GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-06-11 01:04:42 Windows 6.0.6002 Service Pack 2 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD64 rev.01.0 596,17GB Running: 6ju9prz5.exe; Driver: C:\Users\Jacek\AppData\Local\Temp\ugloypow.sys ---- Kernel code sections - GMER 2.2 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\svchost.exe[3472] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Windows\system32\svchost.exe[3520] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[3520] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[3520] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[3520] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[3520] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[3520] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[3520] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[3520] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[3520] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[3520] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[3520] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[3520] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[3520] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[3608] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[3608] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[3608] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[3608] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[3608] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[3608] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[3608] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[3608] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[3608] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[3608] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[3608] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[3608] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[3608] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3816] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3816] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3816] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3816] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3816] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3816] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3816] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3816] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3816] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3816] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3816] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3816] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3816] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Windows\System32\WUDFHost.exe[3964] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\WUDFHost.exe[3964] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Windows\System32\WUDFHost.exe[3964] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\WUDFHost.exe[3964] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Windows\System32\WUDFHost.exe[3964] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\WUDFHost.exe[3964] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\WUDFHost.exe[3964] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Windows\System32\WUDFHost.exe[3964] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Windows\System32\WUDFHost.exe[3964] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\WUDFHost.exe[3964] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Windows\System32\WUDFHost.exe[3964] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Windows\System32\WUDFHost.exe[3964] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\WUDFHost.exe[3964] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\MyDrive Connect\TomTom MyDrive Connect.exe[4416] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076fc9590 5 bytes JMP 0000000072e83120 .text C:\Program Files (x86)\MyDrive Connect\TomTom MyDrive Connect.exe[4416] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fc96f8 5 bytes JMP 0000000072e824a0 .text C:\Program Files (x86)\MyDrive Connect\TomTom MyDrive Connect.exe[4416] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fc98a8 5 bytes JMP 0000000072e82330 .text C:\Program Files (x86)\MyDrive Connect\TomTom MyDrive Connect.exe[4416] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076fc9938 5 bytes JMP 0000000072e828e0 .text C:\Program Files (x86)\MyDrive Connect\TomTom MyDrive Connect.exe[4416] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076fc99f8 5 bytes JMP 0000000072e82790 .text C:\Program Files (x86)\MyDrive Connect\TomTom MyDrive Connect.exe[4416] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076fc9ae8 5 bytes JMP 0000000072e82660 .text C:\Program Files (x86)\MyDrive Connect\TomTom MyDrive Connect.exe[4416] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fca208 5 bytes JMP 0000000072e82a20 .text C:\Program Files (x86)\MyDrive Connect\TomTom MyDrive Connect.exe[4416] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076fca2c8 5 bytes JMP 0000000072e82cb0 .text C:\Program Files (x86)\MyDrive Connect\TomTom MyDrive Connect.exe[4416] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076fca370 5 bytes JMP 0000000072e82f40 .text C:\Program Files (x86)\MyDrive Connect\TomTom MyDrive Connect.exe[4416] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076fca9f8 5 bytes JMP 0000000072e82b70 .text C:\Program Files (x86)\MyDrive Connect\TomTom MyDrive Connect.exe[4416] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076fcaa70 5 bytes JMP 0000000072e82e00 .text C:\Program Files (x86)\MyDrive Connect\TomTom MyDrive Connect.exe[4416] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077016fc1 5 bytes JMP 0000000072e82fd0 .text C:\Program Files (x86)\MyDrive Connect\TomTom MyDrive Connect.exe[4416] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077018a56 5 bytes JMP 