Dravinian

  1. That didn't work. I think I will try to install Ubuntu (Linux); I've been meaning to get a system with some sort of Linux on it. Hoping that it will wipe out (format) C: but leave my other partitions safe so I can still access the files there. We will see. But thank you very much for your time and expertise, freely given, and for the advice; I think I will take the advice about formatting.
  2. Unfortunately ComboFix is behaving like HJT and the others... nothing is happening. I can see it there in Processes, but it is using no CPU power and has a static 3.5k memory usage. This happens whether I drag the bundle I downloaded to install the Recovery Console, or if I just double-click on ComboFix.exe.
  3. OK, will do that ASAP; having some problems with that machine and getting online, so I'm posting this from a different machine. As for uTorrent, it's not a tool I use very often, but it is good for getting large updates to games like WoW and the recent Aion beta release, which was done by torrent. I don't really do P2P, as I tend to prefer Usenet.
  4. If we could clean it, that would be nice. I kind of figured it was pretty screwed over. I would rather not reformat, as it's quite an old install and I know I would never get all of the information from it that I would want/need. I would inevitably end up thinking in a week... oh crap, I can't access this or that any more now. If we could clean it, that would be much better.
  5. ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:368] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.368] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.368] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.368] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.368] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.368] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.368] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.368] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.368] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.368] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.368] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.368] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.368] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.368] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.368] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:320] SSDT 0x8A7578B8 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.320] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.320] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.320] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.320] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.320] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.320] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.320] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.320] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.320] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.320] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.320] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.320] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.320] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.320] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:672] SSDT 0x8A7578B8 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.672] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.672] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.672] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.672] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.672] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.672] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.672] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.672] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.672] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.672] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.672] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.672] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.672] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.672] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:680] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.680] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.680] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.680] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.680] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.680] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.680] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.680] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.680] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.680] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.680] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.680] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.680] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.680] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.680] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:708] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.708] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.708] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.708] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.708] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.708] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.708] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.708] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.708] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.708] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.708] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.708] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.708] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.708] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.708] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:712] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.712] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.712] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.712] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.712] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.712] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.712] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.712] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.712] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.712] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.712] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.712] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.712] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.712] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.712] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:816] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.816] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.816] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.816] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.816] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.816] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.816] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.816] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.816] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.816] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.816] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.816] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.816] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.816] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.816] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:820] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.820] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.820] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.820] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.820] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.820] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.820] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.820] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.820] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.820] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.820] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.820] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.820] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.820] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.820] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:932] SSDT 0x8A7578B8 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.932] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.932] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.932] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.932] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.932] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.932] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.932] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.932] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.932] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.932] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.932] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.932] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.932] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.932] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:512] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.512] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.512] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.512] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.512] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.512] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.512] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.512] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.512] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.512] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.512] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.512] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.512] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.512] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.512] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:1276] SSDT 0x8A7578B8 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.1276] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.1276] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.1276] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.1276] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.1276] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.1276] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.1276] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.1276] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.1276] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.1276] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.1276] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.1276] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.1276] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.1276] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:1628] SSDT 0x8A7578B8 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.1628] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.1628] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.1628] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.1628] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.1628] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.1628] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.1628] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.1628] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.1628] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.1628] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.1628] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.1628] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.1628] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.1628] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:1480] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.1480] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.1480] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.1480] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.1480] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.1480] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.1480] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.1480] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.1480] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.1480] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.1480] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.1480] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.1480] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.1480] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.1480] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:1460] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.1460] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.1460] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.1460] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.1460] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.1460] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.1460] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.1460] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.1460] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.1460] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.1460] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.1460] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.1460] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.1460] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.1460] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:1764] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.1764] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.1764] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.1764] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.1764] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.1764] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.1764] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.1764] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.1764] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.1764] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.1764] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.1764] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.1764] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.1764] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.1764] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:1808] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.1808] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.1808] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.1808] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.1808] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.1808] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.1808] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.1808] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.1808] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.1808] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.1808] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.1808] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.1808] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.1808] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.1808] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:1840] SSDT 0x8A7578B8 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.1840] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.1840] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.1840] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.1840] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.1840] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.1840] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.1840] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.1840] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.1840] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.1840] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.1840] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.1840] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.1840] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.1840] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:1848] SSDT 0x8A7578B8 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.1848] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.1848] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.1848] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.1848] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.1848] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.1848] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.1848] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.1848] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.1848] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.1848] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.1848] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.1848] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.1848] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.1848] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:1900] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.1900] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.1900] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.1900] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.1900] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.1900] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.1900] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.1900] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.1900] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.1900] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.1900] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.1900] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.1900] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.1900] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.1900] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:1904] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.1904] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.1904] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.1904] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.1904] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.1904] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.1904] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.1904] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.1904] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.1904] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.1904] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.1904] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.1904] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.1904] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.1904] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:1908] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.1908] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.1908] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.1908] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.1908] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.1908] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.1908] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.1908] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.1908] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.1908] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.1908] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.1908] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.1908] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.1908] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.1908] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:1912] SSDT 0x8A7578B8 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.1912] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.1912] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.1912] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.1912] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.1912] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.1912] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.1912] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.1912] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.1912] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.1912] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.1912] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.1912] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.1912] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.1912] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:1736] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.1736] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.1736] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.1736] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.1736] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.1736] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.1736] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.1736] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.1736] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.1736] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.1736] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.1736] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.1736] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.1736] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.1736] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:296] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.296] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.296] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.296] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.296] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.296] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.296] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.296] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.296] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.296] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.296] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.296] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.296] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.296] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.296] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:720] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.720] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.720] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.720] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.720] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.720] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.720] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.720] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.720] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.720] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.720] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.720] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.720] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.720] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.720] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:768] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.768] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.768] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.768] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.768] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.768] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.768] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.768] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.768] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.768] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.768] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.768] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.768] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.768] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.768] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:724] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.724] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.724] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.724] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.724] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.724] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.724] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.724] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.724] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.724] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.724] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.724] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.724] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.724] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.724] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1248:1800] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1248.1800] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1248.1800] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1248.1800] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1248.1800] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1248.1800] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1248.1800] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1248.1800] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1248.1800] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1248.1800] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1248.1800] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1248.1800] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1248.1800] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1248.1800] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1248.1800] ZwWriteVirtualMemory [0x897D171B]

     Library \\?\globalroot\systemroot\system32\UACedyrsvskgo.dll (*** hidden *** ) @ C:\windows\system32\svchost.exe [1500] 0x10000000
     Library \\?\globalroot\systemroot\system32\UACkbfnyprpfg.dll (*** hidden *** ) @ C:\windows\system32\svchost.exe [1500] 0x009D0000

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1500:1048] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1500.1048] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1500.1048] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1500.1048] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1500.1048] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1500.1048] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1500.1048] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1500.1048] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1500.1048] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1500.1048] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1500.1048] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1500.1048] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1500.1048] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1500.1048] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1500.1048] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1500:1212] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1500.1212] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1500.1212] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1500.1212] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1500.1212] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1500.1212] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1500.1212] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1500.1212] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1500.1212] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1500.1212] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1500.1212] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1500.1212] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1500.1212] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1500.1212] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1500.1212] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1500:748] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1500.748] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1500.748] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1500.748] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1500.748] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1500.748] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1500.748] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1500.748] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1500.748] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1500.748] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1500.748] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1500.748] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1500.748] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1500.748] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1500.748] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1500:1268] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1500.1268] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1500.1268] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1500.1268] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1500.1268] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1500.1268] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1500.1268] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1500.1268] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1500.1268] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1500.1268] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1500.1268] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1500.1268] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1500.1268] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1500.1268] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1500.1268] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1500:1528] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1500.1528] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1500.1528] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1500.1528] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1500.1528] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1500.1528] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1500.1528] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1500.1528] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1500.1528] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1500.1528] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1500.1528] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1500.1528] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1500.1528] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1500.1528] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1500.1528] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1500:1240] SSDT 0x8A758448 != 0x8050131C
     SSDT 00000B8A svchost.exe [1500.1240] ZwDeleteValueKey [0x897D15BD]
     SSDT 00000B8A svchost.exe [1500.1240] ZwEnumerateKey [0x897D126D]
     SSDT 00000B8A svchost.exe [1500.1240] ZwEnumerateValueKey [0x897D1379]
     SSDT 00000B8A svchost.exe [1500.1240] ZwOpenKey [0x897D11B5]
     SSDT 00000B8A svchost.exe [1500.1240] ZwOpenProcess [0x897D0F1F]
     SSDT 00000B8A svchost.exe [1500.1240] ZwOpenThread [0x897D0FA7]
     SSDT 00000B8A svchost.exe [1500.1240] ZwProtectVirtualMemory [0x897D1781]
     SSDT 00000B8A svchost.exe [1500.1240] ZwQuerySystemInformation [0x897D0E19]
     SSDT 00000B8A svchost.exe [1500.1240] ZwReadVirtualMemory [0x897D16B5]
     SSDT 00000B8A svchost.exe [1500.1240] ZwSetContextThread [0x897D1152]
     SSDT 00000B8A svchost.exe [1500.1240] ZwSetValueKey [0x897D14B9]
     SSDT 00000B8A svchost.exe [1500.1240] ZwSuspendThread [0x897D10EF]
     SSDT 00000B8A svchost.exe [1500.1240] ZwTerminateThread [0x897D108C]
     SSDT 00000B8A svchost.exe [1500.1240] ZwWriteVirtualMemory [0x897D171B]

