GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-09-21 13:15:56 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST310005 rev.HP35 931.51GB Running: jr9jd7g3.exe; Driver: C:\Users\Danny\AppData\Local\Temp\kgtiapog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- User code sections - GMER 2.1 ---- .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000756e1401 2 bytes JMP 76a5eb26 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1560] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000756e1419 2 bytes JMP 76a6b513 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000756e1431 2 bytes JMP 76ae8609 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000756e144a 2 bytes CALL 76a41dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1560] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756e14dd 2 bytes JMP 76ae7efe C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756e14f5 2 bytes JMP 76ae80d8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1560] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000756e150d 2 bytes JMP 76ae7df4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000756e1525 2 bytes JMP 76ae81c2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000756e153d 2 bytes JMP 76a5f088 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1560] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000756e1555 2 bytes JMP 76a6b885 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000756e156d 2 bytes JMP 76ae86c1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000756e1585 2 bytes JMP 76ae8222 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1560] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000756e159d 2 bytes JMP 76ae7db8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756e15b5 2 bytes JMP 76a5f121 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756e15cd 2 bytes JMP 76a6b29f C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756e16b2 2 bytes JMP 76ae8584 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756e16bd 2 bytes JMP 76ae7d4d C:\Windows\syswow64\kernel32.dll .text c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1616] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000756e1401 2 bytes JMP 76a5eb26 C:\Windows\syswow64\kernel32.dll .text c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1616] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000756e1419 2 bytes JMP 76a6b513 C:\Windows\syswow64\kernel32.dll .text c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1616] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000756e1431 2 bytes JMP 76ae8609 C:\Windows\syswow64\kernel32.dll .text c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1616] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000756e144a 2 bytes CALL 76a41dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1616] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756e14dd 2 bytes JMP 76ae7efe C:\Windows\syswow64\kernel32.dll .text c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1616] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756e14f5 2 bytes JMP 76ae80d8 C:\Windows\syswow64\kernel32.dll .text c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1616] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000756e150d 2 bytes JMP 76ae7df4 C:\Windows\syswow64\kernel32.dll .text c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1616] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000756e1525 2 bytes JMP 76ae81c2 C:\Windows\syswow64\kernel32.dll .text c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1616] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000756e153d 2 bytes JMP 76a5f088 C:\Windows\syswow64\kernel32.dll .text c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1616] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000756e1555 2 bytes JMP 76a6b885 C:\Windows\syswow64\kernel32.dll .text c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1616] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000756e156d 2 bytes JMP 76ae86c1 C:\Windows\syswow64\kernel32.dll .text c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1616] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000756e1585 2 bytes JMP 76ae8222 C:\Windows\syswow64\kernel32.dll .text c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1616] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000756e159d 2 bytes JMP 76ae7db8 C:\Windows\syswow64\kernel32.dll .text c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1616] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756e15b5 2 bytes JMP 76a5f121 C:\Windows\syswow64\kernel32.dll .text c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1616] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756e15cd 2 bytes JMP 76a6b29f C:\Windows\syswow64\kernel32.dll .text c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1616] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756e16b2 2 bytes JMP 76ae8584 C:\Windows\syswow64\kernel32.dll .text c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1616] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756e16bd 2 bytes JMP 76ae7d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000756e1401 2 bytes JMP 76a5eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe[2144] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000756e1419 2 bytes JMP 76a6b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000756e1431 2 bytes JMP 76ae8609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000756e144a 2 bytes CALL 76a41dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe[2144] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756e14dd 2 bytes JMP 76ae7efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756e14f5 2 bytes JMP 76ae80d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe[2144] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000756e150d 2 bytes JMP 76ae7df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000756e1525 2 bytes JMP 76ae81c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000756e153d 2 bytes JMP 76a5f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe[2144] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000756e1555 2 bytes JMP 76a6b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000756e156d 2 bytes JMP 76ae86c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000756e1585 2 bytes JMP 76ae8222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe[2144] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000756e159d 2 bytes JMP 76ae7db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756e15b5 2 bytes JMP 76a5f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756e15cd 2 bytes JMP 76a6b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756e16b2 2 bytes JMP 76ae8584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756e16bd 2 bytes JMP 76ae7d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000756e1401 2 bytes JMP 76a5eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2812] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000756e1419 2 bytes JMP 76a6b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000756e1431 2 bytes JMP 76ae8609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000756e144a 2 bytes CALL 76a41dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2812] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756e14dd 2 bytes JMP 76ae7efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756e14f5 2 bytes JMP 76ae80d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2812] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000756e150d 