GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-01 22:05:26 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500DM002-1BD142 rev.KC45 465,76GB Running: gmer.exe; Driver: C:\Users\Ireneusz\AppData\Local\Temp\awddapob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[592] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\system32\services.exe[648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\system32\lsass.exe[676] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\system32\winlogon.exe[828] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[964] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[1020] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[284] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1160] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\Explorer.EXE[1472] 
C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1700] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[1724] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007730b0c5 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1816] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007730b0c5 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1868] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1908] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1244] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2060] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2092] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c2fd0 5 bytes JMP 000000010011075c .text C:\Windows\system32\SearchIndexer.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778d4a20 5 bytes JMP 00000001001103a4 .text C:\Windows\system32\SearchIndexer.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778f0030 5 bytes JMP 0000000100110b14 .text C:\Windows\system32\SearchIndexer.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778f0090 5 bytes JMP 0000000100110ecc .text C:\Windows\system32\SearchIndexer.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f0170 5 bytes JMP 000000010011163c .text 
C:\Windows\system32\SearchIndexer.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778f03b0 5 bytes JMP 0000000100111284 .text C:\Windows\system32\SearchIndexer.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f13e0 5 bytes JMP 00000001001119f4 .text C:\Windows\system32\SearchIndexer.exe[2648] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2648] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007ff7ddd1dac .text C:\Windows\system32\SearchIndexer.exe[2648] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007ff7ddd0ecc .text C:\Windows\system32\SearchIndexer.exe[2648] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007ff7ddd1284 .text C:\Windows\system32\SearchIndexer.exe[2648] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007ff7ddd163c .text C:\Windows\system32\SearchIndexer.exe[2648] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007ff7ddd19f4 .text C:\Windows\system32\SearchIndexer.exe[2648] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007ff7ddd03a4 .text C:\Windows\system32\SearchIndexer.exe[2648] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007ff7ddd075c .text C:\Windows\system32\SearchIndexer.exe[2648] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007ff7ddd0b14 .text C:\Windows\system32\svchost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c2fd0 5 bytes JMP 00000001001c075c .text C:\Windows\system32\svchost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778d4a20 5 bytes JMP 00000001001c03a4 .text C:\Windows\system32\svchost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778f0030 5 bytes JMP 
00000001001c0b14 .text C:\Windows\system32\svchost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778f0090 5 bytes JMP 00000001001c0ecc .text C:\Windows\system32\svchost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f0170 5 bytes JMP 00000001001c163c .text C:\Windows\system32\svchost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778f03b0 5 bytes JMP 00000001001c1284 .text C:\Windows\system32\svchost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f13e0 5 bytes JMP 00000001001c19f4 .text C:\Windows\system32\svchost.exe[2792] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[2792] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007ff7ddd1dac .text C:\Windows\system32\svchost.exe[2792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007ff7ddd0ecc .text C:\Windows\system32\svchost.exe[2792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007ff7ddd1284 .text C:\Windows\system32\svchost.exe[2792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007ff7ddd163c .text C:\Windows\system32\svchost.exe[2792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007ff7ddd19f4 .text C:\Windows\system32\svchost.exe[2792] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007ff7ddd03a4 .text C:\Windows\system32\svchost.exe[2792] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007ff7ddd075c .text C:\Windows\system32\svchost.exe[2792] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007ff7ddd0b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c2fd0 5 bytes JMP 000000010013075c .text 
C:\Program Files\Windows Media Player\wmpnetwk.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778d4a20 5 bytes JMP 00000001001303a4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778f0030 5 bytes JMP 0000000100130b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778f0090 5 bytes JMP 0000000100130ecc .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f0170 5 bytes JMP 000000010013163c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778f03b0 5 bytes JMP 0000000100131284 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f13e0 5 bytes JMP 00000001001319f4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1992] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c2fd0 5 bytes JMP 00000001001c075c .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778d4a20 5 bytes JMP 00000001001c03a4 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778f0030 5 bytes JMP 00000001001c0b14 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778f0090 5 bytes JMP 00000001001c0ecc .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f0170 5 bytes JMP 00000001001c163c .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778f03b0 5 bytes JMP 00000001001c1284 .text C:\Windows\system32\svchost.exe[1212] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f13e0 5 bytes JMP 00000001001c19f4 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007ff7ddd1dac .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007ff7ddd0ecc .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007ff7ddd1284 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007ff7ddd163c .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007ff7ddd19f4 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007ff7ddd03a4 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007ff7ddd075c .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007ff7ddd0b14 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c2fd0 5 bytes JMP 000000010039075c .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778d4a20 5 bytes JMP 00000001003903a4 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778f0030 5 bytes JMP 0000000100390b14 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3224] 
