GMER 2.0.18444 - http://www.gmer.net Rootkit scan 2013-01-17 00:39:42 Windows 6.0.6001 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 Hitachi_HTS543232L9A300 rev.FB4OC40C 298,09GB Running: 9h9uyg6w.exe; Driver: C:\Users\Maxi\AppData\Local\Temp\kwtdypod.sys ---- User code sections - GMER 2.0 ---- .text C:\Windows\system32\services.exe[716] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 194 00000000772c4842 1 byte [62] .text C:\Windows\system32\winlogon.exe[844] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 194 00000000772c4842 1 byte [62] .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 194 00000000772c4842 1 byte [62] .text C:\Windows\System32\svchost.exe[704] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 194 00000000772c4842 1 byte [62] .text C:\Windows\System32\svchost.exe[712] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 194 00000000772c4842 1 byte [62] .text C:\Windows\system32\svchost.exe[820] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 194 00000000772c4842 1 byte [62] .text C:\Windows\system32\svchost.exe[1272] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 194 00000000772c4842 1 byte [62] .text C:\Windows\Explorer.EXE[2380] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 194 00000000772c4842 1 byte [62] .text C:\Windows\SysWOW64\svchost.exe[2364] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077621a5f 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\svchost.exe[2364] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077623259 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\svchost.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077639478 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\svchost.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077639508 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\svchost.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077639658 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\svchost.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000776399b8 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077621a5f 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077623259 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077639478 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077639508 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077639658 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000776399b8 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 130 0000000075a63890 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007632bb98 5 bytes JMP 00000001001a0a08 .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 000000007632be5d 5 bytes JMP 00000001001a0804 .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000763310a0 5 bytes JMP 00000001001a0600 .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000763462ee 5 bytes JMP 00000001001a01f8 .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076346f22 5 bytes JMP 00000001001a03fc .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000076365f87 5 bytes JMP 00000001750647c0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075f238ff 5 bytes JMP 00000001001b03fc .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000075f23bee 3 bytes JMP 00000001001b0600 .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\syswow64\ADVAPI32.dll!DeleteService + 4 0000000075f23bf2 1 byte [8A] .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\syswow64\ADVAPI32.dll!SetServiceObjectSecurity 0000000075f666a9 5 bytes JMP 00000001001b1014 .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000075f667a9 5 bytes JMP 00000001001b0804 .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000075f66951 5 bytes JMP 00000001001b0a08 .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2A 0000000075f66a69 5 bytes JMP 00000001001b0c0c .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2W 0000000075f66bb1 5 bytes JMP 00000001001b0e10 .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075f66c71 5 bytes JMP 00000001001b01f8 .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\SysWOW64\WSOCK32.dll!recv + 81 00000000756918a9 2 bytes [69, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 87 000000007569190e 2 bytes [69, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 00000000756919f0 2 bytes [69, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[3080] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 00000000756919fb 2 bytes [69, 75] .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\ntdll.dll!LdrLoadDll 00000000774751f0 5 bytes JMP 00000001002e03a4 .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\ntdll.dll!LdrUnloadDll 0000000077478560 5 bytes JMP 00000001002e075c .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\ntdll.dll!NtAllocateVirtualMemory 0000000077495180 5 bytes JMP 00000001002e0b14 .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\ntdll.dll!NtFreeVirtualMemory 00000000774951e0 5 bytes JMP 00000001002e0ecc .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\ntdll.dll!NtTerminateProcess 00000000774952c0 5 bytes JMP 00000001002e163c .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\ntdll.dll!NtProtectVirtualMemory 0000000077495500 5 bytes JMP 00000001002e1284 .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 194 00000000772c4842 1 byte [62] .text C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe[4960] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077621a5f 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe[4960] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077623259 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077639478 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077639508 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077639658 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000776399b8 5 bytes JMP 0000000100030a08 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 130 0000000075a63890 1 byte [62] .text C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe[4248] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077621a5f 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe[4248] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077623259 