     ---- Threads - GMER 1.0.15 ----
     Thread svchost.exe [1500:1844] SSDT 0x8A758448 !=
0x8050131C SSDT 00000B8A svchost.exe [1500.1844] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1500.1844] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1500.1844] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1500.1844] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1500.1844] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1500.1844] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1500.1844] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1500.1844] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1500.1844] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1500.1844] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1500.1844] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1500.1844] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1500.1844] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1500.1844] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread msiexec.exe [1616:1796] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A msiexec.exe [1616.1796] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A msiexec.exe [1616.1796] ZwEnumerateKey [0x897D126D] SSDT 00000B8A msiexec.exe [1616.1796] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A msiexec.exe [1616.1796] ZwOpenKey [0x897D11B5] SSDT 00000B8A msiexec.exe [1616.1796] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A msiexec.exe [1616.1796] ZwOpenThread [0x897D0FA7] SSDT 00000B8A msiexec.exe [1616.1796] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A msiexec.exe [1616.1796] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A msiexec.exe [1616.1796] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A msiexec.exe [1616.1796] ZwSetContextThread [0x897D1152] SSDT 00000B8A msiexec.exe [1616.1796] ZwSetValueKey [0x897D14B9] SSDT 00000B8A msiexec.exe [1616.1796] ZwSuspendThread [0x897D10EF] SSDT 00000B8A msiexec.exe [1616.1796] ZwTerminateThread [0x897D108C] SSDT 00000B8A msiexec.exe [1616.1796] 
ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread msiexec.exe [1616:1804] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A msiexec.exe [1616.1804] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A msiexec.exe [1616.1804] ZwEnumerateKey [0x897D126D] SSDT 00000B8A msiexec.exe [1616.1804] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A msiexec.exe [1616.1804] ZwOpenKey [0x897D11B5] SSDT 00000B8A msiexec.exe [1616.1804] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A msiexec.exe [1616.1804] ZwOpenThread [0x897D0FA7] SSDT 00000B8A msiexec.exe [1616.1804] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A msiexec.exe [1616.1804] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A msiexec.exe [1616.1804] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A msiexec.exe [1616.1804] ZwSetContextThread [0x897D1152] SSDT 00000B8A msiexec.exe [1616.1804] ZwSetValueKey [0x897D14B9] SSDT 00000B8A msiexec.exe [1616.1804] ZwSuspendThread [0x897D10EF] SSDT 00000B8A msiexec.exe [1616.1804] ZwTerminateThread [0x897D108C] SSDT 00000B8A msiexec.exe [1616.1804] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread spoolsv.exe [1692:264] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A spoolsv.exe [1692.264] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A spoolsv.exe [1692.264] ZwEnumerateKey [0x897D126D] SSDT 00000B8A spoolsv.exe [1692.264] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A spoolsv.exe [1692.264] ZwOpenKey [0x897D11B5] SSDT 00000B8A spoolsv.exe [1692.264] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A spoolsv.exe [1692.264] ZwOpenThread [0x897D0FA7] SSDT 00000B8A spoolsv.exe [1692.264] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A spoolsv.exe [1692.264] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A spoolsv.exe [1692.264] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A spoolsv.exe [1692.264] ZwSetContextThread [0x897D1152] SSDT 00000B8A spoolsv.exe [1692.264] ZwSetValueKey [0x897D14B9] SSDT 00000B8A spoolsv.exe [1692.264] ZwSuspendThread [0x897D10EF] SSDT 00000B8A 
spoolsv.exe [1692.264] ZwTerminateThread [0x897D108C] SSDT 00000B8A spoolsv.exe [1692.264] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread spoolsv.exe [1692:268] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A spoolsv.exe [1692.268] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A spoolsv.exe [1692.268] ZwEnumerateKey [0x897D126D] SSDT 00000B8A spoolsv.exe [1692.268] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A spoolsv.exe [1692.268] ZwOpenKey [0x897D11B5] SSDT 00000B8A spoolsv.exe [1692.268] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A spoolsv.exe [1692.268] ZwOpenThread [0x897D0FA7] SSDT 00000B8A spoolsv.exe [1692.268] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A spoolsv.exe [1692.268] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A spoolsv.exe [1692.268] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A spoolsv.exe [1692.268] ZwSetContextThread [0x897D1152] SSDT 00000B8A spoolsv.exe [1692.268] ZwSetValueKey [0x897D14B9] SSDT 00000B8A spoolsv.exe [1692.268] ZwSuspendThread [0x897D10EF] SSDT 00000B8A spoolsv.exe [1692.268] ZwTerminateThread [0x897D108C] SSDT 00000B8A spoolsv.exe [1692.268] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread spoolsv.exe [1692:356] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A spoolsv.exe [1692.356] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A spoolsv.exe [1692.356] ZwEnumerateKey [0x897D126D] SSDT 00000B8A spoolsv.exe [1692.356] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A spoolsv.exe [1692.356] ZwOpenKey [0x897D11B5] SSDT 00000B8A spoolsv.exe [1692.356] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A spoolsv.exe [1692.356] ZwOpenThread [0x897D0FA7] SSDT 00000B8A spoolsv.exe [1692.356] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A spoolsv.exe [1692.356] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A spoolsv.exe [1692.356] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A spoolsv.exe [1692.356] ZwSetContextThread [0x897D1152] SSDT 00000B8A spoolsv.exe [1692.356] ZwSetValueKey [0x897D14B9] SSDT 
00000B8A spoolsv.exe [1692.356] ZwSuspendThread [0x897D10EF] SSDT 00000B8A spoolsv.exe [1692.356] ZwTerminateThread [0x897D108C] SSDT 00000B8A spoolsv.exe [1692.356] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread spoolsv.exe [1692:284] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A spoolsv.exe [1692.284] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A spoolsv.exe [1692.284] ZwEnumerateKey [0x897D126D] SSDT 00000B8A spoolsv.exe [1692.284] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A spoolsv.exe [1692.284] ZwOpenKey [0x897D11B5] SSDT 00000B8A spoolsv.exe [1692.284] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A spoolsv.exe [1692.284] ZwOpenThread [0x897D0FA7] SSDT 00000B8A spoolsv.exe [1692.284] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A spoolsv.exe [1692.284] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A spoolsv.exe [1692.284] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A spoolsv.exe [1692.284] ZwSetContextThread [0x897D1152] SSDT 00000B8A spoolsv.exe [1692.284] ZwSetValueKey [0x897D14B9] SSDT 00000B8A spoolsv.exe [1692.284] ZwSuspendThread [0x897D10EF] SSDT 00000B8A spoolsv.exe [1692.284] ZwTerminateThread [0x897D108C] SSDT 00000B8A spoolsv.exe [1692.284] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread spoolsv.exe [1692:400] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A spoolsv.exe [1692.400] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A spoolsv.exe [1692.400] ZwEnumerateKey [0x897D126D] SSDT 00000B8A spoolsv.exe [1692.400] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A spoolsv.exe [1692.400] ZwOpenKey [0x897D11B5] SSDT 00000B8A spoolsv.exe [1692.400] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A spoolsv.exe [1692.400] ZwOpenThread [0x897D0FA7] SSDT 00000B8A spoolsv.exe [1692.400] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A spoolsv.exe [1692.400] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A spoolsv.exe [1692.400] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A spoolsv.exe [1692.400] ZwSetContextThread 
[0x897D1152] SSDT 00000B8A spoolsv.exe [1692.400] ZwSetValueKey [0x897D14B9] SSDT 00000B8A spoolsv.exe [1692.400] ZwSuspendThread [0x897D10EF] SSDT 00000B8A spoolsv.exe [1692.400] ZwTerminateThread [0x897D108C] SSDT 00000B8A spoolsv.exe [1692.400] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread spoolsv.exe [1692:472] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A spoolsv.exe [1692.472] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A spoolsv.exe [1692.472] ZwEnumerateKey [0x897D126D] SSDT 00000B8A spoolsv.exe [1692.472] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A spoolsv.exe [1692.472] ZwOpenKey [0x897D11B5] SSDT 00000B8A spoolsv.exe [1692.472] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A spoolsv.exe [1692.472] ZwOpenThread [0x897D0FA7] SSDT 00000B8A spoolsv.exe [1692.472] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A spoolsv.exe [1692.472] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A spoolsv.exe [1692.472] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A spoolsv.exe [1692.472] ZwSetContextThread [0x897D1152] SSDT 00000B8A spoolsv.exe [1692.472] ZwSetValueKey [0x897D14B9] SSDT 00000B8A spoolsv.exe [1692.472] ZwSuspendThread [0x897D10EF] SSDT 00000B8A spoolsv.exe [1692.472] ZwTerminateThread [0x897D108C] SSDT 00000B8A spoolsv.exe [1692.472] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread spoolsv.exe [1692:476] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A spoolsv.exe [1692.476] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A spoolsv.exe [1692.476] ZwEnumerateKey [0x897D126D] SSDT 00000B8A spoolsv.exe [1692.476] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A spoolsv.exe [1692.476] ZwOpenKey [0x897D11B5] SSDT 00000B8A spoolsv.exe [1692.476] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A spoolsv.exe [1692.476] ZwOpenThread [0x897D0FA7] SSDT 00000B8A spoolsv.exe [1692.476] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A spoolsv.exe [1692.476] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A spoolsv.exe [1692.476] 
ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A spoolsv.exe [1692.476] ZwSetContextThread [0x897D1152] SSDT 00000B8A spoolsv.exe [1692.476] ZwSetValueKey [0x897D14B9] SSDT 00000B8A spoolsv.exe [1692.476] ZwSuspendThread [0x897D10EF] SSDT 00000B8A spoolsv.exe [1692.476] ZwTerminateThread [0x897D108C] SSDT 00000B8A spoolsv.exe [1692.476] ZwWriteVirtualMemory [0x897D171B] Library \\?\globalroot\systemroot\system32\UACedyrsvskgo.dll (*** hidden *** ) @ C:\windows\system32\svchost.exe [1816] 0x10000000 Library \\?\globalroot\systemroot\system32\UACkbfnyprpfg.dll (*** hidden *** ) @ C:\windows\system32\svchost.exe [1816] 0x00A00000 ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1816:1820] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A svchost.exe [1816.1820] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1816.1820] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1816.1820] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1816.1820] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1816.1820] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1816.1820] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1816.1820] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1816.1820] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1816.1820] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1816.1820] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1816.1820] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1816.1820] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1816.1820] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1816.1820] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1816:1916] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [1816.1916] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1816.1916] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1816.1916] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A 
svchost.exe [1816.1916] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1816.1916] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1816.1916] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1816.1916] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1816.1916] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1816.1916] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1816.1916] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1816.1916] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1816.1916] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1816.1916] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1816.1916] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1816:1960] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A svchost.exe [1816.1960] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1816.1960] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1816.1960] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1816.1960] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1816.1960] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1816.1960] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1816.1960] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1816.1960] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1816.1960] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1816.1960] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1816.1960] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1816.1960] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1816.1960] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1816.1960] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1816:2004] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [1816.2004] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1816.2004] 
ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1816.2004] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1816.2004] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1816.2004] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1816.2004] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1816.2004] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1816.2004] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1816.2004] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1816.2004] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1816.2004] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1816.2004] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1816.2004] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1816.2004] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1816:2016] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [1816.2016] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1816.2016] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1816.2016] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1816.2016] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1816.2016] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1816.2016] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1816.2016] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1816.2016] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1816.2016] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1816.2016] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1816.2016] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1816.2016] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1816.2016] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1816.2016] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1816:2032] SSDT 0x8A758448 != 0x8050131C 
SSDT 00000B8A svchost.exe [1816.2032] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1816.2032] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1816.2032] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1816.2032] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1816.2032] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1816.2032] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1816.2032] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1816.2032] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1816.2032] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1816.2032] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1816.2032] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1816.2032] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1816.2032] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1816.2032] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1816:576] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [1816.576] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1816.576] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1816.576] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1816.576] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1816.576] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1816.576] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1816.576] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1816.576] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1816.576] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1816.576] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1816.576] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1816.576] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1816.576] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1816.576] ZwWriteVirtualMemory [0x897D171B] 
---- Threads - GMER 1.0.15 ---- Thread 23be4qiz.exe [2168:2172] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A 23be4qiz.exe [2168.2172] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A 23be4qiz.exe [2168.2172] ZwEnumerateKey [0x897D126D] SSDT 00000B8A 23be4qiz.exe [2168.2172] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A 23be4qiz.exe [2168.2172] ZwOpenKey [0x897D11B5] SSDT 00000B8A 23be4qiz.exe [2168.2172] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A 23be4qiz.exe [2168.2172] ZwOpenThread [0x897D0FA7] SSDT 00000B8A 23be4qiz.exe [2168.2172] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A 23be4qiz.exe [2168.2172] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A 23be4qiz.exe [2168.2172] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A 23be4qiz.exe [2168.2172] ZwSetContextThread [0x897D1152] SSDT 00000B8A 23be4qiz.exe [2168.2172] ZwSetValueKey [0x897D14B9] SSDT 00000B8A 23be4qiz.exe [2168.2172] ZwSuspendThread [0x897D10EF] SSDT 00000B8A 23be4qiz.exe [2168.2172] ZwTerminateThread [0x897D108C] SSDT 00000B8A 23be4qiz.exe [2168.2172] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread 23be4qiz.exe [2168:2176] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A 23be4qiz.exe [2168.2176] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A 23be4qiz.exe [2168.2176] ZwEnumerateKey [0x897D126D] SSDT 00000B8A 23be4qiz.exe [2168.2176] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A 23be4qiz.exe [2168.2176] ZwOpenKey [0x897D11B5] SSDT 00000B8A 23be4qiz.exe [2168.2176] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A 23be4qiz.exe [2168.2176] ZwOpenThread [0x897D0FA7] SSDT 00000B8A 23be4qiz.exe [2168.2176] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A 23be4qiz.exe [2168.2176] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A 23be4qiz.exe [2168.2176] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A 23be4qiz.exe [2168.2176] ZwSetContextThread [0x897D1152] SSDT 00000B8A 23be4qiz.exe [2168.2176] ZwSetValueKey [0x897D14B9] SSDT 00000B8A 23be4qiz.exe [2168.2176] ZwSuspendThread [0x897D10EF] SSDT 
00000B8A 23be4qiz.exe [2168.2176] ZwTerminateThread [0x897D108C] SSDT 00000B8A 23be4qiz.exe [2168.2176] ZwWriteVirtualMemory [0x897D171B] Library \\?\globalroot\systemroot\system32\UACedyrsvskgo.dll (*** hidden *** ) @ C:\windows\System32\svchost.exe [2364] 0x10000000 Library \\?\globalroot\systemroot\system32\UACkbfnyprpfg.dll (*** hidden *** ) @ C:\windows\System32\svchost.exe [2364] 0x009F0000 ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [2364:2368] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A svchost.exe [2364.2368] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [2364.2368] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [2364.2368] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [2364.2368] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [2364.2368] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [2364.2368] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [2364.2368] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [2364.2368] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [2364.2368] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [2364.2368] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [2364.2368] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [2364.2368] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [2364.2368] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [2364.2368] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [2364:2372] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [2364.2372] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [2364.2372] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [2364.2372] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [2364.2372] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [2364.2372] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [2364.2372] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [2364.2372] 
ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [2364.2372] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [2364.2372] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [2364.2372] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [2364.2372] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [2364.2372] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [2364.2372] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [2364.2372] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [2364:2376] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [2364.2376] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [2364.2376] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [2364.2376] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [2364.2376] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [2364.2376] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [2364.2376] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [2364.2376] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [2364.2376] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [2364.2376] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [2364.2376] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [2364.2376] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [2364.2376] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [2364.2376] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [2364.2376] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [2364:2380] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [2364.2380] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [2364.2380] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [2364.2380] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [2364.2380] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [2364.2380] ZwOpenProcess 
[0x897D0F1F] SSDT 00000B8A svchost.exe [2364.2380] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [2364.2380] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [2364.2380] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [2364.2380] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [2364.2380] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [2364.2380] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [2364.2380] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [2364.2380] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [2364.2380] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [2364:2384] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [2364.2384] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [2364.2384] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [2364.2384] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [2364.2384] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [2364.2384] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [2364.2384] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [2364.2384] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [2364.2384] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [2364.2384] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [2364.2384] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [2364.2384] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [2364.2384] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [2364.2384] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [2364.2384] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [2364:2388] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [2364.2388] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [2364.2388] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [2364.2388] ZwEnumerateValueKey [0x897D1379] SSDT 
00000B8A svchost.exe [2364.2388] ZwOpenKey [0x897D11B5]
SSDT 00000B8A svchost.exe [2364.2388] ZwOpenProcess [0x897D0F1F]
SSDT 00000B8A svchost.exe [2364.2388] ZwOpenThread [0x897D0FA7]
SSDT 00000B8A svchost.exe [2364.2388] ZwProtectVirtualMemory [0x897D1781]
SSDT 00000B8A svchost.exe [2364.2388] ZwQuerySystemInformation [0x897D0E19]
SSDT 00000B8A svchost.exe [2364.2388] ZwReadVirtualMemory [0x897D16B5]
SSDT 00000B8A svchost.exe [2364.2388] ZwSetContextThread [0x897D1152]
SSDT 00000B8A svchost.exe [2364.2388] ZwSetValueKey [0x897D14B9]
SSDT 00000B8A svchost.exe [2364.2388] ZwSuspendThread [0x897D10EF]
SSDT 00000B8A svchost.exe [2364.2388] ZwTerminateThread [0x897D108C]
SSDT 00000B8A svchost.exe [2364.2388] ZwWriteVirtualMemory [0x897D171B]

