Infected with a browser redirector


  • This topic is locked
5 replies to this topic

#1 Gcacti

Gcacti

  • Members
  • 2 posts

Posted 07 October 2011 - 06:47 PM

For the past few days, I seem to have contracted some manner of malware that redirects my searches to random advertisement sites and other disreputable sites. When I try to use Google, it sometimes redirects Google to the Italian or Lithuanian versions. Also, when attempting to browse the web, everything has greatly decreased in speed, locking up entirely or blue screening.

I've run AVG scans, Spybot Search and Destroy, Malwarebytes, TDSSKiller, Hitman, ESET, Combofix, and SUPERAntiSpyware, but no luck with any of those.
Before making this post, I went through the guide and ran into problems when I reached the GMER part. My computer always seemed to crash before the scan could reach completion.

Also, I cannot seem to determine the name of the infection; at best, I've been able to use Hitman to narrow down the infection to Wdf1000.sys and dllhost.exe in my drivers and system32 folders, respectively, but these are valid Windows files that are probably being used as surrogates. I'm not certain how to deal with the infection within them without losing core functionality.

I'm currently using Windows 7. Any help would be greatly appreciated. Thank you for your time and consideration.

Edit: Finally got GMER to fully complete a scan; adding the log for that in as well.

DDS LOG:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by Cacti2 at 1:42:47 on 2011-10-07
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3068.1848 [GMT -4:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Tablet\Pen\Pen_TouchService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
c:\Program Files\Microsoft SQL Server\MSSQL10_50.CACTISERVER\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Program Files\MySQL\MySQL Server 5.5\bin\mysqld.exe
C:\Windows\system32\PnkBstrA.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Users\Cacti2\Desktop\mbam-setup-1.51.2.1300.exe
C:\Users\Cacti2\AppData\Local\Temp\is-KTOF8.tmp\mbam-setup-1.51.2.1300.tmp
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 10\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - c:\program files\microsoft visual studio 10.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 10\SnagitIEAddin.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
EB: Web Test Recorder 10.0: {5802d092-1784-4908-8cdb-99b6842d353d} - mscoree.dll
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFU3SEctWUxVVlUtRVMyRUctUUY3WEMtVkxDOVctUTRMWkc"&"inst=NzctNzQxOTA5NjE4LVRCOSsyLUZMKzktWE8zNisxLUY5TTdDKzUtRjlNMTBCKzItRjlNMisxLUZMMTArMS1ERFQrMzkwMDMtTFNEKzItREQxMEYrMS1TVDEwRkFQUCsxLUwxME0rMi1GMTBNMTJBVCsxMS1GMTBNMTJBKzEtRjEwTTEyQUIrMS1VMTArMS1TVDEyRk9JKzEtRjEwTTEyQVUrMS1FVUxBKzEtU1QxMkZBUFArMS1TVEYxME0xMkFVRisx"&"prod=90"&"ver=2012.0.1831"&"mid=ea05bfd67d9e5cd1e2f934dd3e74c73e-2acf45f1b16d67c6bedb6cd1db5c2c334e4fcf14
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{7AF5D18E-E13A-4FB0-9C61-557603A582AD} : DhcpNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-6-24 91456]
R2 MSSQL$CACTISERVER;SQL Server (CACTISERVER);c:\program files\microsoft sql server\mssql10_50.cactiserver\mssql\binn\sqlservr.exe [2010-4-3 42884448]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-7-26 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-1-7 378984]
R2 TabletServicePen;TabletServicePen;c:\program files\tablet\pen\Pen_Tablet.exe [2011-9-2 4869488]
R2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\tablet\pen\Pen_TouchService.exe [2011-9-2 416112]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2010-7-1 34896]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-10-6 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 COOYB;COOYB;c:\users\cacti2\appdata\local\temp\cooyb.exe --> c:\users\cacti2\appdata\local\temp\COOYB.exe [?]
