GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-09-19 14:37:05 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3500413AS rev.JC49 465.76GB Running: 9q9cnt72.exe; Driver: C:\Users\Randles\AppData\Local\Temp\pwtiqfob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[492] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\services.exe[556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[728] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[884] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[980] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[120] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1072] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1384] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a8a2ba 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1524] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1552] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1700] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a8a2ba 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a71920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075a8a2ba 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075eb5181 5 bytes JMP 00000001000d1014 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075eb5254 5 bytes JMP 00000001000d0804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075eb53d5 5 bytes JMP 00000001000d0a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075eb54c2 5 bytes JMP 00000001000d0c0c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075eb55e2 5 bytes JMP 00000001000d0e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075eb567c 5 bytes JMP 00000001000d01f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075eb589f 5 bytes JMP 00000001000d03fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075eb5a22 5 bytes JMP 00000001000d0600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007638ee09 5 bytes JMP 0000000100a801f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076393982 5 bytes JMP 0000000100a803fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076397603 5 bytes JMP 0000000100a80804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007639835c 5 bytes JMP 0000000100a80600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000763af52b 5 bytes JMP 0000000100a80a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000759e1465 2 bytes [9E, 75] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759e14bb 2 bytes [9E, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe326e00 5 bytes JMP 000007ff7e341dac .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe326f2c 5 bytes JMP 000007ff7e340ecc .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe327220 5 bytes JMP 000007ff7e341284 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe32739c 5 bytes JMP 000007ff7e34163c .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe327538 5 bytes JMP 000007ff7e3419f4 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3275e8 5 bytes JMP 000007ff7e3403a4 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe32790c 5 bytes JMP 000007ff7e34075c .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe327ab4 5 bytes JMP 000007ff7e340b14 .text C:\Windows\system32\svchost.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 5 bytes JMP 00000001001c075c .text C:\Windows\system32\svchost.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897ac0 5 bytes JMP 00000001001c03a4 .text C:\Windows\system32\svchost.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1430 5 bytes JMP 00000001001c0b14 .text C:\Windows\system32\svchost.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c1490 5 bytes JMP 00000001001c0ecc .text C:\Windows\system32\svchost.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 5 bytes JMP 00000001001c163c .text C:\Windows\system32\svchost.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c17b0 5 bytes JMP 00000001001c1284 .text C:\Windows\system32\svchost.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c27e0 5 bytes JMP 00000001001c19f4 .text C:\Windows\system32\svchost.exe[3004] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[3004] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe326e00 5 bytes JMP 000007ff7e341dac .text C:\Windows\system32\svchost.exe[3004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe326f2c 5 bytes JMP 000007ff7e340ecc .text C:\Windows\system32\svchost.exe[3004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe327220 5 bytes JMP 000007ff7e341284 .text C:\Windows\system32\svchost.exe[3004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe32739c 5 bytes JMP 000007ff7e34163c .text C:\Windows\system32\svchost.exe[3004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe327538 5 bytes JMP 000007ff7e3419f4 .text C:\Windows\system32\svchost.exe[3004] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3275e8 5 bytes JMP 000007ff7e3403a4 .text C:\Windows\system32\svchost.exe[3004] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe32790c 5 bytes JMP 000007ff7e34075c .text C:\Windows\system32\svchost.exe[3004] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe327ab4 5 bytes JMP 000007ff7e340b14 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 5 bytes JMP 000000010023075c .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897ac0 5 bytes JMP 00000001002303a4 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1430 5 bytes JMP 0000000100230b14 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c1490 5 bytes JMP 0000000100230ecc .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 5 bytes JMP 000000010023163c .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c17b0 5 bytes JMP 0000000100231284 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c27e0 5 bytes JMP 00000001002319f4 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe326e00 5 bytes JMP 000007ff7e341dac .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe326f2c 5 bytes JMP 000007ff7e340ecc .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe327220 5 bytes JMP 000007ff7e341284 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe32739c 5 bytes JMP 000007ff7e34163c .