2 bytes JMP 76ae7df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000756e1525 2 bytes JMP 76ae81c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000756e153d 2 bytes JMP 76a5f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2812] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000756e1555 2 bytes JMP 76a6b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000756e156d 2 bytes JMP 76ae86c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000756e1585 2 bytes JMP 76ae8222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2812] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000756e159d 2 bytes JMP 76ae7db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756e15b5 2 bytes JMP 76a5f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756e15cd 2 bytes JMP 76a6b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756e16b2 2 bytes JMP 76ae8584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756e16bd 2 bytes JMP 76ae7d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2612] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076a6b0c5 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000756e1401 2 bytes JMP 76a5eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2612] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000756e1419 2 bytes JMP 76a6b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000756e1431 2 bytes JMP 76ae8609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000756e144a 2 bytes CALL 76a41dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2612] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756e14dd 2 bytes JMP 76ae7efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756e14f5 2 bytes JMP 76ae80d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2612] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000756e150d 2 bytes JMP 76ae7df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000756e1525 2 bytes JMP 76ae81c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000756e153d 2 bytes JMP 76a5f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2612] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000756e1555 2 bytes JMP 76a6b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000756e156d 2 bytes JMP 76ae86c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000756e1585 2 bytes JMP 76ae8222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2612] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000756e159d 2 bytes JMP 76ae7db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756e15b5 2 bytes JMP 76a5f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756e15cd 2 bytes JMP 76a6b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756e16b2 2 bytes JMP 76ae8584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756e16bd 2 bytes JMP 76ae7d4d C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d2fd0 5 bytes JMP 00000001001c075c .text C:\Windows\system32\svchost.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e4a20 5 bytes JMP 00000001001c03a4 .text C:\Windows\system32\svchost.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077600030 5 bytes JMP 00000001001c0b14 .text C:\Windows\system32\svchost.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077600090 5 bytes JMP 00000001001c0ecc .text C:\Windows\system32\svchost.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077600170 5 bytes JMP 00000001001c163c .text C:\Windows\system32\svchost.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776003b0 5 bytes JMP 00000001001c1284 .text C:\Windows\system32\svchost.exe[6296] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776013e0 5 bytes JMP 00000001001c19f4 .text C:\Windows\system32\svchost.exe[6296] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000774ef1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[6296] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdb46e00 5 bytes JMP 000007ff7db61dac .text C:\Windows\system32\svchost.exe[6296] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdb46f2c 5 bytes JMP 000007ff7db60ecc .text C:\Windows\system32\svchost.exe[6296] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdb47220 5 bytes JMP 000007ff7db61284 .text C:\Windows\system32\svchost.exe[6296] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdb4739c 5 bytes JMP 000007ff7db6163c .text C:\Windows\system32\svchost.exe[6296] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdb47538 5 bytes JMP 000007ff7db619f4 .text C:\Windows\system32\svchost.exe[6296] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdb475e8 5 bytes JMP 000007ff7db603a4 .text C:\Windows\system32\svchost.exe[6296] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdb4790c 5 bytes JMP 000007ff7db6075c .text C:\Windows\system32\svchost.exe[6296] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdb47ab4 5 bytes JMP 000007ff7db60b14 .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777afa60 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777afaf8 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afc50 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777affd8 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000777b18c0 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000777cc0a2 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1067 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076a6b0c5 1 byte [62] .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007570f0e6 5 bytes JMP 00000001000e01f8 .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075713907 5 bytes JMP 00000001000e03fc .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075718364 5 bytes JMP 00000001000e0600 .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757206b3 5 bytes JMP 00000001000e0804 .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075730efc 5 bytes JMP 00000001000e0a08 .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076b35181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076b35254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076b353d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076b354c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076b355e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076b3567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076b3589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076b35a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000756e1401 2 bytes JMP 76a5eb26 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000756e1419 2 bytes JMP 76a6b513 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000756e1431 2 bytes JMP 76ae8609 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000756e144a 2 bytes CALL 76a41dfa C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756e14dd 2 bytes JMP 76ae7efe C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756e14f5 2 bytes JMP 76ae80d8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000756e150d 2 bytes JMP 76ae7df4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000756e1525 2 bytes JMP 76ae81c2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000756e153d 2 bytes JMP 76a5f088 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000756e1555 2 bytes JMP 76a6b885 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000756e156d 2 bytes JMP 76ae86c1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000756e1585 2 bytes JMP 76ae8222 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000756e159d 2 bytes JMP 76ae7db8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756e15b5 2 bytes JMP 76a5f121 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756e15cd 