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077639478 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077639508 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077639658 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000776399b8 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe[4248] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 130 0000000075a63890 1 byte [62] .text C:\Program Files (x86)\IObit\Advanced SystemCare 5\Asc.exe[7116] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077621a5f 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\IObit\Advanced SystemCare 5\Asc.exe[7116] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077623259 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\IObit\Advanced SystemCare 5\Asc.exe[7116] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077639478 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\IObit\Advanced SystemCare 5\Asc.exe[7116] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077639508 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\IObit\Advanced SystemCare 5\Asc.exe[7116] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077639658 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\IObit\Advanced SystemCare 5\Asc.exe[7116] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000776399b8 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 130 0000000075a63890 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007632bb98 5 bytes JMP 00000001001a0a08 .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 000000007632be5d 5 bytes JMP 00000001001a0804 .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000763310a0 5 bytes JMP 00000001001a0600 .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000763462ee 5 bytes JMP 00000001001a01f8 .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076346f22 5 bytes JMP 00000001001a03fc .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000076365f87 5 bytes JMP 00000001750647c0 .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075f238ff 5 bytes JMP 00000001001b03fc .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000075f23bee 3 bytes JMP 00000001001b0600 .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\syswow64\ADVAPI32.dll!DeleteService + 4 0000000075f23bf2 1 byte [8A] .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\syswow64\ADVAPI32.dll!SetServiceObjectSecurity 0000000075f666a9 5 bytes JMP 00000001001b1014 .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000075f667a9 5 bytes JMP 00000001001b0804 .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000075f66951 5 bytes JMP 00000001001b0a08 .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2A 0000000075f66a69 5 bytes JMP 00000001001b0c0c .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2W 0000000075f66bb1 5 bytes JMP 00000001001b0e10 .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075f66c71 5 bytes JMP 00000001001b01f8 .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\SysWOW64\WSOCK32.dll!recv + 81 00000000756918a9 2 bytes [69, 75] .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 87 000000007569190e 2 bytes [69, 75] .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 00000000756919f0 2 bytes [69, 75] .text C:\Windows\SysWOW64\PnkBstrB.exe[6312] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 00000000756919fb 2 bytes [69, 75] .text C:\Windows\system32\wbem\wmiprvse.exe[4196] C:\Windows\system32\ntdll.dll!LdrLoadDll 00000000774751f0 5 bytes JMP 00000001002d03a4 .text C:\Windows\system32\wbem\wmiprvse.exe[4196] C:\Windows\system32\ntdll.dll!LdrUnloadDll 0000000077478560 5 bytes JMP 00000001002d075c .text C:\Windows\system32\wbem\wmiprvse.exe[4196] C:\Windows\system32\ntdll.dll!NtAllocateVirtualMemory 0000000077495180 5 bytes JMP 00000001002d0b14 .text C:\Windows\system32\wbem\wmiprvse.exe[4196] C:\Windows\system32\ntdll.dll!NtFreeVirtualMemory 00000000774951e0 5 bytes JMP 00000001002d0ecc .text C:\Windows\system32\wbem\wmiprvse.exe[4196] C:\Windows\system32\ntdll.dll!NtTerminateProcess 00000000774952c0 5 bytes JMP 00000001002d163c .text C:\Windows\system32\wbem\wmiprvse.exe[4196] C:\Windows\system32\ntdll.dll!NtProtectVirtualMemory 0000000077495500 5 bytes JMP 00000001002d1284 .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077621a5f 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077623259 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077639478 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077639508 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077639658 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000776399b8 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 130 0000000075a63890 1 byte [62] .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075f238ff 5 bytes JMP 00000001000703fc .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000075f23bee 5 bytes JMP 0000000100070600 .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\syswow64\ADVAPI32.dll!SetServiceObjectSecurity 0000000075f666a9 5 bytes JMP 0000000100071014 .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000075f667a9 5 bytes JMP 0000000100070804 .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000075f66951 5 bytes JMP 0000000100070a08 .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2A 0000000075f66a69 5 bytes JMP 0000000100070c0c .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2W 0000000075f66bb1 5 bytes JMP 0000000100070e10 .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075f66c71 5 bytes JMP 00000001000701f8 .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007632bb98 5 bytes JMP 0000000100080a08 .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 000000007632be5d 5 bytes JMP 0000000100080804 .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000763310a0 5 bytes JMP 0000000100080600 .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000763462ee 5 bytes JMP 00000001000801f8 .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076346f22 5 bytes JMP 00000001000803fc .text C:\Windows\SysWOW64\conime.exe[2296] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000076365f87 5 bytes JMP 00000001750647c0 ? C:\Windows\system32\ShimEng.dll [2296] entry point in ".rdata" section 0000000072d47c74 .