GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-14 11:47:35 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB2O 232,89GB Running: yh7cx9c1.exe; Driver: C:\Users\Ryba\AppData\Local\Temp\fxrcqaoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\services.exe[672] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[692] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[744] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[424] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[452] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1320] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\system32\WLANExt.exe[1412] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\Explorer.EXE[1624] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1820] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1844] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2168] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2400] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b03ae0 5 bytes JMP 00000001002e075c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b07a90 5 bytes JMP 00000001002e03a4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b31490 5 bytes JMP 00000001002e0b14 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b314f0 5 bytes JMP 00000001002e0ecc .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b315d0 5 bytes JMP 00000001002e163c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b31810 5 bytes JMP 00000001002e1284 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b32840 5 bytes JMP 00000001002e19f4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3216] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Program Files (x86)\Software Informer\softinfo.exe[1568] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077cdfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Software Informer\softinfo.exe[1568] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077cdfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Software Informer\softinfo.exe[1568] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cdfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Software Informer\softinfo.exe[1568] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ce0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Software Informer\softinfo.exe[1568] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ce1900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Software Informer\softinfo.exe[1568] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077cfc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Software Informer\softinfo.exe[1568] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d01217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Software Informer\softinfo.exe[1568] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000758ca30a 1 byte [62] .text C:\Program Files (x86)\Software Informer\softinfo.exe[1568] C:\Windows\syswow64\user32.DLL!SetWinEventHook 0000000075d5ee09 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\Software Informer\softinfo.exe[1568] C:\Windows\syswow64\user32.DLL!UnhookWinEvent 0000000075d63982 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\Software Informer\softinfo.exe[1568] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000075d67603 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\Software Informer\softinfo.exe[1568] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 0000000075d6835c 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\Software Informer\softinfo.exe[1568] C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx 0000000075d7f52b 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077cdfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077cdfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cdfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ce0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ce1900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077cfc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d01217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000758ca30a 1 byte [62] .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077805181 5 bytes JMP 0000000100141014 .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077805254 5 bytes JMP 0000000100140804 .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000778053d5 5 bytes JMP 0000000100140a08 .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000778054c2 5 bytes JMP 0000000100140c0c .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000778055e2 5 bytes JMP 0000000100140e10 .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007780567c 5 bytes JMP 00000001001401f8 .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007780589f 5 bytes JMP 00000001001403fc .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077805a22 5 bytes JMP 0000000100140600 .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075d5ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075d63982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075d67603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075d6835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe[836] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075d7f52b 5 bytes JMP 0000000100250a08 .text C:\Windows\system32\wbem\wmiprvse.