---- Threads - GMER 1.0.15 ----

Thread svchost.exe [2364:2392]
SSDT 0x8A758448 != 0x8050131C
SSDT 00000B8A svchost.exe [2364.2392] ZwDeleteValueKey [0x897D15BD]
SSDT 00000B8A svchost.exe [2364.2392] ZwEnumerateKey [0x897D126D]
SSDT 00000B8A svchost.exe [2364.2392] ZwEnumerateValueKey [0x897D1379]
SSDT 00000B8A svchost.exe [2364.2392] ZwOpenKey [0x897D11B5]
SSDT 00000B8A svchost.exe [2364.2392] ZwOpenProcess [0x897D0F1F]
SSDT 00000B8A svchost.exe [2364.2392] ZwOpenThread [0x897D0FA7]
SSDT 00000B8A svchost.exe [2364.2392] ZwProtectVirtualMemory [0x897D1781]
SSDT 00000B8A svchost.exe [2364.2392] ZwQuerySystemInformation [0x897D0E19]
SSDT 00000B8A svchost.exe [2364.2392] ZwReadVirtualMemory [0x897D16B5]
SSDT 00000B8A svchost.exe [2364.2392] ZwSetContextThread [0x897D1152]
SSDT 00000B8A svchost.exe [2364.2392] ZwSetValueKey [0x897D14B9]
SSDT 00000B8A svchost.exe [2364.2392] ZwSuspendThread [0x897D10EF]
SSDT 00000B8A svchost.exe [2364.2392] ZwTerminateThread [0x897D108C]
SSDT 00000B8A svchost.exe [2364.2392] ZwWriteVirtualMemory [0x897D171B]

---- Threads - GMER 1.0.15 ----

Thread svchost.exe [2364:2396]
SSDT 0x8A758448 != 0x8050131C
SSDT 00000B8A svchost.exe [2364.2396] ZwDeleteValueKey [0x897D15BD]
SSDT 00000B8A svchost.exe [2364.2396] ZwEnumerateKey [0x897D126D]
SSDT 00000B8A svchost.exe [2364.2396] ZwEnumerateValueKey [0x897D1379]
SSDT 00000B8A svchost.exe [2364.2396] ZwOpenKey [0x897D11B5]
SSDT 00000B8A svchost.exe [2364.2396] ZwOpenProcess [0x897D0F1F]
SSDT 00000B8A svchost.exe [2364.2396] ZwOpenThread [0x897D0FA7]
SSDT 00000B8A svchost.exe [2364.2396] ZwProtectVirtualMemory [0x897D1781]
SSDT 00000B8A svchost.exe [2364.2396] ZwQuerySystemInformation [0x897D0E19]
SSDT 00000B8A svchost.exe [2364.2396] ZwReadVirtualMemory [0x897D16B5]
SSDT 00000B8A svchost.exe [2364.2396] ZwSetContextThread [0x897D1152]
SSDT 00000B8A svchost.exe [2364.2396] ZwSetValueKey [0x897D14B9]
SSDT 00000B8A svchost.exe [2364.2396] ZwSuspendThread [0x897D10EF]
SSDT 00000B8A svchost.exe [2364.2396] ZwTerminateThread [0x897D108C]
SSDT 00000B8A svchost.exe [2364.2396] ZwWriteVirtualMemory [0x897D171B]

---- Threads - GMER 1.0.15 ----

Thread svchost.exe [2364:2400]
SSDT 0x8A758448 != 0x8050131C
SSDT 00000B8A svchost.exe [2364.2400] ZwDeleteValueKey [0x897D15BD]
SSDT 00000B8A svchost.exe [2364.2400] ZwEnumerateKey [0x897D126D]
SSDT 00000B8A svchost.exe [2364.2400] ZwEnumerateValueKey [0x897D1379]
SSDT 00000B8A svchost.exe [2364.2400] ZwOpenKey [0x897D11B5]
SSDT 00000B8A svchost.exe [2364.2400] ZwOpenProcess [0x897D0F1F]
SSDT 00000B8A svchost.exe [2364.2400] ZwOpenThread [0x897D0FA7]
SSDT 00000B8A svchost.exe [2364.2400] ZwProtectVirtualMemory [0x897D1781]
SSDT 00000B8A svchost.exe [2364.2400] ZwQuerySystemInformation [0x897D0E19]
SSDT 00000B8A svchost.exe [2364.2400] ZwReadVirtualMemory [0x897D16B5]
SSDT 00000B8A svchost.exe [2364.2400] ZwSetContextThread [0x897D1152]
SSDT 00000B8A svchost.exe [2364.2400] ZwSetValueKey [0x897D14B9]
SSDT 00000B8A svchost.exe [2364.2400] ZwSuspendThread [0x897D10EF]
SSDT 00000B8A svchost.exe [2364.2400] ZwTerminateThread [0x897D108C]
SSDT 00000B8A svchost.exe [2364.2400] ZwWriteVirtualMemory [0x897D171B]