S3 DMY;DMY;c:\users\cacti2\appdata\local\temp\dmy.exe --> c:\users\cacti2\appdata\local\temp\DMY.exe [?]
S3 DNRSKJIY;DNRSKJIY;c:\users\cacti2\appdata\local\temp\dnrskjiy.exe --> c:\users\cacti2\appdata\local\temp\DNRSKJIY.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-10-6 136176]
S3 LUE;LUE;c:\users\cacti2\appdata\local\temp\lue.exe --> c:\users\cacti2\appdata\local\temp\LUE.exe [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-12-27 31124344]
S3 MLNJYP;MLNJYP;c:\users\cacti2\appdata\local\temp\mlnjyp.exe --> c:\users\cacti2\appdata\local\temp\MLNJYP.exe [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2010-6-18 19968]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-29 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2010-6-18 23936]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-7-26 20080]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\microsoft visual studio 10.0\team tools\performance tools\VSPerfDrv100.sys [2009-12-8 48128]
S3 VYVEYGPNULBY;VYVEYGPNULBY;c:\users\cacti2\appdata\local\temp\vyveygpnulby.exe --> c:\users\cacti2\appdata\local\temp\VYVEYGPNULBY.exe [?]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2011-9-2 16240]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-27 1343400]
S3 WQDM;WQDM;c:\users\cacti2\appdata\local\temp\wqdm.exe --> c:\users\cacti2\appdata\local\temp\WQDM.exe [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-4-3 44896]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [2010-4-3 240608]
S4 SQLAgent$CACTISERVER;SQL Server Agent (CACTISERVER);c:\program files\microsoft sql server\mssql10_50.cactiserver\mssql\binn\SQLAGENT.EXE [2010-4-3 367456]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2011-10-07 03:48:20 -------- d-----w- c:\users\cacti2\appdata\roaming\SUPERAntiSpyware.com
2011-10-07 03:48:06 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-10-07 03:48:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-07 03:14:44 -------- d-----w- C:\_OTM
2011-10-07 02:27:04 -------- d-----w- c:\windows\pss
2011-10-07 00:52:35 -------- d-----w- c:\program files\ESET
2011-10-07 00:06:45 -------- d-sh--w- C:\$RECYCLE.BIN
2011-10-07 00:06:42 -------- d-----w- c:\users\cacti2\appdata\local\temp
2011-10-06 23:54:51 98816 ----a-w- c:\windows\sed.exe
2011-10-06 23:54:51 518144 ----a-w- c:\windows\SWREG.exe
2011-10-06 23:54:51 256000 ----a-w- c:\windows\PEV.exe
2011-10-06 23:54:51 208896 ----a-w- c:\windows\MBR.exe
2011-10-06 21:58:03 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-09-28 05:41:58 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-09-27 15:29:08 -------- d-----w- c:\program files\common files\AVG Secure Search
2011-09-27 15:28:17 -------- d-----w- c:\users\cacti2\appdata\roaming\AVG2012
2011-09-27 15:27:55 -------- d-----w- c:\programdata\AVG2012
2011-09-27 04:04:22 -------- d-----w- c:\program files\SWF to AVI
2011-09-26 22:07:08 -------- d-----w- c:\users\cacti2\appdata\roaming\Adobe Mini Bridge CS5
2011-09-26 22:07:07 -------- d-----w- c:\users\cacti2\appdata\roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2011-09-07 20:10:23 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2011-09-07 20:09:38 -------- d-----w- c:\program files\Microsoft Analysis Services
.
==================== Find3M ====================
.
2011-10-06 14:51:33 141200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-10-06 14:51:22 281656 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-10-06 14:51:22 281656 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-10-06 14:49:32 281200 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-09-26 17:33:08 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-04 20:37:38 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
.
============= FINISH: 1:43:56.58 ===============