2 bytes JMP 76a6b29f C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756e16b2 2 bytes JMP 76ae8584 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5604] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756e16bd 2 bytes JMP 76ae7d4d C:\Windows\syswow64\KERNEL32.dll ? C:\Windows\system32\mssprxy.dll [5604] entry point in ".rdata" section 000000006e5771e6 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777afa60 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777afaf8 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afc50 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777affd8 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000777b18c0 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000777cc0a2 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1067 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076a6b0c5 1 byte [62] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076b35181 5 bytes JMP 00000001000b1014 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076b35254 5 bytes JMP 00000001000b0804 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076b353d5 5 bytes JMP 00000001000b0a08 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076b354c2 5 bytes JMP 00000001000b0c0c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076b355e2 5 bytes JMP 00000001000b0e10 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076b3567c 5 bytes JMP 00000001000b01f8 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076b3589f 5 bytes JMP 00000001000b03fc .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076b35a22 5 bytes JMP 00000001000b0600 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007570f0e6 5 bytes JMP 00000001000c01f8 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075713907 5 bytes JMP 00000001000c03fc .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075718364 5 bytes JMP 00000001000c0600 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757206b3 5 bytes JMP 00000001000c0804 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[6632] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075730efc 5 bytes JMP 00000001000c0a08 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777afa60 5 bytes JMP 0000000100180600 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777afaf8 5 bytes JMP 0000000100180804 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afc50 5 bytes JMP 0000000100180c0c .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777affd8 5 bytes JMP 0000000100180a08 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000777b18c0 5 bytes JMP 0000000100180e10 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000777cc0a2 5 bytes JMP 00000001001801f8 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1067 5 bytes JMP 00000001001803fc .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076a6b0c5 1 byte [62] .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007570f0e6 5 bytes JMP 00000001001b01f8 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075713907 5 bytes JMP 00000001001b03fc .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075718364 5 bytes JMP 00000001001b0600 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757206b3 5 bytes JMP 00000001001b0804 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075730efc 5 bytes JMP 00000001001b0a08 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076b35181 5 bytes JMP 00000001001c1014 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076b35254 5 bytes JMP 00000001001c0804 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076b353d5 5 bytes JMP 00000001001c0a08 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076b354c2 5 bytes JMP 00000001001c0c0c .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076b355e2 5 bytes JMP 00000001001c0e10 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076b3567c 5 bytes JMP 00000001001c01f8 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076b3589f 5 bytes JMP 00000001001c03fc .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe[6320] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076b35a22 5 bytes JMP 00000001001c0600 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777afa60 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777afaf8 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afc50 5 bytes JMP 0000000100090c0c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777affd8 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000777b18c0 5 bytes JMP 0000000100090e10 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000777cc0a2 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1067 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076a6b0c5 1 byte [62] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076b35181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076b35254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076b353d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076b354c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076b355e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076b3567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076b3589f 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076b35a22 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007570f0e6 5 bytes JMP 00000001000b01f8 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075713907 5 bytes JMP 00000001000b03fc .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075718364 5 bytes JMP 00000001000b0600 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757206b3 5 bytes JMP 00000001000b0804 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe[6944] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075730efc 5 bytes JMP 00000001000b0a08 .text C:\Users\Danny\Downloads\jr9jd7g3.exe[2340] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076a6b0c5 1 byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1840] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef919741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1840] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef9195f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1840] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef9195674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1840] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef9195e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1840] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef9197f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1840] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef9196a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1840] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef9196ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1840] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef9197b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1840] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef9197ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1840] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef91978b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1840] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef9194fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1840] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef9195d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1840] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef9197584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Windows\Explorer.EXE[2648] @ C:\Windows\System32\Actioncenter.dll[SHELL32.dll!Shell_NotifyIconW] [2452190] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!memcpy] [8b4820ec83485708] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!