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b03ae0 5 bytes JMP 000000010029075c .text C:\Windows\system32\wbem\wmiprvse.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b07a90 5 bytes JMP 00000001002903a4 .text C:\Windows\system32\wbem\wmiprvse.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b31490 5 bytes JMP 0000000100290b14 .text C:\Windows\system32\wbem\wmiprvse.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b314f0 5 bytes JMP 0000000100290ecc .text C:\Windows\system32\wbem\wmiprvse.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b315d0 5 bytes JMP 000000010029163c .text C:\Windows\system32\wbem\wmiprvse.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b31810 5 bytes JMP 0000000100291284 .text C:\Windows\system32\wbem\wmiprvse.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b32840 5 bytes JMP 00000001002919f4 .text C:\Windows\system32\wbem\wmiprvse.exe[3840] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\system32\wbem\unsecapp.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b03ae0 5 bytes JMP 00000001001e075c .text C:\Windows\system32\wbem\unsecapp.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b07a90 5 bytes JMP 00000001001e03a4 .text C:\Windows\system32\wbem\unsecapp.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b31490 5 bytes JMP 00000001001e0b14 .text C:\Windows\system32\wbem\unsecapp.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b314f0 5 bytes JMP 00000001001e0ecc .text C:\Windows\system32\wbem\unsecapp.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b315d0 5 bytes JMP 00000001001e163c .text C:\Windows\system32\wbem\unsecapp.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b31810 5 bytes JMP 00000001001e1284 .text C:\Windows\system32\wbem\unsecapp.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b32840 5 bytes JMP 00000001001e19f4 .text C:\Windows\system32\wbem\unsecapp.exe[3424] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077cdfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077cdfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cdfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ce0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ce1900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3644] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077cfc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3644] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d01217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3644] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000758ca30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3644] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075d5ee09 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3644] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075d63982 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3644] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075d67603 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3644] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075d6835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3644] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075d7f52b 5 bytes JMP 0000000100110a08 .text C:\Windows\system32\SearchIndexer.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b03ae0 5 bytes JMP 00000001001e075c .text C:\Windows\system32\SearchIndexer.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b07a90 5 bytes JMP 00000001001e03a4 .text C:\Windows\system32\SearchIndexer.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b31490 5 bytes JMP 00000001001e0b14 .text C:\Windows\system32\SearchIndexer.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b314f0 5 bytes JMP 00000001001e0ecc .text C:\Windows\system32\SearchIndexer.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b315d0 5 bytes JMP 00000001001e163c .text C:\Windows\system32\SearchIndexer.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b31810 5 bytes JMP 00000001001e1284 .text C:\Windows\system32\SearchIndexer.exe[3560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b32840 5 bytes JMP 00000001001e19f4 .text C:\Windows\system32\SearchIndexer.exe[3560] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3560] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffd36e00 5 bytes JMP 000007ff7fd51dac .text C:\Windows\system32\SearchIndexer.exe[3560] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffd36f2c 5 bytes JMP 000007ff7fd50ecc .text C:\Windows\system32\SearchIndexer.exe[3560] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffd37220 5 bytes JMP 000007ff7fd51284 .text C:\Windows\system32\SearchIndexer.exe[3560] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffd3739c 5 bytes JMP 000007ff7fd5163c .text C:\Windows\system32\SearchIndexer.exe[3560] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffd37538 5 bytes JMP 000007ff7fd519f4 .text C:\Windows\system32\SearchIndexer.exe[3560] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffd375e8 5 bytes JMP 000007ff7fd503a4 .text C:\Windows\system32\SearchIndexer.exe[3560] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffd3790c 5 bytes JMP 000007ff7fd5075c .text C:\Windows\system32\SearchIndexer.exe[3560] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffd37ab4 5 bytes JMP 000007ff7fd50b14 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3508] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758ca30a 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b03ae0 5 bytes JMP 000000010036075c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b07a90 5 bytes JMP 00000001003603a4 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b31490 5 bytes JMP 0000000100360b14 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b314f0 5 bytes JMP 0000000100360ecc .