0000000072e830c0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[4564] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[4564] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[4564] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[4564] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[4564] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[4564] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[4564] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[4564] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[4564] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[4564] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[4564] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[4564] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[4564] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[4872] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[4872] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[4872] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[4872] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[4872] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[4872] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[4872] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[4872] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[4872] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[4872] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[4872] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[4872] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[4872] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4960] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4960] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4960] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4960] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4960] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4960] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4960] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4960] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4960] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4960] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4960] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4960] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4960] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076fc9590 5 bytes JMP 0000000072e83120 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fc96f8 5 bytes JMP 0000000072e824a0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fc98a8 5 bytes JMP 0000000072e82330 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076fc9938 5 bytes JMP 0000000072e828e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076fc99f8 5 bytes JMP 0000000072e82790 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076fc9ae8 5 bytes JMP 0000000072e82660 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fca208 5 bytes JMP 0000000072e82a20 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076fca2c8 5 bytes JMP 0000000072e82cb0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076fca370 5 bytes JMP 0000000072e82f40 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076fca9f8 5 bytes JMP 0000000072e82b70 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5096] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076fcaa70 5 bytes JMP 0000000072e82e00 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5096] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077016fc1 5 bytes JMP 0000000072e82fd0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5096] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077018a56 5 bytes JMP 0000000072e830c0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2848] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2848] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2848] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2848] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2848] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2848] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2848] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2848] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2848] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2848] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2848] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2848] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2848] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Windows\system32\taskeng.exe[4184] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\taskeng.exe[4184] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Windows\system32\taskeng.exe[4184] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\taskeng.exe[4184] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Windows\system32\taskeng.exe[4184] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\taskeng.exe[4184] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\taskeng.exe[4184] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Windows\system32\taskeng.exe[4184] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Windows\system32\taskeng.exe[4184] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\taskeng.exe[4184] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Windows\system32\taskeng.exe[4184] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\taskeng.exe[4184] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\taskeng.exe[4184] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Windows\system32\ctfmon.exe[3288] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\ctfmon.exe[3288] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Windows\system32\ctfmon.exe[3288] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\ctfmon.exe[3288] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Windows\system32\ctfmon.exe[3288] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\ctfmon.exe[3288] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\ctfmon.exe[3288] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Windows\system32\ctfmon.exe[3288] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Windows\system32\ctfmon.exe[3288] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\ctfmon.exe[3288] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Windows\system32\ctfmon.exe[3288] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\ctfmon.exe[3288] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\ctfmon.exe[3288] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[3224] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