GMER LOG:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-08 00:05:16
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD3200AAJS-00L7A0 rev.01.03E01
Running: gmer.exe; Driver: C:\Users\Cacti2\AppData\Local\Temp\pxldqpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xC9393374]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xCEC2C2B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xC9395996]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xC93959EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xC9395B04]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xC93958EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xC9395A3E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xC9395940]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xC9395AB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xC9393398]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xCEC2C368]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xC9393162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xC93933BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xC9395EFC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xC9393E54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xC93959C6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xC9395A16]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xC9395B2E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xC9395918]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xC9395A7E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xC939596E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xC9395ADC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xCEC2C400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xC9393D1A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xC93933E0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xC9393404]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xC93931BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xC93932F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xC93932D4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xC939331C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xC9393428]

INT 0x61 ? C40C97D8
INT 0x62 ? C333B058
INT 0x71 ? C40C92D8
INT 0x72 ? C333B558
INT 0x80 ? C333B7D8
INT 0x81 ? C40C9558
INT 0x82 ? C3313058
INT 0x90 ? C3313558
INT 0x92 ? C333BCD8
INT 0xA0 ? C33137D8
INT 0xA2 ? C333BA58
INT 0xB0 ? C3313A58
INT 0xB1 ? C3313CD8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD E2C7C569 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 E2CA1092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 214 E2CA8824 4 Bytes [74, 33, 39, C9] {JZ 0x35; CMP ECX, ECX}
.text ntkrnlpa.exe!RtlSidHashLookup + 23C E2CA884C 4 Bytes [B8, C2, C2, CE]
.text ntkrnlpa.exe!RtlSidHashLookup + 2F0 E2CA8900 8 Bytes [96, 59, 39, C9, EE, 59, 39, ...] {XCHG ESI, EAX; POP ECX; CMP ECX, ECX; OUT DX, AL ; POP ECX; CMP ECX, ECX}
.text ntkrnlpa.exe!RtlSidHashLookup + 2FC E2CA890C 4 Bytes [04, 5B, 39, C9] {ADD AL, 0x5b; CMP ECX, ECX}
.text ntkrnlpa.exe!RtlSidHashLookup + 318 E2CA8928 4 Bytes [EC, 58, 39, C9] {IN AL, DX ; POP EAX; CMP ECX, ECX}
.text ...
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 E2EA65CA 4 Bytes CALL C93944C5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwResumeThread E2EAB4AE 1 Byte [CC] {INT 3 }
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 E2EAE6A4 4 Bytes CALL C93944DB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
? System32\Drivers\sphm.sys The system cannot find the path specified. !
PAGE ataport.SYS!DllUnload + 1 C8CC2AD7 4 Bytes JMP C326D1D9
.text USBPORT.SYS!DllUnload D1656CA0 5 Bytes JMP C3BDE1D8
.text afcm897f.SYS D16E7000 12 Bytes [44, 78, C0, E2, EE, 76, C0, ...]
.text afcm897f.SYS D16E700D 9 Bytes [57, C0, E2, 48, 7B, C0, E2, ...]
.text afcm897f.SYS D16E7017 41 Bytes [00, DE, 87, B2, C8, E6, 85, ...]
.text afcm897f.SYS D16E7041 76 Bytes [16, CA, E2, 60, 15, CA, E2, ...]
.text afcm897f.SYS D16E708E 51 Bytes [CA, E2, 6C, 00, C8, E2, 18, ...]
.text ...
.text kernel32.dll!GetBinaryTypeW + 70 75CE7984 1 Byte [62]
.text user32.dll!UnhookWindowsHookEx 7564CC7B 5 Bytes [E9, 88, 3D, D9, 8A] {JMP 0xffffffff8ad93d8d}
.text user32.dll!UnhookWinEvent 7564D924 5 Bytes [E9, D3, 2A, D9, 8A] {JMP 0xffffffff8ad92ad8}
.text user32.dll!SetWindowsHookExW 7565210A 5 Bytes [E9, F5, E6, D8, 8A] {JMP 0xffffffff8ad8e6fa}
.text user32.dll!SetWinEventHook 7565507E 5 Bytes [E9, 75, B1, D8, 8A] {JMP 0xffffffff8ad8b17a}
.text user32.dll!SetWindowsHookExA 75676DFA 5 Bytes [E9, 01, 98, D6, 8A] {JMP 0xffffffff8ad69806}