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b315d0 5 bytes JMP 000000010036163c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b31810 5 bytes JMP 0000000100361284 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b32840 5 bytes JMP 00000001003619f4 .text C:\Windows\System32\svchost.exe[4668] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b03ae0 5 bytes JMP 000000010021075c .text C:\Windows\System32\svchost.exe[4668] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b07a90 5 bytes JMP 00000001002103a4 .text C:\Windows\System32\svchost.exe[4668] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b31490 5 bytes JMP 0000000100210b14 .text C:\Windows\System32\svchost.exe[4668] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b314f0 5 bytes JMP 0000000100210ecc .text C:\Windows\System32\svchost.exe[4668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b315d0 5 bytes JMP 000000010021163c .text C:\Windows\System32\svchost.exe[4668] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b31810 5 bytes JMP 0000000100211284 .text C:\Windows\System32\svchost.exe[4668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b32840 5 bytes JMP 00000001002119f4 .text C:\Windows\System32\svchost.exe[4668] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffd36e00 5 bytes JMP 000007ff7fd51dac .text C:\Windows\System32\svchost.exe[4668] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffd36f2c 5 bytes JMP 000007ff7fd50ecc .text C:\Windows\System32\svchost.exe[4668] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffd37220 5 bytes JMP 000007ff7fd51284 .text C:\Windows\System32\svchost.exe[4668] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffd3739c 5 bytes JMP 000007ff7fd5163c .text C:\Windows\System32\svchost.exe[4668] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffd37538 5 bytes JMP 000007ff7fd519f4 .text C:\Windows\System32\svchost.exe[4668] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffd375e8 5 bytes JMP 000007ff7fd503a4 .text C:\Windows\System32\svchost.exe[4668] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffd3790c 5 bytes JMP 000007ff7fd5075c .text C:\Windows\System32\svchost.exe[4668] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffd37ab4 5 bytes JMP 000007ff7fd50b14 .text C:\Windows\System32\svchost.exe[4668] C:\Windows\system32\USER32.dll!UnhookWinEvent 00000000779e8550 5 bytes JMP 000000010038075c .text C:\Windows\System32\svchost.exe[4668] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 00000000779ed440 5 bytes JMP 0000000100381284 .text C:\Windows\System32\svchost.exe[4668] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000779ef874 5 bytes JMP 0000000100380ecc .text C:\Windows\System32\svchost.exe[4668] C:\Windows\system32\USER32.dll!SetWinEventHook 00000000779f4d4c 5 bytes JMP 00000001003803a4 .text C:\Windows\System32\svchost.exe[4668] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077a08c20 5 bytes JMP 0000000100380b14 .text C:\Windows\notepad.exe[3332] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\system32\taskeng.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b03ae0 5 bytes JMP 000000010024075c .text C:\Windows\system32\taskeng.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b07a90 5 bytes JMP 00000001002403a4 .text C:\Windows\system32\taskeng.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b31490 5 bytes JMP 0000000100240b14 .text C:\Windows\system32\taskeng.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b314f0 5 bytes JMP 0000000100240ecc .text C:\Windows\system32\taskeng.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b315d0 5 bytes JMP 000000010024163c .text C:\Windows\system32\taskeng.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b31810 5 bytes JMP 0000000100241284 .text C:\Windows\system32\taskeng.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b32840 5 bytes JMP 00000001002419f4 .text C:\Windows\system32\taskeng.exe[4456] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[1912] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007791eecd 1 byte [62] .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077cdfaa0 5 bytes JMP 0000000100030600 .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077cdfb38 5 bytes JMP 0000000100030804 .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cdfc90 5 bytes JMP 0000000100030c0c .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ce0018 5 bytes JMP 0000000100030a08 .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ce1900 5 bytes JMP 0000000100030e10 .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077cfc45a 5 bytes JMP 00000001000301f8 .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d01217 5 bytes JMP 00000001000303fc .