Windows\System32\mobsync.exe[3140] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\mobsync.exe[3140] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Windows\System32\mobsync.exe[3140] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\mobsync.exe[3140] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Windows\System32\mobsync.exe[3140] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\mobsync.exe[3140] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\mobsync.exe[3140] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Windows\System32\mobsync.exe[3140] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Windows\System32\mobsync.exe[3140] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\mobsync.exe[3140] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Windows\System32\mobsync.exe[3140] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Windows\System32\mobsync.exe[3140] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\mobsync.exe[3140] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Windows\system32\wuauclt.exe[3068] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\wuauclt.exe[3068] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Windows\system32\wuauclt.exe[3068] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\wuauclt.exe[3068] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Windows\system32\wuauclt.exe[3068] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\wuauclt.exe[3068] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\wuauclt.exe[3068] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Windows\system32\wuauclt.exe[3068] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Windows\system32\wuauclt.exe[3068] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\wuauclt.exe[3068] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Windows\system32\wuauclt.exe[3068] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\wuauclt.exe[3068] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\wuauclt.exe[3068] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Windows\system32\NOTEPAD.EXE[1376] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\NOTEPAD.EXE[1376] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Windows\system32\NOTEPAD.EXE[1376] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\NOTEPAD.EXE[1376] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Windows\system32\NOTEPAD.EXE[1376] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\NOTEPAD.EXE[1376] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\NOTEPAD.EXE[1376] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Windows\system32\NOTEPAD.EXE[1376] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Windows\system32\NOTEPAD.EXE[1376] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\NOTEPAD.EXE[1376] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Windows\system32\NOTEPAD.EXE[1376] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\NOTEPAD.EXE[1376] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\NOTEPAD.EXE[1376] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Program Files\Opera x64\opera.exe[2840] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Program Files\Opera x64\opera.exe[2840] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Program Files\Opera x64\opera.exe[2840] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Opera x64\opera.exe[2840] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Program Files\Opera x64\opera.exe[2840] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Program Files\Opera x64\opera.exe[2840] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Opera x64\opera.exe[2840] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Program Files\Opera x64\opera.exe[2840] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Program Files\Opera x64\opera.exe[2840] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Program Files\Opera x64\opera.exe[2840] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Program Files\Opera x64\opera.exe[2840] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Program Files\Opera x64\opera.exe[2840] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Program Files\Opera x64\opera.exe[2840] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Windows\System32\charmap.exe[2364] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\charmap.exe[2364] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Windows\System32\charmap.exe[2364] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\charmap.exe[2364] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Windows\System32\charmap.exe[2364] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\charmap.exe[2364] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\charmap.exe[2364] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Windows\System32\charmap.exe[2364] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Windows\System32\charmap.exe[2364] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\charmap.exe[2364] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Windows\System32\charmap.exe[2364] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Windows\System32\charmap.exe[2364] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\charmap.exe[2364] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Windows\system32\NOTEPAD.EXE[1128] C:\Windows\system32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076de7030 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\NOTEPAD.EXE[1128] C:\Windows\system32\ntdll.dll!NtQueryInformationProcess 0000000076e07000 5 bytes JMP 0000000000020678 .text C:\Windows\system32\NOTEPAD.EXE[1128] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 0000000076e070f0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\NOTEPAD.EXE[1128] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 0000000076e07210 5 bytes JMP 0000000000020018 .text C:\Windows\system32\NOTEPAD.EXE[1128] C:\Windows\system32\ntdll.dll!NtOpenEvent 0000000076e07270 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\NOTEPAD.EXE[1128] C:\Windows\system32\ntdll.dll!NtCreateEvent 0000000076e072f0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\NOTEPAD.EXE[1128] C:\Windows\system32\ntdll.dll!NtResumeThread 0000000076e07390 5 bytes JMP 