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe327538 5 bytes JMP 000007ff7e3419f4 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3275e8 5 bytes JMP 000007ff7e3403a4 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe32790c 5 bytes JMP 000007ff7e34075c .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe327ab4 5 bytes JMP 000007ff7e340b14 .text C:\Windows\System32\WUDFHost.exe[2248] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe326e00 5 bytes JMP 000007ff7e341dac .text C:\Windows\System32\WUDFHost.exe[2248] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe326f2c 5 bytes JMP 000007ff7e340ecc .text C:\Windows\System32\WUDFHost.exe[2248] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe327220 5 bytes JMP 000007ff7e341284 .text C:\Windows\System32\WUDFHost.exe[2248] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe32739c 5 bytes JMP 000007ff7e34163c .text C:\Windows\System32\WUDFHost.exe[2248] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe327538 5 bytes JMP 000007ff7e3419f4 .text C:\Windows\System32\WUDFHost.exe[2248] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3275e8 5 bytes JMP 000007ff7e3403a4 .text C:\Windows\System32\WUDFHost.exe[2248] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe32790c 5 bytes JMP 000007ff7e34075c .text C:\Windows\System32\WUDFHost.exe[2248] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe327ab4 5 bytes JMP 000007ff7e340b14 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 5 bytes JMP 00000001001c075c .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897ac0 5 bytes JMP 00000001001c03a4 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1430 5 bytes JMP 00000001001c0b14 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c1490 5 bytes JMP 00000001001c0ecc .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 5 bytes JMP 00000001001c163c .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c17b0 5 bytes JMP 00000001001c1284 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c27e0 5 bytes JMP 00000001001c19f4 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe326e00 5 bytes JMP 000007ff7e341dac .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe326f2c 5 bytes JMP 000007ff7e340ecc .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe327220 5 bytes JMP 000007ff7e341284 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe32739c 5 bytes JMP 000007ff7e34163c .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe327538 5 bytes JMP 000007ff7e3419f4 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3275e8 5 bytes JMP 000007ff7e3403a4 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe32790c 5 bytes JMP 000007ff7e34075c .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe327ab4 5 bytes JMP 000007ff7e340b14 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6fac0 5 bytes JMP 00000001000c0600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb58 5 bytes JMP 00000001000c0804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fcb0 5 bytes JMP 00000001000c0c0c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70038 5 bytes JMP 00000001000c0a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a71920 5 bytes JMP 00000001000c0e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c4dd 5 bytes JMP 00000001000c01f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91287 5 bytes JMP 00000001000c03fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075a8a2ba 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007638ee09 5 bytes JMP 00000001001901f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076393982 5 bytes JMP 00000001001903fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076397603 5 bytes JMP 0000000100190804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007639835c 5 bytes JMP 0000000100190600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000763af52b 5 bytes JMP 0000000100190a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075eb5181 5 bytes JMP 00000001001a1014 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075eb5254 5 bytes JMP 00000001001a0804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075eb53d5 5 bytes JMP 00000001001a0a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075eb54c2 5 bytes JMP 00000001001a0c0c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075eb55e2 5 bytes JMP 00000001001a0e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075eb567c 5 bytes JMP 00000001001a01f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075eb589f 5 bytes JMP 00000001001a03fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2968] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075eb5a22 5 bytes JMP 00000001001a0600 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 5 bytes JMP 000000010039075c .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897ac0 5 bytes JMP 00000001003903a4 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1430 5 bytes JMP 0000000100390b14 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c1490 5 bytes JMP 0000000100390ecc .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 5 bytes JMP 000000010039163c .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c17b0 5 bytes JMP 0000000100391284 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c27e0 5 bytes JMP 00000001003919f4 .text C:\Windows\Explorer.EXE[3028] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe326e00 5 bytes JMP 000007ff7e341dac .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe326f2c 5 bytes JMP 000007ff7e340ecc .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe327220 5 bytes JMP 000007ff7e341284 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe32739c 5 bytes JMP 000007ff7e34163c .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe327538 5 bytes JMP 000007ff7e3419f4 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3275e8 5 bytes JMP 000007ff7e3403a4 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe32790c 5 bytes JMP 000007ff7e34075c .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe327ab4 5 bytes JMP 000007ff7e340b14 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a71920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075a8a2ba 1 byte [62] .