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\csrss.exe[484] kernel32.dll!GetBinaryTypeW + 70 75CE7984 1 Byte [62]
.text C:\Windows\system32\wininit.exe[552] ntdll.dll!LdrUnloadDll 7708BEAF 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[552] ntdll.dll!LdrLoadDll 7708F5B5 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[552] kernel32.dll!GetBinaryTypeW + 70 75CE7984 1 Byte [62]
.text C:\Windows\system32\wininit.exe[552] USER32.dll!UnhookWindowsHookEx 7564CC7B 5 Bytes JMP 000C0A08
.text C:\Windows\system32\wininit.exe[552] USER32.dll!UnhookWinEvent 7564D924 5 Bytes JMP 000C03FC
.text C:\Windows\system32\wininit.exe[552] USER32.dll!SetWindowsHookExW 7565210A 5 Bytes JMP 000C0804
.text C:\Windows\system32\wininit.exe[552] USER32.dll!SetWinEventHook 7565507E 5 Bytes JMP 000C01F8
.text C:\Windows\system32\wininit.exe[552] USER32.dll!SetWindowsHookExA 75676DFA 5 Bytes JMP 000C0600
.text C:\Windows\system32\csrss.exe[560] kernel32.dll!GetBinaryTypeW + 70 75CE7984 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[596] ntdll.dll!LdrUnloadDll 7708BEAF 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[596] ntdll.dll!LdrLoadDll 7708F5B5 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[596] kernel32.dll!GetBinaryTypeW + 70 75CE7984 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[596] USER32.dll!UnhookWindowsHookEx 7564CC7B 5 Bytes JMP 00100A08
.text C:\Windows\system32\winlogon.exe[596] USER32.dll!UnhookWinEvent 7564D924 5 Bytes JMP 001003FC
.text C:\Windows\system32\winlogon.exe[596] USER32.dll!SetWindowsHookExW 7565210A 5 Bytes JMP 00100804
.text C:\Windows\system32\winlogon.exe[596] USER32.dll!SetWinEventHook 7565507E 5 Bytes JMP 001001F8
.text C:\Windows\system32\winlogon.exe[596] USER32.dll!SetWindowsHookExA 75676DFA 5 Bytes JMP 00100600
.text C:\Windows\system32\services.exe[652] ntdll.dll!LdrUnloadDll 7708BEAF 5 Bytes JMP 000603FC
.text C:\Windows\system32\services.exe[652] ntdll.dll!LdrLoadDll 7708F5B5 5 Bytes JMP 000601F8
.text C:\Windows\system32\services.exe[652] kernel32.dll!GetBinaryTypeW + 70 75CE7984 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[680] ntdll.dll!LdrUnloadDll 7708BEAF 5 Bytes JMP 000603FC
.text C:\Windows\System32\spoolsv.exe[680] ntdll.dll!LdrLoadDll 7708F5B5 5 Bytes JMP 000601F8
.text C:\Windows\System32\spoolsv.exe[680] kernel32.dll!GetBinaryTypeW + 70 75CE7984 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[680] USER32.dll!UnhookWindowsHookEx 7564CC7B 5 Bytes JMP 00240A08
.text C:\Windows\System32\spoolsv.exe[680] USER32.dll!UnhookWinEvent 7564D924 5 Bytes JMP 002403FC
.text C:\Windows\System32\spoolsv.exe[680] USER32.dll!SetWindowsHookExW 7565210A 5 Bytes JMP 00240804
.text C:\Windows\System32\spoolsv.exe[680] USER32.dll!SetWinEventHook 7565507E 5 Bytes JMP 002401F8
.text C:\Windows\System32\spoolsv.exe[680] USER32.dll!SetWindowsHookExA 75676DFA 5 Bytes JMP 00240600