---- Services - GMER 1.0.15 ----

Service C:\windows\system32\drivers\kbiwkmyiooxljg.sys (*** hidden *** ) [SYSTEM] kbiwkmjtunaoro <-- ROOTKIT !!!
Service C:\windows\system32\drivers\ndhgcng.sys (*** hidden *** ) [AUTO] rjbdive <-- ROOTKIT !!!
Service C:\windows\system32\drivers\UACtttkdtqmsx.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] \systemroot\system32\drivers\kbiwkmyiooxljg.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\[email protected] 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\[email protected] 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\main\[email protected]* kbiwkmwsp8p.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\main\[email protected] kbiwkmcone.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\drivers\kbiwkmyiooxljg.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\kbiwkmubyuejwq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\kbiwkmcmxsffyl.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\kbiwkmypjbwyfo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\kbiwkmafdsnwrr.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\kbiwkmyodacmsm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\kbiwkmijiaogip.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\kbiwkmvsiwqvrs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\kbiwkmyunfyrxp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\kbiwkmngwyhiky.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rjbdive
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] \??\C:\windows\system32\drivers\ndhgcng.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] rjbdive
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 0x03 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected]_sleepfreq 0x10 0x0E 0x00 0x00
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected]_servers_list 0x68 0x74 0x74 0x70 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\rjbdive\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\rjbdive\[email protected] 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0x71 0x6F 0x71 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0xB0 0xE0 0xD7 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0x2B 0xAD 0x7E 0xA2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0xEF 0xB8 0x6E 0x28 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0xC8 0xC8 0x6E 0x36 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0x74 0xD5 0x1A 0x7E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] \systemroot\system32\drivers\UACtttkdtqmsx.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\drivers\UACtttkdtqmsx.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACvkopwjmwnr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACedyrsvskgo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACdanwodomhd.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACmmhgxocprs.db
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACkbfnyprpfg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACiswsbomawk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACnenwosvnym.log
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] \systemroot\system32\drivers\kbiwkmyiooxljg.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\[email protected] 10002
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\[email protected] 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\[email protected] 14400
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\main\[email protected]* kbiwkmwsp8p.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\main\[email protected] kbiwkmcone.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\drivers\kbiwkmyiooxljg.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\kbiwkmubyuejwq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\kbiwkmcmxsffyl.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\kbiwkmypjbwyfo.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\kbiwkmafdsnwrr.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\kbiwkmyodacmsm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\kbiwkmijiaogip.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\kbiwkmvsiwqvrs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\kbiwkmyunfyrxp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmjtunaoro\[email protected] \systemroot\system32\kbiwkmngwyhiky.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] 0x71 0x6F 0x71 0x2D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] 0xB0 0xE0 0xD7 0xA9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] 0x2B 0xAD 0x7E 0xA2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] 0xEF 0xB8 0x6E 0x28 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] 0xC8 0xC8 0x6E 0x36 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] 0x74 0xD5 0x1A 0x7E ...
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] \systemroot\system32\drivers\UACtttkdtqmsx.sys
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\drivers\UACtttkdtqmsx.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACvkopwjmwnr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACedyrsvskgo.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACdanwodomhd.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACmmhgxocprs.db
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACkbfnyprpfg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACiswsbomawk.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected] \\?\globalroot\systemroot\system32\UACnenwosvnym.log
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected]
71F053381DCB8CF0F59F45414C21269CB8F0CDE1349D5F77D7BCC9CB6BFD95B74765CD13B084DE7426E5EEE34FF89889943B8E8DF4F1FBC52998415835744EEDEBE5C0AE885D140CE41CEC1AE7A1E30DBC66DD83EED5BC3869150A521390ECE66CE4F353EE92951C2312F0EEFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E6675D575E7D6A3B9808A9C6AECB7A5D14078EDD5E5BE2F6E667AC78E86B32633D9FAF8A13C6381AE88721F455C133CFA27CD918CB46A723F12DF41F8F5E0EE8153897242B41263B425EC5B22DB54EE2FA904C933D427207EF47B26747B110B572A5459638DAC0B5F3F8A90847C9582C1D0006B34EAA9591EF7D39FA380CDD74F5A71CD87A720F90875E5F581BB1DB309CB26CE8D1A43AE32CBE5DF52FAA638425D104515577DE08EB658078C83326A86D65E81640EDCFD3444DF9E59ADDCDF6670A6860D4EF3E0C70B8A9B2102947806B2A681233D487EB3B3E7051900A1394898B38D32375833F4BD87B45D80095D8D564DDA7E93C5769F87A9F30472668D5BB6568F292B5C47917999B622C3DA807CC4DBE95479C7A3CC842F06C1A3FC8E912786F7597EFDFC6CE23B02F37F35F12D8F00410D1006D0B5AA44D688A77F5B3857D4A894B7C74E5567169C54D5059B7E2B12C3D3585F3AF40092576BB8 ---- EOF - GMER 1.0.15 ----
  6. GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-09 16:51:36
Windows 5.1.2600 Service Pack 2
Running: 23be4qiz.exe; Driver: C:\DOCUME~1\Fong\LOCALS~1\Temp\uwtdypob.sys

---- System - GMER 1.0.15 ----

Code 8A93533E ZwEnumerateKey
Code 8A934FD6 ZwFlushInstructionCache
Code 8A938426 ZwSaveKey
Code 8A9382AE ZwSaveKeyEx
Code 8A9357D5 IofCallDriver
Code 8A935A75 IofCompleteRequest
Code 8A93282D ZwSaveKey
Code 8A9250B5 ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE0E6 5 Bytes JMP 8A9357DA
.text ntkrnlpa.exe!IofCompleteRequest 804EE176 5 Bytes JMP 8A935A7A
.text ntkrnlpa.exe!ZwSaveKey 804FE584 5 Bytes JMP 8A932832
.text ntkrnlpa.exe!ZwSaveKeyEx 804FE598 5 Bytes JMP 8A9250BA
.text ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel + 816 8053C83A 4 Bytes CALL 897D21D2 00000B8A
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805AACBA 5 Bytes JMP 8A934FDA
PAGE ntkrnlpa.exe!ZwSaveKey 8061748A 5 Bytes JMP 8A93842A
PAGE ntkrnlpa.exe!ZwSaveKeyEx 8061751A 5 Bytes JMP 8A9382B2
PAGE ntkrnlpa.exe!ZwEnumerateKey 80619820 5 Bytes JMP 8A935342
? C:\windows\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B959A7AE 5 Bytes JMP 8A8485A0
? System32\Drivers\alxn12du.SYS The system cannot find the path specified. !
? 00000B8A The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\Iexplore.exe[560] USER32.dll!DialogBoxIndirectParamW 77D6204B 5 Bytes JMP 7E38C510 C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[560] USER32.dll!MessageBoxIndirectA 77D6A062 5 Bytes JMP 7E38C491 C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[560] USER32.dll!DialogBoxParamA 77D6B124 5 Bytes JMP 7E38C4D5 C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[560] USER32.dll!MessageBoxExW 77D80540 5 Bytes JMP 7E38C3D9 C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[560] USER32.dll!MessageBoxExA 77D80564 5 Bytes JMP 7E38C413 C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[560] USER32.dll!DialogBoxIndirectParamA 77D86CB5 5 Bytes JMP 7E38C54B C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[560] USER32.dll!MessageBoxIndirectW 77D9609B 5 Bytes JMP 7E38C44D C:\windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[560] WININET.dll!HttpAddRequestHeadersA 771C0FA7 5 Bytes JMP 0108000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[560] WININET.dll!HttpAddRequestHeadersW 77228A3D 5 Bytes JMP 0128000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[560] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00D627E0
.text C:\Program Files\Internet Explorer\Iexplore.exe[560] WS2_32.dll!send 71AB428A 5 Bytes JMP 00D627C0
.text C:\Program Files\Internet Explorer\Iexplore.exe[560] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00D627A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[560] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00D629A0