C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778f0090 5 bytes JMP 0000000100390ecc .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f0170 5 bytes JMP 000000010039163c .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778f03b0 5 bytes JMP 0000000100391284 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f13e0 5 bytes JMP 00000001003919f4 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3224] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007ff7ddd1dac .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3224] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007ff7ddd0ecc .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3224] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007ff7ddd1284 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3224] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007ff7ddd163c .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3224] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007ff7ddd19f4 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3224] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007ff7ddd03a4 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3224] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007ff7ddd075c .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3224] 
C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007ff7ddd0b14 .text C:\Windows\System32\svchost.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c2fd0 5 bytes JMP 00000001002b075c .text C:\Windows\System32\svchost.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778d4a20 5 bytes JMP 00000001002b03a4 .text C:\Windows\System32\svchost.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778f0030 5 bytes JMP 00000001002b0b14 .text C:\Windows\System32\svchost.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778f0090 5 bytes JMP 00000001002b0ecc .text C:\Windows\System32\svchost.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f0170 5 bytes JMP 00000001002b163c .text C:\Windows\System32\svchost.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778f03b0 5 bytes JMP 00000001002b1284 .text C:\Windows\System32\svchost.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f13e0 5 bytes JMP 00000001002b19f4 .text C:\Windows\System32\svchost.exe[3696] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[3696] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007ff7ddd1dac .text C:\Windows\System32\svchost.exe[3696] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007ff7ddd0ecc .text C:\Windows\System32\svchost.exe[3696] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007ff7ddd1284 .text C:\Windows\System32\svchost.exe[3696] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007ff7ddd163c .text C:\Windows\System32\svchost.exe[3696] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007ff7ddd19f4 .text C:\Windows\System32\svchost.exe[3696] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 
000007fefddb75e8 5 bytes JMP 000007ff7ddd03a4 .text C:\Windows\System32\svchost.exe[3696] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007ff7ddd075c .text C:\Windows\System32\svchost.exe[3696] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007ff7ddd0b14 .text C:\Windows\System32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c2fd0 5 bytes JMP 00000001002d075c .text C:\Windows\System32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778d4a20 5 bytes JMP 00000001002d03a4 .text C:\Windows\System32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778f0030 5 bytes JMP 00000001002d0b14 .text C:\Windows\System32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778f0090 5 bytes JMP 00000001002d0ecc .text C:\Windows\System32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f0170 5 bytes JMP 00000001002d163c .text C:\Windows\System32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778f03b0 5 bytes JMP 00000001002d1284 .text C:\Windows\System32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f13e0 5 bytes JMP 00000001002d19f4 .text C:\Windows\System32\svchost.exe[1968] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007ff7ddd1dac .text C:\Windows\System32\svchost.exe[1968] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007ff7ddd0ecc .text C:\Windows\System32\svchost.exe[1968] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007ff7ddd1284 .text C:\Windows\System32\svchost.exe[1968] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007ff7ddd163c .text C:\Windows\System32\svchost.exe[1968] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 
000007ff7ddd19f4 .text C:\Windows\System32\svchost.exe[1968] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007ff7ddd03a4 .text C:\Windows\System32\svchost.exe[1968] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007ff7ddd075c .text C:\Windows\System32\svchost.exe[1968] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007ff7ddd0b14 .text C:\Windows\system32\wuauclt.exe[776] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c2fd0 5 bytes JMP 000000010016075c .text C:\Windows\system32\wuauclt.exe[776] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778d4a20 5 bytes JMP 00000001001603a4 .text C:\Windows\system32\wuauclt.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778f0030 5 bytes JMP 0000000100160b14 .text C:\Windows\system32\wuauclt.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778f0090 5 bytes JMP 0000000100160ecc .text C:\Windows\system32\wuauclt.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f0170 5 bytes JMP 000000010016163c .text C:\Windows\system32\wuauclt.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778f03b0 5 bytes JMP 0000000100161284 .text C:\Windows\system32\wuauclt.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f13e0 5 bytes JMP 00000001001619f4 .text C:\Windows\system32\wuauclt.exe[776] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007ff7ddd1dac .text C:\Windows\system32\wuauclt.exe[776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007ff7ddd0ecc .text C:\Windows\system32\wuauclt.exe[776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007ff7ddd1284 .text C:\Windows\system32\wuauclt.exe[776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007ff7ddd163c .text 