0000000000020128 .text C:\Windows\system32\NOTEPAD.EXE[1128] C:\Windows\system32\ntdll.dll!NtCreateMutant 0000000076e07850 5 bytes JMP 0000000000020238 .text C:\Windows\system32\NOTEPAD.EXE[1128] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 0000000076e078d0 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\NOTEPAD.EXE[1128] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 0000000076e07940 5 bytes JMP 0000000000020348 .text C:\Windows\system32\NOTEPAD.EXE[1128] C:\Windows\system32\ntdll.dll!NtOpenMutant 0000000076e07da0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\NOTEPAD.EXE[1128] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 0000000076e07df0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\NOTEPAD.EXE[1128] C:\Windows\system32\ntdll.dll!RtlDecompressBuffer 0000000076e53870 5 bytes JMP 0000000000020568 .text C:\Users\Jacek\Downloads\6ju9prz5.exe[6000] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076fc9590 5 bytes JMP 0000000072e83120 .text C:\Users\Jacek\Downloads\6ju9prz5.exe[6000] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fc96f8 5 bytes JMP 0000000072e824a0 .text C:\Users\Jacek\Downloads\6ju9prz5.exe[6000] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fc98a8 5 bytes JMP 0000000072e82330 .text C:\Users\Jacek\Downloads\6ju9prz5.exe[6000] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076fc9938 5 bytes JMP 0000000072e828e0 .text C:\Users\Jacek\Downloads\6ju9prz5.exe[6000] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076fc99f8 5 bytes JMP 0000000072e82790 .text C:\Users\Jacek\Downloads\6ju9prz5.exe[6000] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076fc9ae8 5 bytes JMP 0000000072e82660 .text C:\Users\Jacek\Downloads\6ju9prz5.exe[6000] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076fca208 5 bytes JMP 0000000072e82a20 .text C:\Users\Jacek\Downloads\6ju9prz5.exe[6000] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076fca2c8 5 bytes JMP 0000000072e82cb0 .text C:\Users\Jacek\Downloads\6ju9prz5.exe[6000] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076fca370 5 bytes JMP 0000000072e82f40 .text C:\Users\Jacek\Downloads\6ju9prz5.exe[6000] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076fca9f8 5 bytes JMP 0000000072e82b70 .text C:\Users\Jacek\Downloads\6ju9prz5.exe[6000] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076fcaa70 5 bytes JMP 0000000072e82e00 .text C:\Users\Jacek\Downloads\6ju9prz5.exe[6000] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077016fc1 5 bytes JMP 0000000072e82fd0 .text C:\Users\Jacek\Downloads\6ju9prz5.exe[6000] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077018a56 5 bytes JMP 0000000072e830c0 ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [fffffa60008deda8] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffffa60008dee94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffffa60008dec38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffffa60008df614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffffa60008dfa10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffffa60008df86c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\ataport.SYS[ntoskrnl.exe!DbgBreakPoint] [fffffa8004f83470] [unknown section] IAT C:\Windows\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] [fffffa8007ebe470] [unknown section] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IofCallDriver] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoRegisterBootDriverReinitialization] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!KeInitializeEvent] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoInitializeTimer] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!PsGetCurrentProcess] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoStartTimer] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!MmLockPagableDataSection] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!KeAcquireSpinLockRaiseToDpc] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoAcquireRemoveLockEx] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!KeReleaseSpinLock] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoReleaseRemoveLockEx] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoStopTimer] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoReleaseRemoveLockAndWaitEx] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoQueueWorkItem] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!KeSetEvent] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!KeDelayExecutionThread] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoReuseIrp] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!PsCreateSystemThread] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!srand] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!rand] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ObfDereferenceObject] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoInitializeRemoveLockEx] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!InitializeSListHead] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ExInitializeNPagedLookasideList] [fb33345e8941db33] [unknown section] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoAllocateWorkItem] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!KeWaitForSingleObject] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ZwEnumerateKey] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ZwOpenKey] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!RtlQueryRegistryValues] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ZwClose] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!wcsncmp] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!wcschr] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ZwEnumerateValueKey] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ZwDeleteValueKey] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ZwDeleteKey] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ZwCreateKey] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!RtlWriteRegistryValue] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ExDeleteNPagedLookasideList] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoCancelIrp] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!PsTerminateSystemThread] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ExpInterlockedPushEntrySList] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ExpInterlockedPopEntrySList] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoAllocateIrp] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoFreeIrp] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoFreeMdl] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoFreeWorkItem] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] [f733fb33545e8941] [unknown section] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ZwQueryValueKey] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoGetDeviceObjectPointer] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!