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000758ca30a 1 byte [62] .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077805181 5 bytes JMP 0000000100241014 .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077805254 5 bytes JMP 0000000100240804 .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000778053d5 5 bytes JMP 0000000100240a08 .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000778054c2 5 bytes JMP 0000000100240c0c .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000778055e2 5 bytes JMP 0000000100240e10 .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007780567c 5 bytes JMP 00000001002401f8 .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007780589f 5 bytes JMP 00000001002403fc .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077805a22 5 bytes JMP 0000000100240600 .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075d5ee09 5 bytes JMP 00000001002501f8 .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075d63982 5 bytes JMP 00000001002503fc .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075d67603 5 bytes JMP 0000000100250804 .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075d6835c 5 bytes JMP 0000000100250600 .text C:\Users\Ryba\Downloads\yh7cx9c1.exe[4960] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075d7f52b 5 bytes JMP 0000000100250a08 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [452:1404] 000007fefaa759a0 Thread C:\Windows\System32\svchost.exe [452:1480] 000007fefd061a70 Thread C:\Windows\System32\svchost.exe [452:3964] 000007fef86644e0 Thread C:\Windows\System32\svchost.exe [452:3248] 000007fef88f88f8 Thread C:\Windows\System32\svchost.exe [452:1660] 000007feece2a2b0 Thread C:\Windows\system32\svchost.exe [660:3408] 000007fef730b1b0 Thread C:\Windows\system32\svchost.exe [792:3584] 000007fefad9506c Thread C:\Windows\system32\svchost.exe [792:3668] 000007fefb1f1c20 Thread C:\Windows\system32\svchost.exe [792:3712] 000007fefb1f1c20 Thread C:\Windows\system32\svchost.exe [792:3800] 000007fef44084d8 Thread C:\Windows\system32\svchost.exe [792:1488] 000007fef3cf23a8 Thread C:\Windows\system32\svchost.exe [792:3792] 000007fef3d50d00 Thread C:\Windows\system32\svchost.exe [792:1272] 000007fef3e19498 Thread C:\Windows\system32\svchost.exe [792:2628] 000007fefafe1ab0 Thread C:\Windows\system32\svchost.exe [792:1444] 000007fefadb4164 Thread C:\Windows\system32\svchost.exe [1288:3888] 000007fefb3a2888 Thread C:\Windows\system32\svchost.exe [1288:3124] 000007fefc0d2940 Thread C:\Windows\system32\svchost.exe [1288:3000] 000007fefb3a2a40 Thread C:\Windows\system32\WLANExt.exe [1412:1456] 000000018000b674 Thread C:\Windows\system32\WLANExt.exe [1412:1460] 000000018000b690 Thread C:\Windows\system32\WLANExt.exe [1412:1464] 000000018000b658 Thread C:\Windows\system32\WLANExt.exe [1412:1468] 0000000180022170 Thread C:\Windows\system32\WLANExt.exe [1412:1472] 000007fefa8a2f9c Thread C:\Windows\System32\spoolsv.exe [1820:3992] 000007fef68410c8 Thread C:\Windows\System32\spoolsv.exe [1820:2624] 000007fef6c66144 Thread C:\Windows\System32\spoolsv.exe [1820:3820] 000007fef6645fd0 Thread C:\Windows\System32\spoolsv.exe [1820:3996] 000007fef6c23438 Thread C:\Windows\System32\spoolsv.exe [1820:3428] 000007fef66463ec Thread C:\Windows\System32\spoolsv.exe [1820:3900] 000007fefa8c5e5c Thread C:\Windows\System32\spoolsv.exe [1820:2900] 000007fef6b25074 Thread [2212:4312] 0000000077d13e45 Thread C:\Windows\system32\svchost.exe [1208:3084] 000007fefbab8470 Thread C:\Windows\system32\svchost.exe [1208:3092] 000007fefbac2418 Thread C:\Windows\system32\wbem\wmiprvse.exe [3840:808] 000007fefb1f1c20 Thread C:\Windows\system32\wbem\wmiprvse.exe [3840:968] 000007feff190168 Thread C:\Windows\system32\wbem\wmiprvse.exe [3840:4768] 000007fef57810f0 Thread C:\Windows\System32\svchost.exe [4668:2972] 000007feed879688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Bind ?????????????????c??????????? ???????c??????in???????????????F??FF??????????? ??????????????????????????????????????????????????????????????????????? ???????????????????????????????????????f??? ?????????????????????0??L????????? ???????????????????????????????? ?????????????????????0????????????&???????????????????????? ?????????????????????0????????????????????? ???????????????????~?0????????~?????????????F??????k???????t???????????????o???e???????????B???????s??? ???????|??????t???? ???????m??????????6.1.7600.16385?ene??Microsoft?????F?????????????????????Ty???????????????????????m???????????e???????d??tunnel?269??tunnel?r)???? ???????A???????????????????? ?L???????11???????5?Xes??????????????l???6-21-2006???????1f??????????11??????????@??????????sHo??????????????????!????0??????????Po??czenie lokalne* 33?s5_??????????????? ?????????????????????0????????????&???????????????????????? ?????????????????????0?????????????????????????????????????????????????????????????|??????????????????????????????????? ????? Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Route ????????? ??d???????????????????????????????????????????????????????????????wpdbusenum\fs????????h??????s???????????????????????????????????Microsoft????????i??????????????????????????????STORAGE\VolumeSnapshot??Ex??H:\???????????????????????`??????????????????????