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6C0AD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6C0C1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6C0B9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6C1748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6C161E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6D5ACA] sptd.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\windows\Explorer.EXE[420] @ C:\windows\Explorer.EXE [USER32.dll!TranslateMessage] 015E5736
IAT C:\windows\Explorer.EXE[420] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 015E51CB
IAT C:\windows\Explorer.EXE[420] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 015E5117
IAT C:\windows\Explorer.EXE[420] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 015E50B2
IAT C:\windows\Explorer.EXE[420] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtCreateThread] 015E5080
IAT C:\windows\Explorer.EXE[420] @ C:\windows\system32\ole32.dll [USER32.dll!GetClipboardData] 015E5484
IAT C:\windows\Explorer.EXE[420] @ C:\windows\system32\ole32.dll [USER32.dll!TranslateMessage] 015E5736
IAT C:\windows\Explorer.EXE[420] @ C:\windows\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 015E5736
IAT C:\windows\Explorer.EXE[420] @ C:\windows\system32\SHELL32.dll [USER32.dll!TranslateMessage] 015E5736
IAT C:\windows\Explorer.EXE[420] @ C:\windows\system32\SHELL32.dll [USER32.dll!GetClipboardData] 015E5484
IAT C:\windows\Explorer.EXE[420] @ C:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 015E51CB
IAT C:\windows\system32\services.exe[852] @ C:\windows\system32\services.exe [ntdll.dll!NtQueryDirectoryFile] 013A51CB
IAT C:\windows\system32\services.exe[852] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 013A51CB
IAT C:\windows\system32\services.exe[852] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 013A5117
IAT C:\windows\system32\services.exe[852] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 013A50B2
IAT C:\windows\system32\services.exe[852] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtCreateThread] 013A5080
IAT C:\windows\system32\services.exe[852] @ C:\windows\system32\ole32.dll [USER32.dll!GetClipboardData] 013A5484
IAT C:\windows\system32\services.exe[852] @ C:\windows\system32\ole32.dll [USER32.dll!TranslateMessage] 013A5736
IAT C:\windows\system32\services.exe[852] @ C:\windows\system32\SHELL32.dll [USER32.dll!TranslateMessage] 013A5736
IAT C:\windows\system32\services.exe[852] @ C:\windows\system32\SHELL32.dll [USER32.dll!GetClipboardData] 013A5484
IAT C:\windows\system32\services.exe[852] @ C:\windows\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 013A5736
IAT C:\windows\system32\services.exe[852] @ C:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 013A51CB
IAT C:\windows\system32\lsass.exe[864] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00F551CB
IAT C:\windows\system32\lsass.exe[864] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00F55117
IAT C:\windows\system32\lsass.exe[864] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00F550B2
IAT C:\windows\system32\lsass.exe[864] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00F55080
IAT C:\windows\system32\lsass.exe[864] @ C:\windows\system32\LSASRV.dll [ntdll.dll!LdrLoadDll] 00F55117
IAT C:\windows\system32\lsass.exe[864] @ C:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00F551CB
IAT C:\windows\system32\lsass.exe[864] @ C:\windows\system32\SAMSRV.dll [ntdll.dll!LdrLoadDll] 00F55117
IAT C:\windows\system32\lsass.exe[864] @ C:\windows\system32\SAMSRV.dll [ntdll.dll!LdrGetProcedureAddress] 00F550B2
IAT C:\windows\system32\lsass.exe[864] @ C:\windows\system32\ole32.dll [USER32.dll!GetClipboardData] 00F55484
IAT C:\windows\system32\lsass.exe[864] @ C:\windows\system32\ole32.dll [USER32.dll!TranslateMessage] 00F55736
IAT C:\windows\system32\lsass.exe[864] @ C:\windows\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00F55736
IAT C:\windows\system32\lsass.exe[864] @ C:\windows\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00F55484
IAT C:\windows\system32\lsass.exe[864] @ C:\windows\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00F55736
IAT C:\windows\system32\svchost.exe[1036] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtCreateThread] 02AE5080
IAT C:\windows\System32\alg.exe[1140] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 004051CB
IAT C:\windows\System32\alg.exe[1140] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00405117
IAT C:\windows\System32\alg.exe[1140] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 004050B2
IAT C:\windows\System32\alg.exe[1140] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00405080
IAT C:\windows\System32\alg.exe[1140] @ C:\windows\system32\ole32.dll [USER32.dll!GetClipboardData] 00405484
IAT C:\windows\System32\alg.exe[1140] @ C:\windows\system32\ole32.dll [USER32.dll!TranslateMessage] 00405736
IAT C:\windows\System32\alg.exe[1140] @ C:\windows\System32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 004051CB
IAT C:\windows\System32\alg.exe[1140] @ C:\windows\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00405736
IAT C:\windows\System32\alg.exe[1140] @ C:\windows\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00405484
IAT C:\windows\System32\alg.exe[1140] @ C:\windows\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00405736
IAT C:\windows\system32\svchost.exe[1152] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00FB51CB
IAT C:\windows\system32\svchost.exe[1152] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00FB5117
IAT C:\windows\system32\svchost.exe[1152] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00FB50B2
IAT C:\windows\system32\svchost.exe[1152] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00FB5080
IAT C:\windows\system32\svchost.exe[1152] @ C:\windows\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00FB5736
IAT C:\windows\system32\svchost.exe[1152] @ C:\windows\system32\ole32.dll [USER32.dll!GetClipboardData] 00FB5484
IAT C:\windows\system32\svchost.exe[1152] @ C:\windows\system32\ole32.dll [USER32.dll!TranslateMessage] 00FB5736
IAT C:\windows\system32\svchost.exe[1152] @ C:\windows\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00FB5736
IAT C:\windows\system32\svchost.exe[1152] @ C:\windows\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00FB5484
IAT C:\windows\system32\svchost.exe[1152] @ C:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00FB51CB
IAT C:\windows\System32\svchost.exe[1248] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 01A051CB
IAT C:\windows\System32\svchost.exe[1248] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 01A05117
IAT C:\windows\System32\svchost.exe[1248] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 01A050B2
IAT C:\windows\System32\svchost.exe[1248] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtCreateThread] 01A05080
IAT C:\windows\System32\svchost.exe[1248] @ C:\windows\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 01A05736
IAT C:\windows\System32\svchost.exe[1248] @ C:\windows\system32\ole32.dll [USER32.dll!GetClipboardData] 01A05484
IAT C:\windows\System32\svchost.exe[1248] @ C:\windows\system32\ole32.dll [USER32.dll!TranslateMessage] 01A05736
IAT C:\windows\System32\svchost.exe[1248] @ C:\windows\system32\SHELL32.dll [USER32.dll!TranslateMessage] 01A05736
IAT C:\windows\System32\svchost.exe[1248] @ C:\windows\system32\SHELL32.dll [USER32.dll!GetClipboardData] 01A05484
IAT C:\windows\System32\svchost.exe[1248] @ C:\windows\System32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 01A051CB
IAT C:\WINDOWS\system32\msiexec.exe[1616] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 004051CB
IAT C:\WINDOWS\system32\msiexec.exe[1616] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00405117
IAT C:\WINDOWS\system32\msiexec.exe[1616] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 004050B2
IAT C:\WINDOWS\system32\msiexec.exe[1616] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00405080
IAT C:\WINDOWS\system32\msiexec.exe[1616] @ C:\windows\system32\ole32.dll [USER32.dll!GetClipboardData] 00405484
IAT C:\WINDOWS\system32\msiexec.exe[1616] @ C:\windows\system32\ole32.dll [USER32.dll!TranslateMessage] 00405736
IAT C:\WINDOWS\system32\msiexec.exe[1616] @ C:\windows\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00405736
IAT C:\WINDOWS\system32\msiexec.exe[1616] @ C:\windows\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00405484
IAT C:\WINDOWS\system32\msiexec.exe[1616] @ C:\windows\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00405736
IAT C:\WINDOWS\system32\msiexec.exe[1616] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 004051CB
IAT C:\windows\system32\svchost.exe[1816] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 004051CB
IAT C:\windows\system32\svchost.exe[1816] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00405117
IAT C:\windows\system32\svchost.exe[1816] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 004050B2
IAT C:\windows\system32\svchost.exe[1816] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00405080
IAT C:\windows\system32\svchost.exe[1816] @ C:\windows\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00405736
IAT C:\windows\system32\svchost.exe[1816] @ C:\windows\system32\ole32.dll [USER32.dll!GetClipboardData] 00405484
IAT C:\windows\system32\svchost.exe[1816] @ C:\windows\system32\ole32.dll [USER32.dll!TranslateMessage] 00405736
IAT C:\windows\system32\svchost.exe[1816] @ C:\windows\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00405736
IAT C:\windows\system32\svchost.exe[1816] @ C:\windows\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00405484
IAT C:\windows\system32\svchost.exe[1816] @ C:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 004051CB
IAT C:\Documents and Settings\Fong\Desktop\23be4qiz.exe[2168] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 001451CB
IAT C:\Documents and Settings\Fong\Desktop\23be4qiz.exe[2168] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00145117
IAT C:\Documents and Settings\Fong\Desktop\23be4qiz.exe[2168] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 001450B2
IAT C:\Documents and Settings\Fong\Desktop\23be4qiz.exe[2168] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00145080
IAT C:\Documents and Settings\Fong\Desktop\23be4qiz.exe[2168] @ C:\windows\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00145736
IAT C:\Documents and Settings\Fong\Desktop\23be4qiz.exe[2168] @ C:\windows\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00145736
IAT C:\Documents and Settings\Fong\Desktop\23be4qiz.exe[2168] @ C:\windows\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00145484
IAT C:\Documents and Settings\Fong\Desktop\23be4qiz.exe[2168] @ C:\windows\system32\ole32.dll [USER32.dll!GetClipboardData] 00145484
IAT C:\Documents and Settings\Fong\Desktop\23be4qiz.exe[2168] @ C:\windows\system32\ole32.dll [USER32.dll!TranslateMessage] 00145736
IAT C:\Documents and Settings\Fong\Desktop\23be4qiz.exe[2168] @ C:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 001451CB
IAT C:\windows\System32\svchost.exe[2364] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 004051CB
IAT C:\windows\System32\svchost.exe[2364] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00405117
IAT C:\windows\System32\svchost.exe[2364] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 004050B2
IAT C:\windows\System32\svchost.exe[2364] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00405080
IAT C:\windows\System32\svchost.exe[2364] @ C:\windows\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00405736
IAT C:\windows\System32\svchost.exe[2364] @ C:\windows\system32\ole32.dll [USER32.dll!GetClipboardData] 00405484
IAT C:\windows\System32\svchost.exe[2364] @ C:\windows\system32\ole32.dll [USER32.dll!TranslateMessage] 00405736
IAT C:\windows\System32\svchost.exe[2364] @ C:\windows\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00405736
IAT C:\windows\System32\svchost.exe[2364] @ C:\windows\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00405484
IAT C:\windows\System32\svchost.exe[2364] @ C:\windows\System32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 004051CB

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AF421E8
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\usbohci \Device\USBPDO-0 8A8537A0
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AF441E8
Device \Driver\dmio \Device\DmControl\DmConfig 8AF441E8
Device \Driver\dmio \Device\DmControl\DmPnP 8AF441E8
Device \Driver\dmio \Device\DmControl\DmInfo 8AF441E8
Device \Driver\usbehci \Device\USBPDO-1 8A8F25C8
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AED91E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AED91E8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8AED91E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8AED81E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 8AED81E8
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 8AED81E8
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\NetBT \Device\NetBt_Wins_Export 8AC3B620
Device \Driver\NetBT \Device\NetBT_Tcpip_{DA5111B4-4FD1-4B9D-A8AE-FA4483C4DF47} 8AC3B620
Device \Driver\NetBT \Device\NetbiosSmb 8AC3B620
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\usbohci \Device\USBFDO-0 8A8537A0
Device \Driver\usbehci \Device\USBFDO-1 8A8F25C8
Device \Driver\nvata \Device\NvAta0 8AF431E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A91B7A0
Device \Driver\PCI_NTPNP4864 \Device00006e sptd.sys
Device \Driver\nvata \Device\NvAta1 8AF431E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A91B7A0
Device \Driver\rjbdive \Device\{9DD6AFA1-8646-4720-836B-EDCB1085864A} 00000B8A
Device \Driver\nvata \Device\NvAta2 8AF431E8
Device \Driver\Ftdisk \Device\FtControl 8AED91E8
Device \Driver\alxn12du \Device\Scsi\alxn12du1Port5Path0Target3Lun0 8A83D5C0
Device \Driver\alxn12du \Device\Scsi\alxn12du1Port5Path0Target3Lun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\alxn12du \Device\Scsi\alxn12du1Port5Path0Target2Lun0 8A83D5C0
Device \Driver\alxn12du \Device\Scsi\alxn12du1Port5Path0Target2Lun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\alxn12du \Device\Scsi\alxn12du1Port5Path0Target0Lun0 8A83D5C0
Device \Driver\alxn12du \Device\Scsi\alxn12du1Port5Path0Target0Lun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\alxn12du \Device\Scsi\alxn12du1 8A83D5C0
Device \Driver\alxn12du \Device\Scsi\alxn12du1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\alxn12du \Device\Scsi\alxn12du1Port5Path0Target1Lun0 8A83D5C0
Device \Driver\alxn12du \Device\Scsi\alxn12du1Port5Path0Target1Lun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\Cdfs \Cdfs 8A85E7A0

