text C:\Windows\Explorer.EXE[2644] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 00150804 .text C:\Windows\Explorer.EXE[2644] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 001501F8 .text C:\Windows\Explorer.EXE[2644] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 00150600 .text C:\Windows\System32\rundll32.exe[2704] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000703FC .text C:\Windows\System32\rundll32.exe[2704] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000701F8 .text C:\Windows\System32\rundll32.exe[2704] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\System32\rundll32.exe[2704] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 00100A08 .text C:\Windows\System32\rundll32.exe[2704] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 001003FC .text C:\Windows\System32\rundll32.exe[2704] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 00100804 .text C:\Windows\System32\rundll32.exe[2704] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 001001F8 .text C:\Windows\System32\rundll32.exe[2704] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 00100600 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2860] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000A03FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2860] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000A01F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2860] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2860] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 00140A08 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2860] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 001403FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2860] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 00140804 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2860] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 001401F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2860] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 00140600 .text C:\Windows\System32\hkcmd.exe[3000] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 001603FC .text C:\Windows\System32\hkcmd.exe[3000] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 001601F8 .text C:\Windows\System32\hkcmd.exe[3000] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\System32\hkcmd.exe[3000] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 00200A08 .text C:\Windows\System32\hkcmd.exe[3000] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 002003FC .text C:\Windows\System32\hkcmd.exe[3000] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 00200804 .text C:\Windows\System32\hkcmd.exe[3000] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 002001F8 .text C:\Windows\System32\hkcmd.exe[3000] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 00200600 .text C:\Windows\System32\igfxpers.exe[3008] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 001603FC .text C:\Windows\System32\igfxpers.exe[3008] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 001601F8 .text C:\Windows\System32\igfxpers.exe[3008] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\System32\igfxpers.exe[3008] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 00200A08 .text C:\Windows\System32\igfxpers.exe[3008] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 002003FC .text C:\Windows\System32\igfxpers.exe[3008] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 00200804 .text C:\Windows\System32\igfxpers.exe[3008] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 002001F8 .text C:\Windows\System32\igfxpers.exe[3008] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 00200600 .text C:\Windows\system32\igfxsrvc.exe[3032] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 001603FC .text C:\Windows\system32\igfxsrvc.exe[3032] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 001601F8 .text C:\Windows\system32\igfxsrvc.exe[3032] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\igfxsrvc.exe[3032] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 001F0A08 .text C:\Windows\system32\igfxsrvc.exe[3032] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 001F03FC .text C:\Windows\system32\igfxsrvc.exe[3032] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 001F0804 .text C:\Windows\system32\igfxsrvc.exe[3032] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 001F01F8 .text C:\Windows\system32\igfxsrvc.exe[3032] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 001F0600 .text C:\Program Files\Adobe\Adobe Photoshop CS5\Photoshop.exe[3060] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 001603FC .text C:\Program Files\Adobe\Adobe Photoshop CS5\Photoshop.exe[3060] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 001601F8 .text C:\Program Files\Adobe\Adobe Photoshop CS5\Photoshop.exe[3060] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Program Files\Adobe\Adobe Photoshop CS5\Photoshop.exe[3060] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 02F90A08 .text C:\Program Files\Adobe\Adobe Photoshop CS5\Photoshop.exe[3060] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 02F903FC .text C:\Program Files\Adobe\Adobe Photoshop CS5\Photoshop.exe[3060] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 02F90804 .text C:\Program Files\Adobe\Adobe Photoshop CS5\Photoshop.exe[3060] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 02F901F8 .text C:\Program Files\Adobe\Adobe Photoshop CS5\Photoshop.exe[3060] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 02F90600 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3188] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 001703FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3188] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 001701F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3188] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3188] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 001A0A08 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3188] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 001A03FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3188] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 001A0804 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3188] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 001A01F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3188] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 001A0600 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3228] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 001603FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3228] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 001601F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3228] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3228] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 001F0A08 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3228] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 001F03FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3228] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 001F0804 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3228] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 001F01F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3228] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 001F0600 .text C:\Program Files\REALTEK\Audio\HDA\RtHDVCpl.exe[3292] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 001603FC .text C:\Program Files\REALTEK\Audio\HDA\RtHDVCpl.exe[3292] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 001601F8 .text C:\Program Files\REALTEK\Audio\HDA\RtHDVCpl.exe[3292] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Program Files\REALTEK\Audio\HDA\RtHDVCpl.exe[3292] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 00300A08 .text C:\Program Files\REALTEK\Audio\HDA\RtHDVCpl.exe[3292] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 003003FC .text C:\Program Files\REALTEK\Audio\HDA\RtHDVCpl.exe[3292] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 00300804 .text C:\Program Files\REALTEK\Audio\HDA\RtHDVCpl.exe[3292] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 003001F8 .text C:\Program