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077621a5f 5 bytes JMP 00000001000301f8 .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077623259 5 bytes JMP 00000001000303fc .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077639478 5 bytes JMP 0000000100030600 .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077639508 5 bytes JMP 0000000100030804 .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077639658 5 bytes JMP 0000000100030c0c .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000776399b8 5 bytes JMP 0000000100030a08 .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 130 0000000075a63890 1 byte [62] .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\syswow64\user32.dll!UnhookWindowsHookEx 000000007632bb98 5 bytes JMP 00000001001c0a08 .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\syswow64\user32.dll!SetWindowsHookExW 000000007632be5d 5 bytes JMP 00000001001c0804 .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\syswow64\user32.dll!SetWindowsHookExA 00000000763310a0 5 bytes JMP 00000001001c0600 .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\syswow64\user32.dll!SetWinEventHook 00000000763462ee 5 bytes JMP 00000001001c01f8 .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\syswow64\user32.dll!UnhookWinEvent 0000000076346f22 5 bytes JMP 00000001001c03fc .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\syswow64\user32.dll!DialogBoxParamW 0000000076365f87 5 bytes JMP 00000001750647c0 .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075f238ff 5 bytes JMP 00000001001d03fc .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000075f23bee 5 bytes JMP 00000001001d0600 .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\syswow64\ADVAPI32.dll!SetServiceObjectSecurity 0000000075f666a9 5 bytes JMP 00000001001d1014 .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000075f667a9 5 bytes JMP 00000001001d0804 .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000075f66951 5 bytes JMP 00000001001d0a08 .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2A 0000000075f66a69 5 bytes JMP 00000001001d0c0c .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2W 0000000075f66bb1 5 bytes JMP 00000001001d0e10 .text C:\Users\Maxi\Downloads\OTL.exe[6424] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075f66c71 5 bytes JMP 00000001001d01f8 .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077621a5f 5 bytes JMP 00000001000301f8 .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077623259 5 bytes JMP 00000001000303fc .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077639478 5 bytes JMP 0000000100030600 .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077639508 5 bytes JMP 0000000100030804 .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077639658 5 bytes JMP 0000000100030c0c .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000776399b8 5 bytes JMP 0000000100030a08 .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 130 0000000075a63890 1 byte [62] .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075f238ff 5 bytes JMP 00000001001b03fc .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 0000000075f23bee 3 bytes JMP 00000001001b0600 .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\syswow64\ADVAPI32.dll!DeleteService + 4 0000000075f23bf2 1 byte [8A] .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\syswow64\ADVAPI32.dll!SetServiceObjectSecurity 0000000075f666a9 5 bytes JMP 00000001001b1014 .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 0000000075f667a9 5 bytes JMP 00000001001b0804 .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 0000000075f66951 5 bytes JMP 00000001001b0a08 .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2A 0000000075f66a69 5 bytes JMP 00000001001b0c0c .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2W 0000000075f66bb1 5 bytes JMP 00000001001b0e10 .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075f66c71 5 bytes JMP 00000001001b01f8 .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007632bb98 5 bytes JMP 00000001001c0a08 .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 000000007632be5d 5 bytes JMP 00000001001c0804 .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000763310a0 5 bytes JMP 00000001001c0600 .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000763462ee 5 bytes JMP 00000001001c01f8 .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076346f22 5 bytes JMP 00000001001c03fc .text C:\Users\Maxi\Downloads\9h9uyg6w.exe[3880] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000076365f87 5 bytes JMP 00000001750647c0 ---- Threads - GMER 2.0 ---- Thread C:\Windows\system32\wininit.exe [660:688] 000007feff5e1560 Thread C:\Windows\system32\nvvsvc.exe [1020:192] 000007fefec0db20 Thread C:\Windows\System32\svchost.exe [300:1384] 000007fefb6f2d14 Thread C:\Windows\System32\svchost.exe [300:3564] 000007fefb6f9ab4 Thread C:\Windows\System32\svchost.exe [712:1256] 000007fefbf1f848 Thread C:\Windows\System32\svchost.exe [712:1412] 000007fefbbb54f0 Thread C:\Windows\System32\svchost.exe [712:1528] 000007fefd9b2ed4 Thread C:\Windows\System32\svchost.exe [712:3596] 000007fef7985c54 Thread C:\Windows\System32\svchost.exe [712:2452] 000007fef73362d0 Thread C:\Windows\System32\svchost.exe [712:3684] 000007fef7b55000 Thread C:\Windows\system32\SLsvc.exe [1124:1172] 000007feff5e1560 Thread C:\Windows\system32\SLsvc.exe [1124:1196] 000007fefee26c64 Thread C:\Windows\system32\svchost.exe [1272:2904] 000007fef7b1587c Thread C:\Windows\system32\svchost.exe [1272:3464] 000007fef7447be4 Thread C:\Windows\system32\svchost.exe [1272:3412] 000007fef7b55000 Thread C:\Windows\system32\svchost.exe [1272:4696] 000007fef8e51010 Thread C:\Windows\system32\svchost.exe [1272:4700] 000007fef8e51010 Thread C:\Windows\system32\svchost.exe [1272:4780] 000007fefc393d7c Thread C:\Windows\system32\svchost.exe [1272:4804] 000007fefc361520 Thread C:\Windows\system32\svchost.exe [1272:4812] 000007fefc355354 Thread C:\Windows\system32\svchost.exe [1272:4816] 000007fefc337624 Thread C:\Windows\system32\svchost.exe [1272:4832] 000007fefc322084 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:1552] 