C:\Windows\system32\wuauclt.exe[776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007ff7ddd19f4 .text C:\Windows\system32\wuauclt.exe[776] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007ff7ddd03a4 .text C:\Windows\system32\wuauclt.exe[776] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007ff7ddd075c .text C:\Windows\system32\wuauclt.exe[776] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007ff7ddd0b14 .text C:\Windows\system32\AUDIODG.EXE[3728] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c2fd0 5 bytes JMP 000000010038075c .text C:\Windows\system32\AUDIODG.EXE[3728] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778d4a20 5 bytes JMP 00000001003803a4 .text C:\Windows\system32\AUDIODG.EXE[3728] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778f0030 5 bytes JMP 0000000100380b14 .text C:\Windows\system32\AUDIODG.EXE[3728] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778f0090 5 bytes JMP 0000000100380ecc .text C:\Windows\system32\AUDIODG.EXE[3728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f0170 5 bytes JMP 000000010038163c .text C:\Windows\system32\AUDIODG.EXE[3728] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778f03b0 5 bytes JMP 0000000100381284 .text C:\Windows\system32\AUDIODG.EXE[3728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f13e0 5 bytes JMP 00000001003819f4 .text C:\Windows\system32\AUDIODG.EXE[3728] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[3728] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007ff7ddd1dac .text C:\Windows\system32\AUDIODG.EXE[3728] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007ff7ddd0ecc .text C:\Windows\system32\AUDIODG.EXE[3728] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007ff7ddd1284 .text C:\Windows\system32\AUDIODG.EXE[3728] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007ff7ddd163c .text C:\Windows\system32\AUDIODG.EXE[3728] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007ff7ddd19f4 .text C:\Windows\system32\AUDIODG.EXE[3728] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007ff7ddd03a4 .text C:\Windows\system32\AUDIODG.EXE[3728] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007ff7ddd075c .text C:\Windows\system32\AUDIODG.EXE[3728] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007ff7ddd0b14 .text C:\Windows\system32\sppsvc.exe[2852] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\system32\sppsvc.exe[2852] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007ff7ddd1dac .text C:\Windows\system32\sppsvc.exe[2852] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007ff7ddd0ecc .text C:\Windows\system32\sppsvc.exe[2852] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007ff7ddd1284 .text C:\Windows\system32\sppsvc.exe[2852] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007ff7ddd163c .text C:\Windows\system32\sppsvc.exe[2852] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007ff7ddd19f4 .text C:\Windows\system32\sppsvc.exe[2852] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007ff7ddd03a4 .text C:\Windows\system32\sppsvc.exe[2852] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007ff7ddd075c .text C:\Windows\system32\sppsvc.exe[2852] C:\Windows\SYSTEM32\sechost.dll!DeleteService 
000007fefddb7ab4 5 bytes JMP 000007ff7ddd0b14 .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a9fa60 5 bytes JMP 0000000100030600 .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a9faf8 5 bytes JMP 0000000100030804 .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a9fc50 5 bytes JMP 0000000100030c0c .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a9ffd8 5 bytes JMP 0000000100030a08 .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077aa18c0 5 bytes JMP 0000000100030e10 .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077abc0a2 5 bytes JMP 00000001000301f8 .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ac1067 5 bytes JMP 00000001000303fc .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007730b0c5 1 byte [62] .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\user32.DLL!SetWinEventHook 000000007569f0e6 5 bytes JMP 00000001002501f8 .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\user32.DLL!UnhookWinEvent 00000000756a3907 5 bytes JMP 00000001002503fc .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 00000000756a8364 5 bytes JMP 0000000100250600 .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 00000000756b06b3 5 bytes JMP 0000000100250804 .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx 00000000756c0efc 5 bytes JMP 0000000100250a08 .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075c95181 5 bytes JMP 
0000000100261014 .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075c95254 5 bytes JMP 0000000100260804 .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075c953d5 5 bytes JMP 0000000100260a08 .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075c954c2 5 bytes JMP 0000000100260c0c .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075c955e2 5 bytes JMP 0000000100260e10 .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075c9567c 5 bytes JMP 00000001002601f8 .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075c9589f 5 bytes JMP 00000001002603fc .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075c95a22 5 bytes JMP 0000000100260600 .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExW + 17 0000000075781401 2 bytes JMP 772feb26 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\PSAPI.dll!EnumProcessModules + 17 0000000075781419 2 bytes JMP 7730b513 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 17 0000000075781431 2 bytes JMP 77388609 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 42 000000007578144a 2 bytes CALL 772e1dfa C:\Windows\syswow64\KERNEL32.dll .text ... 