.text C:\Windows\system32\lsass.exe[684] ntdll.dll!LdrUnloadDll 7708BEAF 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsass.exe[684] ntdll.dll!LdrLoadDll 7708F5B5 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsass.exe[684] kernel32.dll!GetBinaryTypeW + 70 75CE7984 1 Byte [62]
.text C:\Windows\system32\lsass.exe[684] USER32.dll!UnhookWindowsHookEx 7564CC7B 5 Bytes JMP 00080A08
.text C:\Windows\system32\lsass.exe[684] USER32.dll!UnhookWinEvent 7564D924 5 Bytes JMP 000803FC
.text C:\Windows\system32\lsass.exe[684] USER32.dll!SetWindowsHookExW 7565210A 5 Bytes JMP 00080804
.text C:\Windows\system32\lsass.exe[684] USER32.dll!SetWinEventHook 7565507E 5 Bytes JMP 000801F8
.text C:\Windows\system32\lsass.exe[684] USER32.dll!SetWindowsHookExA 75676DFA 5 Bytes JMP 00080600
.text C:\Windows\system32\lsm.exe[692] ntdll.dll!LdrUnloadDll 7708BEAF 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsm.exe[692] ntdll.dll!LdrLoadDll 7708F5B5 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsm.exe[692] kernel32.dll!GetBinaryTypeW + 70 75CE7984 1 Byte [62]
.text C:\Windows\system32\svchost.exe[792] ntdll.dll!LdrUnloadDll 7708BEAF 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[792] ntdll.dll!LdrLoadDll 7708F5B5 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[792] kernel32.dll!GetBinaryTypeW + 70 75CE7984 1 Byte [62]
.text C:\Windows\system32\nvvsvc.exe[872] ntdll.dll!LdrUnloadDll 7708BEAF 5 Bytes JMP 001603FC
.text C:\Windows\system32\nvvsvc.exe[872] ntdll.dll!LdrLoadDll 7708F5B5 5 Bytes JMP 001601F8
.text C:\Windows\system32\nvvsvc.exe[872] kernel32.dll!GetBinaryTypeW + 70 75CE7984 1 Byte [62]
.text C:\Windows\system32\nvvsvc.exe[872] USER32.dll!UnhookWindowsHookEx 7564CC7B 5 Bytes JMP 001F0A08
.text C:\Windows\system32\nvvsvc.exe[872] USER32.dll!UnhookWinEvent 7564D924 5 Bytes JMP 001F03FC
.text C:\Windows\system32\nvvsvc.exe[872] USER32.dll!SetWindowsHookExW 7565210A 5 Bytes JMP 001F0804
.text C:\Windows\system32\nvvsvc.exe[872] USER32.dll!SetWinEventHook 7565507E 5 Bytes JMP 001F01F8
.text C:\Windows\system32\nvvsvc.exe[872] USER32.dll!SetWindowsHookExA 75676DFA 5 Bytes JMP 001F0600
.text C:\Windows\system32\svchost.exe[912] ntdll.dll!LdrUnloadDll 7708BEAF 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[912] ntdll.dll!LdrLoadDll 7708F5B5 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[912] kernel32.dll!GetBinaryTypeW + 70 75CE7984 1 Byte [62]
.text C:\Windows\System32\svchost.exe[976] ntdll.dll!LdrUnloadDll 7708BEAF 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[976] ntdll.dll!LdrLoadDll 7708F5B5 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[976] kernel32.dll!GetBinaryTypeW + 70 75CE7984 1 Byte [62]
.text C:\Windows\System32\svchost.exe[976] USER32.dll!UnhookWindowsHookEx 7564CC7B 5 Bytes JMP 001C0A08
.text C:\Windows\System32\svchost.exe[976] USER32.dll!UnhookWinEvent 7564D924 5 Bytes JMP 001C03FC
.text C:\Windows\System32\svchost.exe[976] USER32.dll!SetWindowsHookExW 7565210A 5 Bytes JMP 001C0804
.text C:\Windows\System32\svchost.exe[976] USER32.dll!SetWinEventHook 7565507E 5 Bytes JMP 001C01F8