---- Threads - GMER 1.0.15 ----

Thread System [4:1980]
SSDT 0x8A758448 != 0x8050131C
SSDT 00000B8A System [4.1980] ZwDeleteValueKey [0x897D15BD]
SSDT 00000B8A System [4.1980] ZwEnumerateKey [0x897D126D]
SSDT 00000B8A System [4.1980] ZwEnumerateValueKey [0x897D1379]
SSDT 00000B8A System [4.1980] ZwOpenKey [0x897D11B5]
SSDT 00000B8A System [4.1980] ZwOpenProcess [0x897D0F1F]
SSDT 00000B8A System [4.1980] ZwOpenThread [0x897D0FA7]
SSDT 00000B8A System [4.1980] ZwProtectVirtualMemory [0x897D1781]
SSDT 00000B8A System [4.1980] ZwQuerySystemInformation [0x897D0E19]
SSDT 00000B8A System [4.1980] ZwReadVirtualMemory [0x897D16B5]
SSDT 00000B8A System [4.1980] ZwSetContextThread [0x897D1152]
SSDT 00000B8A System [4.1980] ZwSetValueKey [0x897D14B9]
SSDT 00000B8A System [4.1980] ZwSuspendThread [0x897D10EF]
SSDT 00000B8A System [4.1980] ZwTerminateThread [0x897D108C]
SSDT 00000B8A System [4.1980] ZwWriteVirtualMemory [0x897D171B]

---- Threads - GMER 1.0.15 ----

Thread System [4:1984]
SSDT 0x8A758448 != 0x8050131C
SSDT 00000B8A System [4.1984] ZwDeleteValueKey [0x897D15BD]
SSDT 00000B8A System [4.1984] ZwEnumerateKey [0x897D126D]
SSDT 00000B8A System [4.1984] ZwEnumerateValueKey [0x897D1379]
SSDT 00000B8A System [4.1984] ZwOpenKey [0x897D11B5]
SSDT 00000B8A System [4.1984] ZwOpenProcess [0x897D0F1F]
SSDT 00000B8A System [4.1984] ZwOpenThread [0x897D0FA7]
SSDT 00000B8A System [4.1984] ZwProtectVirtualMemory [0x897D1781]
SSDT 00000B8A System [4.1984] ZwQuerySystemInformation [0x897D0E19]
SSDT 00000B8A System [4.1984] ZwReadVirtualMemory [0x897D16B5]
SSDT 00000B8A System [4.1984] ZwSetContextThread [0x897D1152]
SSDT 00000B8A System [4.1984] ZwSetValueKey [0x897D14B9]
SSDT 00000B8A System [4.1984] ZwSuspendThread [0x897D10EF]
SSDT 00000B8A System [4.1984] ZwTerminateThread [0x897D108C]
SSDT 00000B8A System [4.1984] ZwWriteVirtualMemory [0x897D171B]