* 9 .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\PSAPI.dll!EnumDeviceDrivers + 17 00000000757814dd 2 bytes JMP 77387efe C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameA + 17 00000000757814f5 2 bytes JMP 773880d8 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSetEx + 17 000000007578150d 2 bytes JMP 77387df4 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameW + 17 0000000075781525 2 bytes JMP 773881c2 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameW + 17 000000007578153d 2 bytes JMP 772ff088 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\PSAPI.dll!EnumProcesses + 17 0000000075781555 2 bytes JMP 7730b885 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\PSAPI.dll!GetProcessMemoryInfo + 17 000000007578156d 2 bytes JMP 773886c1 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\PSAPI.dll!GetPerformanceInfo + 17 0000000075781585 2 bytes JMP 77388222 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSet + 17 000000007578159d 2 bytes JMP 77387db8 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameA + 17 00000000757815b5 2 bytes JMP 772ff121 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExA + 17 00000000757815cd 2 bytes JMP 7730b29f C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 20 
00000000757816b2 2 bytes JMP 77388584 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ireneusz\Desktop\OTL.scr[3092] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 31 00000000757816bd 2 bytes JMP 77387d4d C:\Windows\syswow64\KERNEL32.dll .text C:\Windows\notepad.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c2fd0 5 bytes JMP 000000010045075c .text C:\Windows\notepad.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778d4a20 5 bytes JMP 00000001004503a4 .text C:\Windows\notepad.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778f0030 5 bytes JMP 0000000100450b14 .text C:\Windows\notepad.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778f0090 5 bytes JMP 0000000100450ecc .text C:\Windows\notepad.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f0170 5 bytes JMP 000000010045163c .text C:\Windows\notepad.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778f03b0 5 bytes JMP 0000000100451284 .text C:\Windows\notepad.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f13e0 5 bytes JMP 00000001004519f4 .text C:\Windows\notepad.exe[1860] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\notepad.exe[1860] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007ff7ddd1dac .text C:\Windows\notepad.exe[1860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007ff7ddd0ecc .text C:\Windows\notepad.exe[1860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007ff7ddd1284 .text C:\Windows\notepad.exe[1860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007ff7ddd163c .text C:\Windows\notepad.exe[1860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007ff7ddd19f4 .text C:\Windows\notepad.exe[1860] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007ff7ddd03a4 .text C:\Windows\notepad.exe[1860] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007ff7ddd075c .text C:\Windows\notepad.exe[1860] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007ff7ddd0b14 .text C:\Windows\notepad.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778c2fd0 5 bytes JMP 000000010012075c .text C:\Windows\notepad.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778d4a20 5 bytes JMP 00000001001203a4 .text C:\Windows\notepad.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778f0030 5 bytes JMP 0000000100120b14 .text C:\Windows\notepad.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778f0090 5 bytes JMP 0000000100120ecc .text C:\Windows\notepad.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f0170 5 bytes JMP 000000010012163c .text C:\Windows\notepad.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778f03b0 5 bytes JMP 0000000100121284 .text C:\Windows\notepad.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f13e0 5 bytes JMP 00000001001219f4 .text C:\Windows\notepad.exe[1048] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777df1bd 1 byte [62] .text C:\Windows\notepad.exe[1048] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefddb6e00 5 bytes JMP 000007ff7ddd1dac .text C:\Windows\notepad.exe[1048] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefddb6f2c 5 bytes JMP 000007ff7ddd0ecc .text C:\Windows\notepad.exe[1048] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefddb7220 5 bytes JMP 000007ff7ddd1284 .text C:\Windows\notepad.exe[1048] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefddb739c 5 bytes JMP 000007ff7ddd163c .text C:\Windows\notepad.exe[1048] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefddb7538 5 bytes JMP 000007ff7ddd19f4 .text C:\Windows\notepad.exe[1048] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefddb75e8 5 bytes JMP 000007ff7ddd03a4 .text C:\Windows\notepad.exe[1048] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefddb790c 5 bytes JMP 000007ff7ddd075c .text C:\Windows\notepad.exe[1048] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefddb7ab4 5 bytes JMP 000007ff7ddd0b14 .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a9fa60 5 bytes JMP 0000000100030600 .