.text C:\Windows\System32\svchost.exe[976] USER32.dll!SetWindowsHookExA 75676DFA 5 Bytes JMP 001C0600
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!LdrUnloadDll 7708BEAF 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!LdrLoadDll 7708F5B5 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[5304] ntdll.dll!LdrUnloadDll 7708BEAF 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[5304] ntdll.dll!LdrLoadDll 7708F5B5 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[5304] kernel32.dll!GetBinaryTypeW + 70 75CE7984 1 Byte [62]
.text C:\Program Files\Google\Update\GoogleUpdate.exe[5548] ntdll.dll!LdrUnloadDll 7708BEAF 5 Bytes JMP 001703FC
.text C:\Program Files\Google\Update\GoogleUpdate.exe[5548] ntdll.dll!LdrLoadDll 7708F5B5 5 Bytes JMP 001701F8
.text C:\Program Files\Google\Update\GoogleUpdate.exe[5548] kernel32.dll!GetBinaryTypeW + 70 75CE7984 1 Byte [62]
.text C:\Program Files\Google\Update\GoogleUpdate.exe[5548] USER32.dll!UnhookWindowsHookEx 7564CC7B 5 Bytes JMP 00210A08
.text C:\Program Files\Google\Update\GoogleUpdate.exe[5548] USER32.dll!UnhookWinEvent 7564D924 5 Bytes JMP 002103FC
.text C:\Program Files\Google\Update\GoogleUpdate.exe[5548] USER32.dll!SetWindowsHookExW 7565210A 5 Bytes JMP 00210804
.text C:\Program Files\Google\Update\GoogleUpdate.exe[5548] USER32.dll!SetWinEventHook 7565507E 5 Bytes JMP 002101F8
.text C:\Program Files\Google\Update\GoogleUpdate.exe[5548] USER32.dll!SetWindowsHookExA 75676DFA 5 Bytes JMP 00210600
.text C:\Windows\system32\sppsvc.exe[5644] ntdll.dll!LdrUnloadDll 7708BEAF 5 Bytes JMP 000703FC
.text C:\Windows\system32\sppsvc.exe[5644] ntdll.dll!LdrLoadDll 7708F5B5 5 Bytes JMP 000701F8
.text C:\Windows\system32\sppsvc.exe[5644] kernel32.dll!GetBinaryTypeW + 70 75CE7984 1 Byte [62]
.text C:\Windows\system32\sppsvc.exe[5644] USER32.dll!UnhookWindowsHookEx 7564CC7B 5 Bytes JMP 00150A08
.text C:\Windows\system32\sppsvc.exe[5644] USER32.dll!UnhookWinEvent 7564D924 5 Bytes JMP 001503FC
.text C:\Windows\system32\sppsvc.exe[5644] USER32.dll!SetWindowsHookExW 7565210A 5 Bytes JMP 00150804
.text C:\Windows\system32\sppsvc.exe[5644] USER32.dll!SetWinEventHook 7565507E 5 Bytes JMP 001501F8
.text C:\Windows\system32\sppsvc.exe[5644] USER32.dll!SetWindowsHookExA 75676DFA 5 Bytes JMP 00150600
.text C:\Windows\System32\svchost.exe[5704] ntdll.dll!LdrUnloadDll 7708BEAF 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[5704] ntdll.dll!LdrLoadDll 7708F5B5 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[5704] kernel32.dll!GetBinaryTypeW + 70 75CE7984 1 Byte [62]
.text C:\Windows\System32\svchost.exe[5704] USER32.dll!UnhookWindowsHookEx 7564CC7B 5 Bytes JMP 00110A08
.text C:\Windows\System32\svchost.exe[5704] USER32.dll!UnhookWinEvent 7564D924 5 Bytes JMP 001103FC
.text C:\Windows\System32\svchost.exe[5704] USER32.dll!SetWindowsHookExW 7565210A 5 Bytes JMP 00110804
.text C:\Windows\System32\svchost.exe[5704] USER32.dll!SetWinEventHook 7565507E 5 Bytes JMP 001101F8
.text C:\Windows\System32\svchost.exe[5704] USER32.dll!SetWindowsHookExA 75676DFA 5 Bytes JMP 00110600