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075eb5181 5 bytes JMP 00000001003b1014 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075eb5254 5 bytes JMP 00000001003b0804 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075eb53d5 5 bytes JMP 00000001003b0a08 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075eb54c2 5 bytes JMP 00000001003b0c0c .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075eb55e2 5 bytes JMP 00000001003b0e10 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075eb567c 5 bytes JMP 00000001003b01f8 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075eb589f 5 bytes JMP 00000001003b03fc .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075eb5a22 5 bytes JMP 00000001003b0600 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007638ee09 5 bytes JMP 00000001003c01f8 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076393982 5 bytes JMP 00000001003c03fc .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076397603 5 bytes JMP 00000001003c0804 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007639835c 5 bytes JMP 00000001003c0600 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000763af52b 5 bytes JMP 00000001003c0a08 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000759e1465 2 bytes [9E, 75] .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2628] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759e14bb 2 bytes [9E, 75] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3248] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a8a2ba 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 5 bytes JMP 000000010039075c .text C:\Windows\system32\SearchIndexer.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897ac0 5 bytes JMP 00000001003903a4 .text C:\Windows\system32\SearchIndexer.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1430 5 bytes JMP 0000000100390b14 .text C:\Windows\system32\SearchIndexer.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c1490 5 bytes JMP 0000000100390ecc .text C:\Windows\system32\SearchIndexer.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 5 bytes JMP 000000010039163c .text C:\Windows\system32\SearchIndexer.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c17b0 5 bytes JMP 0000000100391284 .text C:\Windows\system32\SearchIndexer.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c27e0 5 bytes JMP 00000001003919f4 .text C:\Windows\system32\SearchIndexer.exe[3892] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3892] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe326e00 5 bytes JMP 000007ff7e341dac .text C:\Windows\system32\SearchIndexer.exe[3892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe326f2c 5 bytes JMP 000007ff7e340ecc .text C:\Windows\system32\SearchIndexer.exe[3892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe327220 5 bytes JMP 000007ff7e341284 .text C:\Windows\system32\SearchIndexer.exe[3892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe32739c 5 bytes JMP 000007ff7e34163c .text C:\Windows\system32\SearchIndexer.exe[3892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe327538 5 bytes JMP 000007ff7e3419f4 .text C:\Windows\system32\SearchIndexer.exe[3892] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3275e8 5 bytes JMP 000007ff7e3403a4 .text C:\Windows\system32\SearchIndexer.exe[3892] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe32790c 5 bytes JMP 000007ff7e34075c .text C:\Windows\system32\SearchIndexer.exe[3892] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe327ab4 5 bytes JMP 000007ff7e340b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3960] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 5 bytes JMP 000000010036075c .text C:\Windows\System32\svchost.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897ac0 5 bytes JMP 00000001003603a4 .text C:\Windows\System32\svchost.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1430 5 bytes JMP 0000000100360b14 .text C:\Windows\System32\svchost.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c1490 5 bytes JMP 0000000100360ecc .text C:\Windows\System32\svchost.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 5 bytes JMP 000000010036163c .text C:\Windows\System32\svchost.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c17b0 5 bytes JMP 0000000100361284 .text C:\Windows\System32\svchost.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c27e0 5 bytes JMP 00000001003619f4 .text C:\Windows\System32\svchost.exe[3348] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe326e00 5 bytes JMP 000007ff7e341dac .text C:\Windows\System32\svchost.exe[3348] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe326f2c 5 bytes JMP 000007ff7e340ecc .text C:\Windows\System32\svchost.exe[3348] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe327220 5 bytes JMP 000007ff7e341284 .text C:\Windows\System32\svchost.exe[3348] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe32739c 5 bytes JMP 000007ff7e34163c .text C:\Windows\System32\svchost.exe[3348] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe327538 5 bytes JMP 000007ff7e3419f4 .text C:\Windows\System32\svchost.exe[3348] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3275e8 5 bytes JMP 000007ff7e3403a4 .text C:\Windows\System32\svchost.exe[3348] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe32790c 5 bytes JMP 000007ff7e34075c .text C:\Windows\System32\svchost.exe[3348] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe327ab4 5 bytes JMP 000007ff7e340b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893b10 5 bytes JMP 000000010029075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897ac0 5 bytes JMP 00000001002903a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1430 5 bytes JMP 0000000100290b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c1490 5 bytes JMP 0000000100290ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c1570 5 bytes JMP 000000010029163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c17b0 5 bytes JMP 0000000100291284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778c27e0 5 bytes JMP 00000001002919f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3888] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3888] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe326e00 5 bytes JMP 000007ff7e341dac .