Files\REALTEK\Audio\HDA\RtHDVCpl.exe[3292] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 00300600 .text C:\Program Files\Mobinil USB modem\AutoDect.exe[3300] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 001603FC .text C:\Program Files\Mobinil USB modem\AutoDect.exe[3300] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 001601F8 .text C:\Program Files\Mobinil USB modem\AutoDect.exe[3300] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Program Files\Mobinil USB modem\AutoDect.exe[3300] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 001F0A08 .text C:\Program Files\Mobinil USB modem\AutoDect.exe[3300] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 001F03FC .text C:\Program Files\Mobinil USB modem\AutoDect.exe[3300] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 001F0804 .text C:\Program Files\Mobinil USB modem\AutoDect.exe[3300] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 001F01F8 .text C:\Program Files\Mobinil USB modem\AutoDect.exe[3300] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 001F0600 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3340] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3340] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3340] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3340] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 000F0A08 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3340] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 000F03FC .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3340] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 000F0804 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3340] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 000F01F8 .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3340] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 000F0600 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3368] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[3416] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Program Files\Windows Sidebar\sidebar.exe[3416] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3416] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[3416] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 000E0A08 .text C:\Program Files\Windows Sidebar\sidebar.exe[3416] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 000E03FC .text C:\Program Files\Windows Sidebar\sidebar.exe[3416] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 000E0804 .text C:\Program Files\Windows Sidebar\sidebar.exe[3416] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 000E01F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3416] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 000E0600 .text C:\Program Files\RocketDock\RocketDock.exe[3432] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 001603FC .text C:\Program Files\RocketDock\RocketDock.exe[3432] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 001601F8 .text C:\Program Files\RocketDock\RocketDock.exe[3432] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Program Files\RocketDock\RocketDock.exe[3432] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 001F0A08 .text C:\Program Files\RocketDock\RocketDock.exe[3432] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 001F03FC .text C:\Program Files\RocketDock\RocketDock.exe[3432] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 001F0804 .text C:\Program Files\RocketDock\RocketDock.exe[3432] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 001F01F8 .text C:\Program Files\RocketDock\RocketDock.exe[3432] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 001F0600 .text C:\Windows\system32\SearchIndexer.exe[3636] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\SearchIndexer.exe[3636] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\SearchIndexer.exe[3636] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[3636] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 00100A08 .text C:\Windows\system32\SearchIndexer.exe[3636] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 001003FC .text C:\Windows\system32\SearchIndexer.exe[3636] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 00100804 .text C:\Windows\system32\SearchIndexer.exe[3636] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 001001F8 .text C:\Windows\system32\SearchIndexer.exe[3636] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 00100600 .text C:\Program Files\Mobinil USB modem\UIMain.exe[3820] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 001503FC .text C:\Program Files\Mobinil USB modem\UIMain.exe[3820] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 001501F8 .text C:\Program Files\Mobinil USB modem\UIMain.exe[3820] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Program Files\Mobinil USB modem\UIMain.exe[3820] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 00BA0A08 .text C:\Program Files\Mobinil USB modem\UIMain.exe[3820] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 00BA03FC .text C:\Program Files\Mobinil USB modem\UIMain.exe[3820] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 00BA0804 .text C:\Program Files\Mobinil USB modem\UIMain.exe[3820] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 00BA01F8 .text C:\Program Files\Mobinil USB modem\UIMain.exe[3820] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 00BA0600 .text C:\Windows\System32\svchost.exe[4084] ntdll.dll!LdrUnloadDll 7734C86E 5 Bytes JMP 000603FC .text C:\Windows\System32\svchost.exe[4084] ntdll.dll!LdrLoadDll 7735223E 5 Bytes JMP 000601F8 .text C:\Windows\System32\svchost.exe[4084] kernel32.dll!GetBinaryTypeW + 70 759D69F4 1 Byte [62] .text C:\Windows\System32\svchost.exe[4084] USER32.dll!UnhookWindowsHookEx 7578ADF9 5 Bytes JMP 00140A08 .text C:\Windows\System32\svchost.exe[4084] USER32.dll!UnhookWinEvent 7578B750 5 Bytes JMP 001403FC .text C:\Windows\System32\svchost.exe[4084] USER32.dll!SetWindowsHookExW 7578E30C 5 Bytes JMP 00140804 .text C:\Windows\System32\svchost.exe[4084] USER32.dll!SetWinEventHook 757924DC 5 Bytes JMP 001401F8 .text C:\Windows\System32\svchost.exe[4084] USER32.dll!SetWindowsHookExA 757B6D0C 5 Bytes JMP 00140600 ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\Explorer.EXE[2644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [740F2437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [740D5600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [740D56BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [740F24B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [740E8514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [740E4CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [740E506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [740E5144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [740E6671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [740E826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [740E87BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [740E901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [740EE1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [740E4BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[2704] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7537FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[2704] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7537FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[2704] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7537FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[2704] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7537FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4B 0xB0 0xC7 0xF4 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xCA 0x21 0x69 0x2A ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x70 0x3D 0x42 0x25 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x70 0x3D 0x42 0x25 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4B 0xB0 0xC7 0xF4 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xCA 0x21 0x69 0x2A ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x70 0x3D 0x42 0x25 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x70 0x3D 0x42 0x25 ... ---- EOF - GMER 1.0.15 ----