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a9faf8 5 bytes JMP 0000000100030804 .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a9fc50 5 bytes JMP 0000000100030c0c .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a9ffd8 5 bytes JMP 0000000100030a08 .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077aa18c0 5 bytes JMP 0000000100030e10 .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077abc0a2 5 bytes JMP 00000001000301f8 .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ac1067 5 bytes JMP 00000001000303fc .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007730b0c5 1 byte [62] .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075c95181 5 bytes JMP 00000001001d1014 .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075c95254 5 bytes JMP 00000001001d0804 .text 
C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075c953d5 5 bytes JMP 00000001001d0a08 .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075c954c2 5 bytes JMP 00000001001d0c0c .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075c955e2 5 bytes JMP 00000001001d0e10 .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075c9567c 5 bytes JMP 00000001001d01f8 .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075c9589f 5 bytes JMP 00000001001d03fc .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075c95a22 5 bytes JMP 00000001001d0600 .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007569f0e6 5 bytes JMP 00000001001e01f8 .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000756a3907 5 bytes JMP 00000001001e03fc .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756a8364 5 bytes JMP 00000001001e0600 .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756b06b3 5 bytes JMP 00000001001e0804 .text C:\Users\Ireneusz\Desktop\Irek\gmer.exe[1708] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756c0efc 5 bytes JMP 00000001001e0a08 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2092] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fefc37741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows 
Live\WLIDSVC.EXE[2092] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fefc375f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2092] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fefc375674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2092] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fefc375e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2092] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fefc377f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2092] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fefc376a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2092] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fefc376ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2092] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fefc377b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2092] @ C:\Program Files\Common Files\Microsoft Shared\Windows 
Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fefc377ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2092] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fefc3778b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2092] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fefc374fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2092] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fefc375d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2092] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fefc377584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1992:1120] 000007fefe083570 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1992:3096] 000007fefbc12a74 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1992:3132] 000007fef445dc08 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1992:3852] 000007fef80b5124 Thread C:\Windows\System32\svchost.exe [1968:4044] 000007fef2759688 ---- Services - GMER 2.1 ---- Service C:\Windows\system32\drivers\aswFsBlk.sys (*** hidden *** ) [AUTO] aswFsBlk <-- ROOTKIT !!! 
Service C:\Windows\system32\drivers\aswMonFlt.sys (*** hidden *** ) [AUTO] aswMonFlt <-- ROOTKIT !!! Service C:\Windows\System32\Drivers\aswrdr2.sys (*** hidden *** ) [SYSTEM] aswRdr <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswRvrt.sys (*** hidden *** ) [BOOT] aswRvrt <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswSnx.sys (*** hidden *** ) [SYSTEM] aswSnx <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswSP.sys (*** hidden *** ) [SYSTEM] aswSP <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswTdi.sys (*** hidden *** ) [SYSTEM] aswTdi <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswVmm.sys (*** hidden *** ) [BOOT] aswVmm <-- ROOTKIT !!! Service C:\Program Files\AVAST Software\Avast\AvastSvc.exe (*** hidden *** ) [AUTO] avast! Antivirus <-- ROOTKIT !!! ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 49 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 375549 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 49 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 375549 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. ---- EOF - GMER 2.1 ----