_wcsnicmp] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!_vsnwprintf] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoAllocateMdl] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ExQueryDepthSList] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ExAcquireFastMutex] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ExReleaseFastMutex] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!_itoa] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!_vsnprintf] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!KeQueryTimeIncrement] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoBuildPartialMdl] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!MmUnmapLockedPages] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ObfReferenceObject] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoGetRelatedDeviceObject] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoGetDeviceInterfaces] [fb33705e8945db33] [unknown section] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoGetDeviceProperty] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ZwQuerySystemInformation] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!MmMapIoSpace] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!KeBugCheckEx] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!RtlUnicodeStringToAnsiString] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!atoi] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoWMIRegistrationControl] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!MmGetSystemRoutineAddress] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!RtlCompareMemory] [f28341d133450000] [unknown section] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ExFreePoolWithTag] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!IoWMIWriteEvent] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!KeSetBasePriorityThread] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[ntoskrnl.exe!RtlInitUnicodeString] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[storport.sys!StorPortPauseDevice] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[storport.sys!StorPortResumeDevice] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[storport.sys!StorPortNotification] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[storport.sys!StorPortInitialize] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[TDI.SYS!TdiRegisterPnPHandlers] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[TDI.SYS!TdiDeregisterPnPHandlers] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[NETIO.SYS!WskDeregister] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[NETIO.SYS!WskReleaseProviderNPI] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[NETIO.SYS!WskRegister] [?] IAT C:\Windows\System32\Drivers\a5t6qt57.SYS[NETIO.SYS!WskCaptureProviderNPI] [?] IAT C:\Windows\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] [fffffa8007ee0470] [unknown section] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef2a72750] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef2a72b98] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef2a77de0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef2a78130] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef2a71908] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef2a71c00] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef2a781d8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef2a72878] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef2a77a5c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmIncrement] [7fef2a76c48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef2a777bc] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef2a77064] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef2a76544] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3736] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef2a75e30] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Devices - GMER 2.2 ---- Device \Driver\a5t6qt57 \Device\Scsi\a5t6qt571 fffffa8007ee22c0 Device \FileSystem\Ntfs \Ntfs fffffa8003f612c0 Device \FileSystem\fastfat \Fat fffffa800900d2c0 Device \Driver\usbehci \Device\USBFDO-7 fffffa8007fd42c0 Device \Driver\usbuhci \Device\USBPDO-5 fffffa800808b2c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa8007fd42c0 Device \Driver\USBSTOR \Device\00000074 fffffa8008c6e2c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa800808b2c0 Device \Driver\iScsiPrt \Device\RaidPort0 fffffa80080422c0 Device \Driver\cdrom \Device\CdRom0 fffffa8007ed02c0 Device \Driver\netbt \Device\NetBT_Tcpip_{10486077-C967-40DF-B8F0-97864DCA1256} fffffa8008b112c0 Device \Driver\netbt \Device\NetBT_Tcpip_{88726641-6C9F-43D6-A1EA-D8B41DDD1F1A} fffffa8008b112c0 Device \Driver\usbuhci \Device\USBPDO-6 fffffa800808b2c0 Device \Driver\usbuhci \Device\USBFDO-4 fffffa800808b2c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa800808b2c0 Device \Driver\usbuhci \Device\USBPDO-2 fffffa800808b2c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa8007fcb2c0 Device \Driver\USBSTOR \Device\0000008c fffffa8008c6e2c0 Device \Driver\usbehci \Device\USBPDO-7 fffffa8007fd42c0 Device \Driver\usbuhci \Device\USBFDO-5 fffffa800808b2c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa8007fd42c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa800808b2c0 Device \Driver\netbt \Device\NetBt_Wins_Export fffffa8008b112c0 Device \Driver\USBSTOR \Device\0000008d fffffa8008c6e2c0 Device \Driver\usbuhci \Device\USBFDO-6 fffffa800808b2c0 Device \Driver\usbuhci \Device\USBPDO-4 fffffa800808b2c0 Device \Driver\usbuhci \Device\USBFDO-2 fffffa800808b2c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa800808b2c0 Device \Driver\USBSTOR \Device\00000073 fffffa8008c6e2c0 Device \Driver\iScsiPrt \Device\ScsiPort1 fffffa80080422c0 Device \Driver\a5t6qt57 \Device\ScsiPort2 fffffa8007ee22c0 Device \Driver\Smb \Device\NetbiosSmb fffffa8008af82c0 ---- Modules - GMER 2.2 ---- Module \SystemRoot\System32\Drivers\a5t6qt57.SYS (Microsoft iSCSI Initiator Driver/Microsoft Corporation)(2013-03-29 20:39:43) fffffa60034fb000-fffffa600354c000 (331776 bytes) ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\wininit.exe [372:4164] 000007fefe4663b0 Thread C:\Windows\System32\svchost.exe [1320:2680] 000007fef4fc1754 Thread C:\Windows\System32\svchost.exe [1320:2852] 000007fef4fc1bf4 Thread C:\Windows\System32\svchost.exe [1320:2540] 000007fef4fc1d5c Thread C:\Windows\System32\svchost.exe [1320:3000] 000007fef4fc1d5c Thread C:\Windows\System32\svchost.exe [1320:3016] 000007fef4fc1d5c Thread C:\Windows\System32\svchost.exe [1320:2532] 000007fef58c4c84 Thread C:\Windows\System32\svchost.exe [1320:3776] 0000000072df3d54 Thread C:\Windows\System32\svchost.exe [1320:3296] 000007fef65f8a4c Thread C:\Windows\System32\svchost.exe [1320:3300] 000007fef65f8a4c Thread C:\Windows\System32\svchost.exe [1320:3332] 000007fef65f8a4c Thread C:\Windows\System32\svchost.exe [1320:3352] 000007fef65f8a4c Thread C:\Windows\System32\svchost.exe [1320:3324] 000007fef65f8a4c Thread C:\Windows\System32\svchost.exe [1320:3304] 000007fef65f8a4c Thread C:\Windows\System32\svchost.exe [1320:1908] 000007fef65f8a4c Thread C:\Windows\System32\svchost.exe [1320:1748] 000007fef65f8a4c Thread C:\Windows\System32\svchost.exe [1320:3328] 000007fef65f8a4c Thread C:\Windows\System32\svchost.exe [1320:3416] 000007fef65f8a4c Thread C:\Windows\System32\svchost.exe [1320:4280] 000007feeeb59bec Thread C:\Windows\System32\svchost.exe [1320:4284] 000007feeeb5c3fc Thread C:\Windows\System32\svchost.exe [1320:4784] 000007fef2af62d0 Thread C:\Windows\System32\svchost.exe [1320:3196] 000007fef5875c54 Thread C:\Windows\system32\svchost.exe [1620:3388] 000007fef552588c Thread C:\Windows\system32\svchost.exe [1620:3556] 000007fef29f1010 Thread C:\Windows\system32\svchost.exe [1620:3560] 000007fef29f1010 Thread C:\Windows\system32\svchost.exe [1620:3564] 000007fef29f1010 Thread C:\Windows\system32\svchost.exe [1620:3568] 000007fef29f1010 Thread C:\Windows\system32\svchost.exe [1620:3584] 000007fef28d7d3c Thread C:\Windows\system32\svchost.exe [1620:3996] 000007feefae3dec Thread C:\Windows\system32\svchost.exe [1620:4000] 000007fef35b1520 Thread C:\Windows\system32\svchost.exe [1620:4004] 000007fef2b95354 Thread C:\Windows\system32\svchost.exe [1620:4028] 000007fef2a57624 Thread C:\Windows\system32\svchost.exe [1620:4032] 000007fef2952084 Thread C:\Windows\system32\svchost.exe [1620:4864] 000007fef6015000 Thread C:\Windows\system32\svchost.exe [1620:2032] 000007feeca476a0 Thread C:\Windows\System32\spoolsv.exe [1988:2344] 000007fef93413dc Thread C:\Windows\System32\spoolsv.exe [1988:2352] 000007fef93412ac Thread C:\Windows\System32\spoolsv.exe [1988:2360] 000007fef8b31c00 Thread C:\Windows\System32\spoolsv.exe [1988:2372] 000007fef8ae38a0 Thread C:\Windows\System32\spoolsv.exe [1988:2380] 000007fef709bd78 Thread C:\Windows\System32\spoolsv.exe [1988:2388] 000007fef709c4f8 Thread C:\Windows\System32\spoolsv.exe [1988:2392] 000007fef70a6844 Thread C:\Windows\System32\spoolsv.exe [1988:2456] 000007fef8c8a704 Thread C:\Windows\system32\svchost.exe [2012:2288] 000007fef5bc7ef4 Thread C:\Windows\system32\svchost.exe [2012:2308] 000007fef5bbe984 Thread C:\Windows\system32\svchost.exe [2012:2268] 000007fef5bbe984 Thread C:\Windows\system32\svchost.exe [2012:2264] 000007fef5bbe984 Thread C:\Windows\system32\svchost.exe [2012:2260] 000007fef5bbe984 Thread C:\Windows\system32\svchost.exe [2012:2404] 000007fef5bbe984 Thread C:\Windows\system32\svchost.exe [2012:5728] 000007fef5bccab8 Thread C:\Windows\system32\svchost.exe [2012:5300] 000007fef65f8a4c Thread C:\Windows\system32\svchost.exe [2012:1716] 000007fef65f8a4c Thread C:\Windows\system32\svchost.exe [2012:3944] 000007fef65f8a4c Thread C:\Windows\system32\svchost.exe [2012:5380] 000007fef65f8a4c Thread C:\Windows\system32\svchost.exe [2012:5996] 000007fef65f8a4c Thread C:\Windows\system32\svchost.exe [2012:3780] 000007fef65f8a4c Thread C:\Windows\system32\svchost.exe [2012:3908] 000007fef65f8a4c Thread C:\Windows\system32\svchost.exe [2012:5632] 000007fef65f8a4c Thread C:\Windows\system32\svchost.exe [2012:3456] 000007fef65f8a4c Thread C:\Windows\system32\svchost.exe [2012:1872] 000007fef65f8a4c Thread C:\Windows\system32\Dwm.exe [2184:2284] 000007fef938c2ac Thread C:\Windows\system32\svchost.exe [3520:3604] 000007fef709bd78 Thread C:\Windows\system32\svchost.exe [3520:3616] 000007fef709c4f8 Thread C:\Windows\system32\svchost.exe [3520:3620] 000007fef70a6844 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4960:5060] 000007fefa2eb8a8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4960:4320] 000007fef6015000 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x78 0x2B 0xD2 0x3C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB9 0x42 0xA0 0x56 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA4 0x39 0xFA 0xE6 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files (x86)\DAEMON Tools\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x74 0x56 0xB9 0xF1 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x13 0x75 0x9D 0x39 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4D 0xAD 0x34 0xD6 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{f27f90d0-1351-47c9-a6a6-130d6913671d}@Dhcpv6State 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7A 0x5D 0xD4 0x64 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB9 0x42 0xA0 0x56 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA4 0x39 0xFA 0xE6 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files (x86)\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x74 0x56 0xB9 0xF1 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x13 0x75 0x9D 0x39 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4D 0xAD 0x34 0xD6 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----