---- Threads - GMER 1.0.15 ----

Thread System [4:1988]
SSDT 0x8A758448 != 0x8050131C
SSDT 00000B8A System [4.1988] ZwDeleteValueKey [0x897D15BD]
SSDT 00000B8A System [4.1988] ZwEnumerateKey [0x897D126D]
SSDT 00000B8A System [4.1988] ZwEnumerateValueKey [0x897D1379]
SSDT 00000B8A System [4.1988] ZwOpenKey [0x897D11B5]
SSDT 00000B8A System [4.1988] ZwOpenProcess [0x897D0F1F]
SSDT 00000B8A System [4.1988] ZwOpenThread [0x897D0FA7]
SSDT 00000B8A System [4.1988] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A System [4.1988] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A System [4.1988] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A System [4.1988] ZwSetContextThread [0x897D1152] SSDT 00000B8A System [4.1988] ZwSetValueKey [0x897D14B9] SSDT 00000B8A System [4.1988] ZwSuspendThread [0x897D10EF] SSDT 00000B8A System [4.1988] ZwTerminateThread [0x897D108C] SSDT 00000B8A System [4.1988] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread System [4:1992] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A System [4.1992] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A System [4.1992] ZwEnumerateKey [0x897D126D] SSDT 00000B8A System [4.1992] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A System [4.1992] ZwOpenKey [0x897D11B5] SSDT 00000B8A System [4.1992] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A System [4.1992] ZwOpenThread [0x897D0FA7] SSDT 00000B8A System [4.1992] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A System [4.1992] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A System [4.1992] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A System [4.1992] ZwSetContextThread [0x897D1152] SSDT 00000B8A System [4.1992] ZwSetValueKey [0x897D14B9] SSDT 00000B8A System [4.1992] ZwSuspendThread [0x897D10EF] SSDT 00000B8A System [4.1992] ZwTerminateThread [0x897D108C] SSDT 00000B8A System [4.1992] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread System [4:828] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A System [4.828] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A System [4.828] ZwEnumerateKey [0x897D126D] SSDT 00000B8A System [4.828] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A System [4.828] ZwOpenKey [0x897D11B5] SSDT 00000B8A System [4.828] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A System [4.828] ZwOpenThread [0x897D0FA7] SSDT 00000B8A System [4.828] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A System [4.828] ZwQuerySystemInformation [0x897D0E19] SSDT 
00000B8A System [4.828] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A System [4.828] ZwSetContextThread [0x897D1152] SSDT 00000B8A System [4.828] ZwSetValueKey [0x897D14B9] SSDT 00000B8A System [4.828] ZwSuspendThread [0x897D10EF] SSDT 00000B8A System [4.828] ZwTerminateThread [0x897D108C] SSDT 00000B8A System [4.828] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread System [4:1312] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A System [4.1312] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A System [4.1312] ZwEnumerateKey [0x897D126D] SSDT 00000B8A System [4.1312] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A System [4.1312] ZwOpenKey [0x897D11B5] SSDT 00000B8A System [4.1312] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A System [4.1312] ZwOpenThread [0x897D0FA7] SSDT 00000B8A System [4.1312] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A System [4.1312] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A System [4.1312] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A System [4.1312] ZwSetContextThread [0x897D1152] SSDT 00000B8A System [4.1312] ZwSetValueKey [0x897D14B9] SSDT 00000B8A System [4.1312] ZwSuspendThread [0x897D10EF] SSDT 00000B8A System [4.1312] ZwTerminateThread [0x897D108C] SSDT 00000B8A System [4.1312] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread System [4:988] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A System [4.988] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A System [4.988] ZwEnumerateKey [0x897D126D] SSDT 00000B8A System [4.988] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A System [4.988] ZwOpenKey [0x897D11B5] SSDT 00000B8A System [4.988] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A System [4.988] ZwOpenThread [0x897D0FA7] SSDT 00000B8A System [4.988] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A System [4.988] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A System [4.988] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A System [4.988] ZwSetContextThread [0x897D1152] SSDT 00000B8A System [4.988] 
ZwSetValueKey [0x897D14B9] SSDT 00000B8A System [4.988] ZwSuspendThread [0x897D10EF] SSDT 00000B8A System [4.988] ZwTerminateThread [0x897D108C] SSDT 00000B8A System [4.988] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread System [4:984] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A System [4.984] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A System [4.984] ZwEnumerateKey [0x897D126D] SSDT 00000B8A System [4.984] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A System [4.984] ZwOpenKey [0x897D11B5] SSDT 00000B8A System [4.984] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A System [4.984] ZwOpenThread [0x897D0FA7] SSDT 00000B8A System [4.984] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A System [4.984] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A System [4.984] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A System [4.984] ZwSetContextThread [0x897D1152] SSDT 00000B8A System [4.984] ZwSetValueKey [0x897D14B9] SSDT 00000B8A System [4.984] ZwSuspendThread [0x897D10EF] SSDT 00000B8A System [4.984] ZwTerminateThread [0x897D108C] SSDT 00000B8A System [4.984] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread System [4:1284] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A System [4.1284] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A System [4.1284] ZwEnumerateKey [0x897D126D] SSDT 00000B8A System [4.1284] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A System [4.1284] ZwOpenKey [0x897D11B5] SSDT 00000B8A System [4.1284] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A System [4.1284] ZwOpenThread [0x897D0FA7] SSDT 00000B8A System [4.1284] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A System [4.1284] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A System [4.1284] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A System [4.1284] ZwSetContextThread [0x897D1152] SSDT 00000B8A System [4.1284] ZwSetValueKey [0x897D14B9] SSDT 00000B8A System [4.1284] ZwSuspendThread [0x897D10EF] SSDT 00000B8A System [4.1284] ZwTerminateThread [0x897D108C] SSDT 
00000B8A System [4.1284] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread System [4:2180] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A System [4.2180] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A System [4.2180] ZwEnumerateKey [0x897D126D] SSDT 00000B8A System [4.2180] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A System [4.2180] ZwOpenKey [0x897D11B5] SSDT 00000B8A System [4.2180] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A System [4.2180] ZwOpenThread [0x897D0FA7] SSDT 00000B8A System [4.2180] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A System [4.2180] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A System [4.2180] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A System [4.2180] ZwSetContextThread [0x897D1152] SSDT 00000B8A System [4.2180] ZwSetValueKey [0x897D14B9] SSDT 00000B8A System [4.2180] ZwSuspendThread [0x897D10EF] SSDT 00000B8A System [4.2180] ZwTerminateThread [0x897D108C] SSDT 00000B8A System [4.2180] ZwWriteVirtualMemory [0x897D171B] ---- Processes - GMER 1.0.15 ---- Library \\?\globalroot\systemroot\system32\UACiswsbomawk.dll (*** hidden *** ) @ C:\windows\Explorer.EXE [420] 0x00D50000 ---- Threads - GMER 1.0.15 ---- Thread explorer.exe [420:580] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A explorer.exe [420.580] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A explorer.exe [420.580] ZwEnumerateKey [0x897D126D] SSDT 00000B8A explorer.exe [420.580] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A explorer.exe [420.580] ZwOpenKey [0x897D11B5] SSDT 00000B8A explorer.exe [420.580] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A explorer.exe [420.580] ZwOpenThread [0x897D0FA7] SSDT 00000B8A explorer.exe [420.580] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A explorer.exe [420.580] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A explorer.exe [420.580] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A explorer.exe [420.580] ZwSetContextThread [0x897D1152] SSDT 00000B8A explorer.exe [420.580] ZwSetValueKey [0x897D14B9] SSDT 00000B8A 
explorer.exe [420.580] ZwSuspendThread [0x897D10EF] SSDT 00000B8A explorer.exe [420.580] ZwTerminateThread [0x897D108C] SSDT 00000B8A explorer.exe [420.580] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread explorer.exe [420:1884] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A explorer.exe [420.1884] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A explorer.exe [420.1884] ZwEnumerateKey [0x897D126D] SSDT 00000B8A explorer.exe [420.1884] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A explorer.exe [420.1884] ZwOpenKey [0x897D11B5] SSDT 00000B8A explorer.exe [420.1884] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A explorer.exe [420.1884] ZwOpenThread [0x897D0FA7] SSDT 00000B8A explorer.exe [420.1884] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A explorer.exe [420.1884] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A explorer.exe [420.1884] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A explorer.exe [420.1884] ZwSetContextThread [0x897D1152] SSDT 00000B8A explorer.exe [420.1884] ZwSetValueKey [0x897D14B9] SSDT 00000B8A explorer.exe [420.1884] ZwSuspendThread [0x897D10EF] SSDT 00000B8A explorer.exe [420.1884] ZwTerminateThread [0x897D108C] SSDT 00000B8A explorer.exe [420.1884] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread explorer.exe [420:260] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A explorer.exe [420.260] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A explorer.exe [420.260] ZwEnumerateKey [0x897D126D] SSDT 00000B8A explorer.exe [420.260] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A explorer.exe [420.260] ZwOpenKey [0x897D11B5] SSDT 00000B8A explorer.exe [420.260] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A explorer.exe [420.260] ZwOpenThread [0x897D0FA7] SSDT 00000B8A explorer.exe [420.260] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A explorer.exe [420.260] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A explorer.exe [420.260] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A explorer.exe [420.260] ZwSetContextThread 
[0x897D1152] SSDT 00000B8A explorer.exe [420.260] ZwSetValueKey [0x897D14B9] SSDT 00000B8A explorer.exe [420.260] ZwSuspendThread [0x897D10EF] SSDT 00000B8A explorer.exe [420.260] ZwTerminateThread [0x897D108C] SSDT 00000B8A explorer.exe [420.260] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread explorer.exe [420:308] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A explorer.exe [420.308] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A explorer.exe [420.308] ZwEnumerateKey [0x897D126D] SSDT 00000B8A explorer.exe [420.308] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A explorer.exe [420.308] ZwOpenKey [0x897D11B5] SSDT 00000B8A explorer.exe [420.308] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A explorer.exe [420.308] ZwOpenThread [0x897D0FA7] SSDT 00000B8A explorer.exe [420.308] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A explorer.exe [420.308] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A explorer.exe [420.308] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A explorer.exe [420.308] ZwSetContextThread [0x897D1152] SSDT 00000B8A explorer.exe [420.308] ZwSetValueKey [0x897D14B9] SSDT 00000B8A explorer.exe [420.308] ZwSuspendThread [0x897D10EF] SSDT 00000B8A explorer.exe [420.308] ZwTerminateThread [0x897D108C] SSDT 00000B8A explorer.exe [420.308] ZwWriteVirtualMemory [0x897D171B] Library \\?\globalroot\systemroot\system32\UACiswsbomawk.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [560] 0x00F50000 ---- Threads - GMER 1.0.15 ---- Thread iexplore.exe [560:1872] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A iexplore.exe [560.1872] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A iexplore.exe [560.1872] ZwEnumerateKey [0x897D126D] SSDT 00000B8A iexplore.exe [560.1872] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A iexplore.exe [560.1872] ZwOpenKey [0x897D11B5] SSDT 00000B8A iexplore.exe [560.1872] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A iexplore.exe [560.1872] ZwOpenThread [0x897D0FA7] SSDT 00000B8A iexplore.exe [560.1872] 
ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A iexplore.exe [560.1872] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A iexplore.exe [560.1872] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A iexplore.exe [560.1872] ZwSetContextThread [0x897D1152] SSDT 00000B8A iexplore.exe [560.1872] ZwSetValueKey [0x897D14B9] SSDT 00000B8A iexplore.exe [560.1872] ZwSuspendThread [0x897D10EF] SSDT 00000B8A iexplore.exe [560.1872] ZwTerminateThread [0x897D108C] SSDT 00000B8A iexplore.exe [560.1872] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread iexplore.exe [560:1876] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A iexplore.exe [560.1876] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A iexplore.exe [560.1876] ZwEnumerateKey [0x897D126D] SSDT 00000B8A iexplore.exe [560.1876] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A iexplore.exe [560.1876] ZwOpenKey [0x897D11B5] SSDT 00000B8A iexplore.exe [560.1876] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A iexplore.exe [560.1876] ZwOpenThread [0x897D0FA7] SSDT 00000B8A iexplore.exe [560.1876] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A iexplore.exe [560.1876] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A iexplore.exe [560.1876] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A iexplore.exe [560.1876] ZwSetContextThread [0x897D1152] SSDT 00000B8A iexplore.exe [560.1876] ZwSetValueKey [0x897D14B9] SSDT 00000B8A iexplore.exe [560.1876] ZwSuspendThread [0x897D10EF] SSDT 00000B8A iexplore.exe [560.1876] ZwTerminateThread [0x897D108C] SSDT 00000B8A iexplore.exe [560.1876] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread iexplore.exe [560:1880] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A iexplore.exe [560.1880] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A iexplore.exe [560.1880] ZwEnumerateKey [0x897D126D] SSDT 00000B8A iexplore.exe [560.1880] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A iexplore.exe [560.1880] ZwOpenKey [0x897D11B5] SSDT 00000B8A iexplore.exe [560.1880] ZwOpenProcess 
[0x897D0F1F] SSDT 00000B8A iexplore.exe [560.1880] ZwOpenThread [0x897D0FA7] SSDT 00000B8A iexplore.exe [560.1880] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A iexplore.exe [560.1880] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A iexplore.exe [560.1880] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A iexplore.exe [560.1880] ZwSetContextThread [0x897D1152] SSDT 00000B8A iexplore.exe [560.1880] ZwSetValueKey [0x897D14B9] SSDT 00000B8A iexplore.exe [560.1880] ZwSuspendThread [0x897D10EF] SSDT 00000B8A iexplore.exe [560.1880] ZwTerminateThread [0x897D108C] SSDT 00000B8A iexplore.exe [560.1880] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread iexplore.exe [560:1928] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A iexplore.exe [560.1928] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A iexplore.exe [560.1928] ZwEnumerateKey [0x897D126D] SSDT 00000B8A iexplore.exe [560.1928] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A iexplore.exe [560.1928] ZwOpenKey [0x897D11B5] SSDT 00000B8A iexplore.exe [560.1928] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A iexplore.exe [560.1928] ZwOpenThread [0x897D0FA7] SSDT 00000B8A iexplore.exe [560.1928] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A iexplore.exe [560.1928] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A iexplore.exe [560.1928] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A iexplore.exe [560.1928] ZwSetContextThread [0x897D1152] SSDT 00000B8A iexplore.exe [560.1928] ZwSetValueKey [0x897D14B9] SSDT 00000B8A iexplore.exe [560.1928] ZwSuspendThread [0x897D10EF] SSDT 00000B8A iexplore.exe [560.1928] ZwTerminateThread [0x897D108C] SSDT 00000B8A iexplore.exe [560.1928] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread iexplore.exe [560:608] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A iexplore.exe [560.608] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A iexplore.exe [560.608] ZwEnumerateKey [0x897D126D] SSDT 00000B8A iexplore.exe [560.608] ZwEnumerateValueKey [0x897D1379] SSDT 