_amsg_exit] [85486575ffc78308] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!free] [6366058d486074c9] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!_initterm] [58d480189480000] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!malloc] [1041894800006374] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!_XcptFilter] [4800006381058d48] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!memmove] [6396058d48184189] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!memset] [8d48204189480000] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[ntdll.dll!RtlCaptureContext] [c9854840498b4828] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[ntdll.dll!RtlLookupFunctionEntry] [8000b841d2330e74] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[ntdll.dll!RtlVirtualUnwind] [5f4815ff0000] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!Sleep] [8d4820ec83485340] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!TerminateProcess] [bd15ff000064330d] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetSystemTimeAsFileTime] [8548d88b48000060] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetCurrentProcessId] [38244c8d4c6374c0] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetCurrentThreadId] [4100008fd9158d48] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetTickCount] [c88b4800000003b8] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!QueryPerformanceCounter] [c085000061d215ff] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!CreateThread] [4c3824548b484478] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!CancelIo] [48c933454024448d] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!CreateIoCompletionPort] [62c815ffcb8b] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!DeviceIoControl] [244c8b482a78c085] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!PostQueuedCompletionStatus] [8d4c30244c8d4c40] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!DefineDosDeviceA] [63ee158d48482444] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!SetUnhandledExceptionFilter] [8500005acde80000] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!UnhandledExceptionFilter] [4824448b480b74c0] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!WaitForSingleObject] [c03302eb0a40b70f] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!SetEvent] [ccccc35b20c48348] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!CreateEventA] [245c8948c3c03300] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!LocalAlloc] [fd158d48d98b48f8] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!CloseHandle] [5a39e8ce8b4800] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!LocalFree] [158d482474c08500] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!CreateFileA] [10b841000064f4] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetQueuedCompletionStatus] [5a20e8ce8b480000] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!WideCharToMultiByte] [83480b74c0850000] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!DisableThreadLibraryCalls] [eb80004002b80027] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!MultiByteToWideChar] [30245c8b48c03301] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!lstrlenW] [c483483824748b48] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetLastError] [1b8ccc35f20] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetCurrentProcess] [c0ff0841c10ff000] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[rtutils.dll!TraceRegisterExA] [5c8b48c78b00005e] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[rtutils.dll!TraceVprintfExA] [c35f20c483483024] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\kmddsp.tsp[rtutils.dll!TraceDeregisterA] [6c894808245c8948] IAT C:\Windows\system32\svchost.exe[6296] @ C:\Windows\system32\mshtml.dll[USER32.dll!GetCursorPos] [f2194] C:\Windows\system32\kmddsp.tsp ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\services.exe [584:6012] 00000000001c1de4 Thread C:\Windows\system32\services.exe [584:3116] 00000000001e2804 Thread C:\Windows\system32\services.exe [584:3020] 00000000001e2fe8 Thread C:\Windows\system32\services.exe [584:676] 00000000001e2fe8 Thread C:\Windows\system32\services.exe [584:3732] 00000000001e2fe8 Thread C:\Windows\system32\services.exe [584:3204] 00000000001e2fe8 Thread C:\Windows\system32\services.exe [584:4784] 00000000001f17e8 Thread C:\Windows\system32\services.exe [584:5856] 0000000000201390 Thread C:\Windows\system32\services.exe [584:380] 0000000000201238 Thread C:\Windows\Explorer.EXE [2648:4676] 0000000002451de4 ---- Services - GMER 2.1 ---- Service C:\Windows\system32\drivers\aswFsBlk.sys (*** hidden *** ) [AUTO] aswFsBlk <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswMonFlt.sys (*** hidden *** ) [AUTO] aswMonFlt <-- ROOTKIT !!! Service C:\Windows\System32\Drivers\aswrdr2.sys (*** hidden *** ) [SYSTEM] aswRdr <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswRvrt.sys (*** hidden *** ) [BOOT] aswRvrt <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswSnx.sys (*** hidden *** ) [SYSTEM] aswSnx <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswSP.sys (*** hidden *** ) [SYSTEM] aswSP <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswTdi.sys (*** hidden *** ) [SYSTEM] aswTdi <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswVmm.sys (*** hidden *** ) [BOOT] aswVmm <-- ROOTKIT !!! Service C:\Program Files\AVAST Software\Avast\AvastSvc.exe (*** hidden *** ) [AUTO] avast! Antivirus <-- ROOTKIT !!! ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Manages and implements avast! antivirus services for this computer. This includes the resident protection, the virus chest and the scheduler. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\ Reg HKLM\SYSTEM\CurrentControlSet\services\@Parameters\0\x202e\x2764 388 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.1 ---- File C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui 35328 bytes executable File C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui 15360 bytes executable File C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui 46592 bytes executable File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6FRS3SAL\on[1].js 3919 bytes File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WG6NQ6UL\UlIqmHJn-SK[1].gif 390 bytes File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WG6NQ6UL\xd_arbiter[1].php 26682 bytes File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WG6NQ6UL\yKVDNYHSXTA[1].css 56970 bytes File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WG6NQ6UL\GOSSIP-Footer[1].js 520 bytes File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WG6NQ6UL\CAF4FNR1.HTM 0 bytes File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZG4THF3I\GOSSIP-Header[1].js 2229 bytes File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZG4THF3I\front[1].asp 12656 bytes File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@intellitxt[1].txt 127 bytes File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ad.yieldmanager[2].txt 1352 bytes File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@openx[2].txt 504 bytes File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ox-d.bluefinmedianetwork[2].txt 138 bytes File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ox-d.gossipcenter[1].txt 125 bytes File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@w55c[2].txt 111 bytes ---- EOF - GMER 2.1 ----