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs C32731F8
Device \Driver\volmgr \Device\VolMgrControl C326F1F8
Device \Driver\usbuhci \Device\USBPDO-0 C3AB61F8
Device \Driver\usbuhci \Device\USBPDO-1 C3AB61F8
Device \Driver\usbuhci \Device\USBPDO-2 C3AB61F8
Device \Driver\usbuhci \Device\USBPDO-3 C3AB61F8
Device \Driver\usbehci \Device\USBPDO-4 C3AC1500

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\NetBT \Device\NetBT_Tcpip_{7AF5D18E-E13A-4FB0-9C61-557603A582AD} C39151F8
Device \Driver\volmgr \Device\HarddiskVolume1 C326F1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\sptd \Device\2878303493 sphm.sys
Device \Driver\PCI_PNP5492 \Device\00000058 sphm.sys
Device \Driver\cdrom \Device\CdRom0 C38021F8
Device \Driver\atapi \Device\Ide\IdePort0 C32711F8
Device \Driver\atapi \Device\Ide\IdePort1 C32711F8
Device \Driver\atapi \Device\Ide\IdePort2 C32711F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 C32711F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-4 C32711F8
Device \Driver\cdrom \Device\CdRom1 C38021F8
Device \Driver\cdrom \Device\CdRom2 C38021F8
Device \Driver\NetBT \Device\NetBt_Wins_Export C39151F8
Device \Driver\ACPI_HAL \Device\0000004d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\usbuhci \Device\USBFDO-0 C3AB61F8
Device \Driver\usbuhci \Device\USBFDO-1 C3AB61F8
Device \Driver\usbuhci \Device\USBFDO-2 C3AB61F8
Device \Driver\usbuhci \Device\USBFDO-3 C3AB61F8
Device \Driver\usbehci \Device\USBFDO-4 C3AC1500
Device \Driver\afcm897f \Device\Scsi\afcm897f1 C3B59500
Device \Driver\afcm897f \Device\Scsi\afcm897f1Port4Path0Target0Lun0 C3B59500
Device \FileSystem\cdfs \Cdfs C38981F8

---- Threads - GMER 1.0.15 ----

Thread System [4:440] C385616D
Thread System [4:728] C4288B90

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB4 0xD4 0x37 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB3 0x83 0xAA 0x65 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC8 0xCE 0x15 0xA2 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB4 0xD4 0x37 0x64 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB3 0x83 0xAA 0x65 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC8 0xCE 0x15 0xA2 ...

---- EOF - GMER 1.0.15 ----

Edited by Gcacti, 07 October 2011 - 11:08 PM.




#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:16 PM

Posted 11 October 2011 - 07:54 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine; if it does, click OK

Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.

Information and logs:

  • In your next post I need the following:
    • logs from DDS
    • log from RKUnHooker
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:16 PM

Posted 14 October 2011 - 12:24 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 Gcacti

Gcacti
  • Topic Starter

  • Members
  • 2 posts
  • Local time:02:16 PM

Posted 14 October 2011 - 01:18 AM

Hehe, thanks for the reply, but I've taken care of the issue at hand. I appreciate your offered help.

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:16 PM

Posted 14 October 2011 - 01:25 AM

Thanks for letting me know.


Gringo

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:16 PM

Posted 17 October 2011 - 07:57 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