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe326f2c 5 bytes JMP 000007ff7e340ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe327220 5 bytes JMP 000007ff7e341284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe32739c 5 bytes JMP 000007ff7e34163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe327538 5 bytes JMP 000007ff7e3419f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3888] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3275e8 5 bytes JMP 000007ff7e3403a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3888] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe32790c 5 bytes JMP 000007ff7e34075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3888] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe327ab4 5 bytes JMP 000007ff7e340b14 .text C:\Windows\System32\svchost.exe[2828] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe326e00 5 bytes JMP 000007ff7e341dac .text C:\Windows\System32\svchost.exe[2828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe326f2c 5 bytes JMP 000007ff7e340ecc .text C:\Windows\System32\svchost.exe[2828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe327220 5 bytes JMP 000007ff7e341284 .text C:\Windows\System32\svchost.exe[2828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe32739c 5 bytes JMP 000007ff7e34163c .text C:\Windows\System32\svchost.exe[2828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe327538 5 bytes JMP 000007ff7e3419f4 .text C:\Windows\System32\svchost.exe[2828] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3275e8 5 bytes JMP 000007ff7e3403a4 .text C:\Windows\System32\svchost.exe[2828] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe32790c 5 bytes JMP 000007ff7e34075c .text C:\Windows\System32\svchost.exe[2828] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe327ab4 5 bytes JMP 000007ff7e340b14 .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6fac0 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb58 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fcb0 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70038 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a71920 5 bytes JMP 0000000100030e10 .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c4dd 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91287 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075a8a2ba 1 byte [62] .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007638ee09 5 bytes JMP 00000001000901f8 .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076393982 5 bytes JMP 00000001000903fc .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076397603 5 bytes JMP 0000000100090804 .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007639835c 5 bytes JMP 0000000100090600 .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000763af52b 5 bytes JMP 0000000100090a08 .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075eb5181 5 bytes JMP 00000001000a1014 .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075eb5254 5 bytes JMP 00000001000a0804 .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075eb53d5 5 bytes JMP 00000001000a0a08 .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075eb54c2 5 bytes JMP 00000001000a0c0c .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075eb55e2 5 bytes JMP 00000001000a0e10 .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075eb567c 5 bytes JMP 00000001000a01f8 .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075eb589f 5 bytes JMP 00000001000a03fc .text C:\Windows\SysWOW64\ctfmon.exe[5104] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075eb5a22 5 bytes JMP 00000001000a0600 .text C:\Windows\system32\AUDIODG.EXE[3356] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Users\Randles\Desktop\9q9cnt72.exe[4840] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a8a2ba 1 byte [62] ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 3 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@DisplayName avast! TDI Firewall driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Description avast! TDI Firewall driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Tag 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Description avast! keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Tag 7 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 35 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 259314 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Manages and implements avast! antivirus services for this computer. This includes the resident protection, the virus chest and the scheduler. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ImagePath "C:\Program Files\AVAST Software\Avast\afwServ.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@DisplayName avast! Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Description Implements main functionality for avast! Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 3 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@DisplayName avast! TDI Firewall driver Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswFW@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Description avast! TDI Firewall driver Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Tag 10 Reg HKLM\SYSTEM\ControlSet002\services\aswFW\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFW\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswFW\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Description avast! keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Tag 7 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 35 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 259314 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Manages and implements avast! antivirus services for this computer. This includes the resident protection, the virus chest and the scheduler. Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ImagePath "C:\Program Files\AVAST Software\Avast\afwServ.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@DisplayName avast! Firewall Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Description Implements main functionality for avast! Firewall ---- EOF - GMER 2.1 ----