0000000074d1345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:1556] 0000000075eed1b9 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:1588] 0000000074a48d60 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:1648] 0000000074846fe0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:1652] 0000000074846900 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:1692] 0000000074d1345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:1084] 0000000074d1345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2104] 00000000776b7f3d Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2120] 000000007483c220 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2124] 000000007483c220 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2128] 000000007483c220 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2132] 000000007483d470 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2136] 000000007483ca80 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2140] 00000000748586a0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2144] 0000000074857480 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2148] 0000000074857850 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2152] 000000007483e780 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2156] 000000007483e780 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2160] 000000007483e780 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2176] 00000000746912f0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2180] 0000000074692c10 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2184] 0000000074692c10 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2396] 0000000074281070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2400] 0000000074d1345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2404] 0000000074d1345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2428] 0000000073df12f0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2432] 0000000074241000 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2436] 0000000074847b60 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2440] 000000007483e280 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2444] 0000000074d1345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2448] 0000000074955400 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2476] 00000000742816a0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2488] 0000000073ba6120 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2492] 0000000074241280 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2540] 0000000074a44290 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2544] 0000000074d1345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2552] 0000000074a48650 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2588] 0000000074a528c0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2592] 0000000074a56680 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2596] 0000000074a49280 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2608] 0000000074a50a60 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2612] 0000000074d1345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2620] 0000000074a4b070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2624] 0000000074a4b070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2628] 0000000074a4b070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2632] 0000000074a4b070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2636] 0000000074a4b070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2668] 00000000733c1670 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2672] 00000000733c1840 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2676] 0000000074d132ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2680] 0000000074d132ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2684] 0000000074d132ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2688] 0000000074d132ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2692] 0000000074d132ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2696] 0000000074d132ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2700] 0000000074d132ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2704] 0000000074d132ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2708] 0000000074d132ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2712] 0000000074d132ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2716] 0000000074d132ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:6496] 0000000077633f3d Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:4784] 00000000739b59da Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2356] 0000000074d132ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2568] 0000000075c31c50 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1508:2252] 0000000075c31c50 Thread C:\Windows\system32\nvvsvc.exe [1700:4456] 000000018002383c Thread C:\Windows\system32\nvvsvc.exe [1700:3924] 0000000001871b04 Thread C:\Windows\Explorer.EXE [2380:5088] 000007fefb031604 Thread C:\Windows\Explorer.EXE [2380:3844] 000007fefb152148 Thread C:\Windows\Explorer.EXE [2380:4420] 000007fef858785c Thread C:\Windows\Explorer.EXE [2380:3816] 000007fefc914298 Thread C:\Windows\Explorer.EXE [2380:3168] 000007fef8c25ce8 Thread C:\Windows\Explorer.EXE [2380:4272] 000007fef8c24460 Thread C:\Windows\Explorer.EXE [2380:1576] 000007fef837ae80 Thread C:\Windows\Explorer.EXE [2380:4712] 000007fefb556124 Thread C:\Windows\Explorer.EXE [2380:3432] 000007fefb4d1030 Thread C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe [2512:2640] 0000000073b549d9 Thread C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe [2512:2644] 0000000075c31c50 Thread C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe [2512:2732] 00000000732e4722 Thread C:\Windows\SysWOW64\ACEngSvr.exe [2336:512] 000007feff5e1560 Thread C:\Program Files (x86)\CenturyLink\QuickCare\bin\sprtsvc.exe [3276:3284] 0000000075eed1b9 Thread C:\Program Files (x86)\CenturyLink\QuickCare\bin\sprtsvc.exe [3276:4216] 0000000075c31c50 Thread C:\Program Files (x86)\CenturyLink\QuickCare\bin\tgsrvc.exe [3480:3600] 0000000075eed1b9 Thread C:\Windows\system32\SearchIndexer.exe [3792:4440] 000007fef74b41e0 Thread C:\ProgramData\BrowserProtect\2.6.1070.41\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe [6896:4320] 0000000075eed1b9 Thread C:\Windows\system32\wuauclt.exe [5172:5744] 000007feff5e1560 Thread C:\Windows\system32\sdclt.exe [4304:5636] 000007feff5e1560 Thread C:\Windows\system32\svchost.exe [4344:4760] 000007fefec0db20 Thread C:\Windows\system32\svchost.exe [4344:5184] 000007feff5e1560 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:2968] 000000006e0f628d Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:5536] 000000006e0f52c2 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:1912] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:3144] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:4740] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:5624] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:4088] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:7064] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:5200] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:2928] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:4876] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:5452] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:6540] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:1140] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:6972] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:5292] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:556] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:6940] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:2660] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:4132] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:6824] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:4596] 000000006dcaebc1 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:4448] 000000006ddaa14e Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:1668] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:4296] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:5460] 0000000075501496 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:4104] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:1940] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:5912] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:6440] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:5496] 00000000739b59da Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:2236] 0000000077633f3d Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:4116] 00000000776b7f3d Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:2920] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:5204] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:3672] 000000007299c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:1048] 0000000075c31c50 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [5376:3216] 0000000075c31c50 Thread C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe [3012:1244] 000000006e0f52c2 Thread C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe [3012:1236] 0000000069d0eb50 Thread C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe [3012:5596] 0000000069d0eb50 Thread C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe [3012:4436] 0000000077633f3d Thread C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe [3012:376] 00000000776b7f3d Thread C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe [3012:5928] 0000000069d0eb50 Thread C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe [3012:6552] 0000000069d0eb50 Thread C:\UsbFix\Go.exe [5948:2532] 0000000075c31c50 Thread C:\UsbFix\Go.exe [5948:5932] 00000000776b7f3d Thread C:\UsbFix\Go.exe [5948:4884] 00000000739b59da Thread C:\UsbFix\Go.exe [5948:3380] 0000000077633f3d ---- Processes - GMER 2.0 ---- Library ? (*** suspicious ***) @ C:\Windows\system32\lsm.exe [740] 000007fefd2d0000 Library ? (*** suspicious ***) @ C:\Windows\system32\winlogon.exe [844] 000007fefd410000 Library ? (*** suspicious ***) @ C:\Windows\System32\svchost.exe [300] 000007fefea60000 Library ? (*** suspicious ***) @ C:\Windows\System32\svchost.exe [712] 000007fefd2a0000 Library ? (*** suspicious ***) @ C:\Windows\system32\svchost.exe [1272] 000007fefd410000 Library ? (*** suspicious ***) @ C:\Windows\system32\WLANExt.exe [1444] 000007fefc710000 Library ? (*** suspicious ***) @ C:\Windows\system32\taskeng.exe [1752] 000007fefc710000 Library ? (*** suspicious ***) @ C:\Windows\system32\svchost.exe [1964] 000007fefb510000 Library ? (*** suspicious ***) @ C:\Program Files (x86)\ASUS\ASUS CopyProtect\aspg.exe [2276] 000007fefe8a0000 Library ? (*** suspicious ***) @ C:\Windows\Explorer.EXE [2380] 0000000010000000 Library ? (*** suspicious ***) @ C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe [2512] 00000000775f0000 Library ? (*** suspicious ***) @ C:\Program Files (x86)\ASUS\ATK Hotkey\MsgTranAgt64.exe [2520] 000007fefc5d0000 Library ? (*** suspicious ***) @ C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe [2648] 00000000775f0000 Library ? (*** suspicious ***) @ C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe [2736] 00000000775f0000 Library ? (*** suspicious ***) @ C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe [2840] 00000000775f0000 Library ? (*** suspicious ***) @ C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe [1352] 00000000775f0000 Library ? (*** suspicious ***) @ C:\Program Files (x86)\CenturyLink\QuickCare\bin\sprtsvc.exe [3276] 00000000775f0000 Library ? (*** suspicious ***) @ C:\Program Files (x86)\CenturyLink\QuickCare\bin\tgsrvc.exe [3480] 00000000775f0000 Library ? (*** suspicious ***) @ C:\Windows\system32\SearchIndexer.exe [3792] 000007fefc710000 Library ? (*** suspicious ***) @ C:\ProgramData\BrowserProtect\2.6.1070.41\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe [6896] 00000000775f0000 Library ? (*** suspicious ***) @ C:\Windows\SysWOW64\schtasks.exe [6976] 00000000775f0000 ---- Registry - GMER 2.0 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001d60c64678 Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001d60c64678 (not active ControlSet) ---- Disk sectors - GMER 2.0 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.0 ----