}??????Numeric data processor???????d?h???j?????E??Microsoft?????????????&??????????e???????e??????????????.NT??????????????????????d???$????????????????????????????????????????????????????????????>?????????????? ??????????????????k???????u??STORAGE\Volume???????????????????????$???????????????????????????????$??????????????????????????????????????????battery.inf?????????????????????????????e????????`??????????????????????????tunnel?n?n??????????????????@disk.inf,%genmanufacturer%;(Standardowe stacje dysk?w)?????WPD?????????????????e???????$???4????? ??????? ????t?????????? ????????????????????????????????????????? ???????????$???4????? ??????? ????t?????????? ????????????????????????????????????????? ???????????$???4????? ??????? ????t?????????? Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Export ?????e??????????????*6to4mp?????????????????????????DiskDrive???? ???????@?????????????,?? ???&????????????????????????????????????????s{0??????????????????????????? ???????????????????@?,??????.??????????????e???????6??????????????????????1:Brightness=0.0,Contrast=1.0,Saturation=1.0,Gamma=0.0,Hue=0.0;2:Brightness=-3.0,Contrast=1.16,Saturation=1.25,Gamma=0.0,Hue=0.0;3:Brightness=-3.0,Contrast=1.07,Saturation=1.10,Gamma=0.0,Hue=0.0;4:Brightness=7.0,Contrast=1.25,Saturation=0.96,Gamma=0.0,Hue=0.0?C:??????0????????F???????????????????????????????????????k???????????????????k??? ?????????????????????,??????>????? ???????o????????????????????????????n?????????????????????????a????????????????????????h????????????S???????????n??????????????????????D???? ?????????????????????,??????B??????????????????!???????S????????????????n002???????@???0??????????????a-???????????-???????????h???????@???3??????????????????????????? ??????????????????????????????????????????? ??????????????????????????????????????? ???????@????? Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Linkage@Bind ?????k????N??????c??????????? ????????????????????????N?????F? ?M???????????????????????????????????????}???USB\VID_07B4&PID_0128\000JAX267818?rpo??? ??????????????????????????????????????????? ???????T?????????????,????????????k?????g????????????????? ???????j?????k?????k????????????#??????????O???????h???????e???k??? ???????k??????????????????????b???????????? ???????k??????????????????????\?????????????X??????????p?????????????????s?????????F?????k?&?????k?&???????????{?????s?????????????s??????el??? `???????????????????:??????????????????????k???????y???????k???????3???????h???????????????????y???k???????????k??? ???????j?????k?????k????????????$? ???????R??????? m???o???????k??? ???????k??????????????????????b???????????{4d36e972-e325-11ce-bfc1-08002be10318}\0002?? ??????????????????? x??????????????????l?l?/???k?????k?&??@netrasa.inf,%msft%;Microsoft?????N????????????D??????N??k?????????D?.??????????VgaSave?????{4d36e97d-e325-11ce-bfc1-08002be10318}???????????????????????k??? ???????j?????k?????k????????????%? ???????C?????4??m?????g?\?????? ????u???????????????????m?n?l?????k?&???????????????????????????|???????k???:???:???????????????n?n?????k???k? Reg HKLM\SYSTEM\ControlSet002\services\LanmanWorkstation\Linkage@Route ???T??????????????J??p???????????????q?q?p?????p????????????????t?????,??p?????????e?????????p??????p????????p???s??ep??????????????????????????????????????????? ???????n?????p?? ??p?2??????$???V?????????? F??p??????????????%SystemRoot%\system32\dhcpcore.dll????????R??p?????????e????@%SystemRoot%\system32\dhcpcore.dll,-100?????????p????????h?????%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted????????R??p?????????n????@%SystemRoot%\system32\dhcpcore.dll,-101????? 4??p??????????????NT Authority\LocalService??????? ???? ??? ??????????????????????????????????t???????????? ??????? ???????p???????????e??NSI?Tdx?Afd??BT???????,??p??? ??????? ??????????????t????p????????????????b??p??????????????????SeChangeNotifyPrivilege?SeCreateGlobalPrivilege??????p?p?p?p?p?p?p?p?p?p?p?p?p??????????????????????????? ???????p???????????o?2????????0???????????????2???????????????????????????? ???????p?????p???????9?????????????????e?????p?????p??? ???????p?????????????9????????????????????? ???????p?????p?????m? Reg HKLM\SYSTEM\ControlSet002\services\LanmanWorkstation\Linkage@Export ???p?p??localSystem?????6to4mp.ndi???????e??????????????t????????p??????????? ???????n???????????p????????$?p?_??????t????J??p?????????e????@%systemroot%\system32\eapsvc.dll,-1??????Z??p????????h?????%SystemRoot%\System32\svchost.exe -k netsvcs??????J??p?????????n????@%systemroot%\system32\eapsvc.dll,-2????? ???p??????????????????????????????????????????????t????????p?????????????????????????????? ????????????????p???????????e??RPCSS?KeyIso??????,???????????????????????????????????????p??p??????????????????SeTcbPrivilege?SeDebugPrivilege?SeImpersonatePrivilege???????p?p?p?p?p?p?p?p?p?p?p??????????? ???????p?????p?????????????????????????s??? ???????p?????p?????p?????????????????1???????p????? ???????p?????p?????????? ????????????4???????p????? ???????p?????p????????????????????????2??????p????? ???????p???????????p????????0?T?????1??????p????????????????:??p??????????????Windows Connect Now EAP Peer????? ?????????????????????p1????????????????????????????????????????????????????p?p?p???p????????????????????? ---- EOF - GMER 2.1 ----