00000B8A iexplore.exe [560.608] ZwOpenKey [0x897D11B5] SSDT 00000B8A iexplore.exe [560.608] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A iexplore.exe [560.608] ZwOpenThread [0x897D0FA7] SSDT 00000B8A iexplore.exe [560.608] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A iexplore.exe [560.608] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A iexplore.exe [560.608] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A iexplore.exe [560.608] ZwSetContextThread [0x897D1152] SSDT 00000B8A iexplore.exe [560.608] ZwSetValueKey [0x897D14B9] SSDT 00000B8A iexplore.exe [560.608] ZwSuspendThread [0x897D10EF] SSDT 00000B8A iexplore.exe [560.608] ZwTerminateThread [0x897D108C] SSDT 00000B8A iexplore.exe [560.608] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread iexplore.exe [560:660] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A iexplore.exe [560.660] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A iexplore.exe [560.660] ZwEnumerateKey [0x897D126D] SSDT 00000B8A iexplore.exe [560.660] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A iexplore.exe [560.660] ZwOpenKey [0x897D11B5] SSDT 00000B8A iexplore.exe [560.660] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A iexplore.exe [560.660] ZwOpenThread [0x897D0FA7] SSDT 00000B8A iexplore.exe [560.660] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A iexplore.exe [560.660] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A iexplore.exe [560.660] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A iexplore.exe [560.660] ZwSetContextThread [0x897D1152] SSDT 00000B8A iexplore.exe [560.660] ZwSetValueKey [0x897D14B9] SSDT 00000B8A iexplore.exe [560.660] ZwSuspendThread [0x897D10EF] SSDT 00000B8A iexplore.exe [560.660] ZwTerminateThread [0x897D108C] SSDT 00000B8A iexplore.exe [560.660] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread iexplore.exe [560:1788] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A iexplore.exe [560.1788] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A iexplore.exe [560.1788] ZwEnumerateKey 
[0x897D126D] SSDT 00000B8A iexplore.exe [560.1788] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A iexplore.exe [560.1788] ZwOpenKey [0x897D11B5] SSDT 00000B8A iexplore.exe [560.1788] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A iexplore.exe [560.1788] ZwOpenThread [0x897D0FA7] SSDT 00000B8A iexplore.exe [560.1788] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A iexplore.exe [560.1788] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A iexplore.exe [560.1788] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A iexplore.exe [560.1788] ZwSetContextThread [0x897D1152] SSDT 00000B8A iexplore.exe [560.1788] ZwSetValueKey [0x897D14B9] SSDT 00000B8A iexplore.exe [560.1788] ZwSuspendThread [0x897D10EF] SSDT 00000B8A iexplore.exe [560.1788] ZwTerminateThread [0x897D108C] SSDT 00000B8A iexplore.exe [560.1788] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread iexplore.exe [560:2108] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A iexplore.exe [560.2108] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A iexplore.exe [560.2108] ZwEnumerateKey [0x897D126D] SSDT 00000B8A iexplore.exe [560.2108] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A iexplore.exe [560.2108] ZwOpenKey [0x897D11B5] SSDT 00000B8A iexplore.exe [560.2108] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A iexplore.exe [560.2108] ZwOpenThread [0x897D0FA7] SSDT 00000B8A iexplore.exe [560.2108] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A iexplore.exe [560.2108] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A iexplore.exe [560.2108] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A iexplore.exe [560.2108] ZwSetContextThread [0x897D1152] SSDT 00000B8A iexplore.exe [560.2108] ZwSetValueKey [0x897D14B9] SSDT 00000B8A iexplore.exe [560.2108] ZwSuspendThread [0x897D10EF] SSDT 00000B8A iexplore.exe [560.2108] ZwTerminateThread [0x897D108C] SSDT 00000B8A iexplore.exe [560.2108] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread iexplore.exe [560:2112] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A 
iexplore.exe [560.2112] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A iexplore.exe [560.2112] ZwEnumerateKey [0x897D126D] SSDT 00000B8A iexplore.exe [560.2112] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A iexplore.exe [560.2112] ZwOpenKey [0x897D11B5] SSDT 00000B8A iexplore.exe [560.2112] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A iexplore.exe [560.2112] ZwOpenThread [0x897D0FA7] SSDT 00000B8A iexplore.exe [560.2112] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A iexplore.exe [560.2112] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A iexplore.exe [560.2112] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A iexplore.exe [560.2112] ZwSetContextThread [0x897D1152] SSDT 00000B8A iexplore.exe [560.2112] ZwSetValueKey [0x897D14B9] SSDT 00000B8A iexplore.exe [560.2112] ZwSuspendThread [0x897D10EF] SSDT 00000B8A iexplore.exe [560.2112] ZwTerminateThread [0x897D108C] SSDT 00000B8A iexplore.exe [560.2112] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread winlogon.exe [796:1940] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A winlogon.exe [796.1940] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A winlogon.exe [796.1940] ZwEnumerateKey [0x897D126D] SSDT 00000B8A winlogon.exe [796.1940] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A winlogon.exe [796.1940] ZwOpenKey [0x897D11B5] SSDT 00000B8A winlogon.exe [796.1940] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A winlogon.exe [796.1940] ZwOpenThread [0x897D0FA7] SSDT 00000B8A winlogon.exe [796.1940] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A winlogon.exe [796.1940] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A winlogon.exe [796.1940] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A winlogon.exe [796.1940] ZwSetContextThread [0x897D1152] SSDT 00000B8A winlogon.exe [796.1940] ZwSetValueKey [0x897D14B9] SSDT 00000B8A winlogon.exe [796.1940] ZwSuspendThread [0x897D10EF] SSDT 00000B8A winlogon.exe [796.1940] ZwTerminateThread [0x897D108C] SSDT 00000B8A winlogon.exe [796.1940] ZwWriteVirtualMemory [0x897D171B] 
---- Threads - GMER 1.0.15 ---- Thread winlogon.exe [796:1944] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A winlogon.exe [796.1944] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A winlogon.exe [796.1944] ZwEnumerateKey [0x897D126D] SSDT 00000B8A winlogon.exe [796.1944] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A winlogon.exe [796.1944] ZwOpenKey [0x897D11B5] SSDT 00000B8A winlogon.exe [796.1944] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A winlogon.exe [796.1944] ZwOpenThread [0x897D0FA7] SSDT 00000B8A winlogon.exe [796.1944] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A winlogon.exe [796.1944] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A winlogon.exe [796.1944] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A winlogon.exe [796.1944] ZwSetContextThread [0x897D1152] SSDT 00000B8A winlogon.exe [796.1944] ZwSetValueKey [0x897D14B9] SSDT 00000B8A winlogon.exe [796.1944] ZwSuspendThread [0x897D10EF] SSDT 00000B8A winlogon.exe [796.1944] ZwTerminateThread [0x897D108C] SSDT 00000B8A winlogon.exe [796.1944] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread services.exe [852:1400] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A services.exe [852.1400] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A services.exe [852.1400] ZwEnumerateKey [0x897D126D] SSDT 00000B8A services.exe [852.1400] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A services.exe [852.1400] ZwOpenKey [0x897D11B5] SSDT 00000B8A services.exe [852.1400] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A services.exe [852.1400] ZwOpenThread [0x897D0FA7] SSDT 00000B8A services.exe [852.1400] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A services.exe [852.1400] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A services.exe [852.1400] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A services.exe [852.1400] ZwSetContextThread [0x897D1152] SSDT 00000B8A services.exe [852.1400] ZwSetValueKey [0x897D14B9] SSDT 00000B8A services.exe [852.1400] ZwSuspendThread [0x897D10EF] SSDT 00000B8A services.exe 
[852.1400] ZwTerminateThread [0x897D108C] SSDT 00000B8A services.exe [852.1400] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread lsass.exe [864:964] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A lsass.exe [864.964] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A lsass.exe [864.964] ZwEnumerateKey [0x897D126D] SSDT 00000B8A lsass.exe [864.964] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A lsass.exe [864.964] ZwOpenKey [0x897D11B5] SSDT 00000B8A lsass.exe [864.964] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A lsass.exe [864.964] ZwOpenThread [0x897D0FA7] SSDT 00000B8A lsass.exe [864.964] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A lsass.exe [864.964] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A lsass.exe [864.964] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A lsass.exe [864.964] ZwSetContextThread [0x897D1152] SSDT 00000B8A lsass.exe [864.964] ZwSetValueKey [0x897D14B9] SSDT 00000B8A lsass.exe [864.964] ZwSuspendThread [0x897D10EF] SSDT 00000B8A lsass.exe [864.964] ZwTerminateThread [0x897D108C] SSDT 00000B8A lsass.exe [864.964] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread lsass.exe [864:1860] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A lsass.exe [864.1860] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A lsass.exe [864.1860] ZwEnumerateKey [0x897D126D] SSDT 00000B8A lsass.exe [864.1860] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A lsass.exe [864.1860] ZwOpenKey [0x897D11B5] SSDT 00000B8A lsass.exe [864.1860] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A lsass.exe [864.1860] ZwOpenThread [0x897D0FA7] SSDT 00000B8A lsass.exe [864.1860] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A lsass.exe [864.1860] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A lsass.exe [864.1860] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A lsass.exe [864.1860] ZwSetContextThread [0x897D1152] SSDT 00000B8A lsass.exe [864.1860] ZwSetValueKey [0x897D14B9] SSDT 00000B8A lsass.exe [864.1860] ZwSuspendThread [0x897D10EF] SSDT 00000B8A 
lsass.exe [864.1860] ZwTerminateThread [0x897D108C] SSDT 00000B8A lsass.exe [864.1860] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread lsass.exe [864:1864] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A lsass.exe [864.1864] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A lsass.exe [864.1864] ZwEnumerateKey [0x897D126D] SSDT 00000B8A lsass.exe [864.1864] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A lsass.exe [864.1864] ZwOpenKey [0x897D11B5] SSDT 00000B8A lsass.exe [864.1864] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A lsass.exe [864.1864] ZwOpenThread [0x897D0FA7] SSDT 00000B8A lsass.exe [864.1864] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A lsass.exe [864.1864] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A lsass.exe [864.1864] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A lsass.exe [864.1864] ZwSetContextThread [0x897D1152] SSDT 00000B8A lsass.exe [864.1864] ZwSetValueKey [0x897D14B9] SSDT 00000B8A lsass.exe [864.1864] ZwSuspendThread [0x897D10EF] SSDT 00000B8A lsass.exe [864.1864] ZwTerminateThread [0x897D108C] SSDT 00000B8A lsass.exe [864.1864] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread lsass.exe [864:1868] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A lsass.exe [864.1868] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A lsass.exe [864.1868] ZwEnumerateKey [0x897D126D] SSDT 00000B8A lsass.exe [864.1868] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A lsass.exe [864.1868] ZwOpenKey [0x897D11B5] SSDT 00000B8A lsass.exe [864.1868] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A lsass.exe [864.1868] ZwOpenThread [0x897D0FA7] SSDT 00000B8A lsass.exe [864.1868] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A lsass.exe [864.1868] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A lsass.exe [864.1868] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A lsass.exe [864.1868] ZwSetContextThread [0x897D1152] SSDT 00000B8A lsass.exe [864.1868] ZwSetValueKey [0x897D14B9] SSDT 00000B8A lsass.exe [864.1868] ZwSuspendThread [0x897D10EF] 
SSDT 00000B8A lsass.exe [864.1868] ZwTerminateThread [0x897D108C] SSDT 00000B8A lsass.exe [864.1868] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1036:1780] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [1036.1780] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1036.1780] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1036.1780] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1036.1780] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1036.1780] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1036.1780] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1036.1780] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1036.1780] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1036.1780] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1036.1780] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1036.1780] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1036.1780] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1036.1780] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1036.1780] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1036:1924] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [1036.1924] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1036.1924] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1036.1924] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1036.1924] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1036.1924] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1036.1924] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1036.1924] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1036.1924] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1036.1924] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1036.1924] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe 
[1036.1924] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1036.1924] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1036.1924] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1036.1924] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1036:244] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [1036.244] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1036.244] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1036.244] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1036.244] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1036.244] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1036.244] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1036.244] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1036.244] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1036.244] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1036.244] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1036.244] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1036.244] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1036.244] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1036.244] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread alg.exe [1140:1116] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A alg.exe [1140.1116] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A alg.exe [1140.1116] ZwEnumerateKey [0x897D126D] SSDT 00000B8A alg.exe [1140.1116] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A alg.exe [1140.1116] ZwOpenKey [0x897D11B5] SSDT 00000B8A alg.exe [1140.1116] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A alg.exe [1140.1116] ZwOpenThread [0x897D0FA7] SSDT 00000B8A alg.exe [1140.1116] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A alg.exe [1140.1116] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A alg.exe [1140.1116] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A alg.exe [1140.1116] 
ZwSetContextThread [0x897D1152] SSDT 00000B8A alg.exe [1140.1116] ZwSetValueKey [0x897D14B9] SSDT 00000B8A alg.exe [1140.1116] ZwSuspendThread [0x897D10EF] SSDT 00000B8A alg.exe [1140.1116] ZwTerminateThread [0x897D108C] SSDT 00000B8A alg.exe [1140.1116] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread alg.exe [1140:1896] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A alg.exe [1140.1896] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A alg.exe [1140.1896] ZwEnumerateKey [0x897D126D] SSDT 00000B8A alg.exe [1140.1896] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A alg.exe [1140.1896] ZwOpenKey [0x897D11B5] SSDT 00000B8A alg.exe [1140.1896] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A alg.exe [1140.1896] ZwOpenThread [0x897D0FA7] SSDT 00000B8A alg.exe [1140.1896] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A alg.exe [1140.1896] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A alg.exe [1140.1896] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A alg.exe [1140.1896] ZwSetContextThread [0x897D1152] SSDT 00000B8A alg.exe [1140.1896] ZwSetValueKey [0x897D14B9] SSDT 00000B8A alg.exe [1140.1896] ZwSuspendThread [0x897D10EF] SSDT 00000B8A alg.exe [1140.1896] ZwTerminateThread [0x897D108C] SSDT 00000B8A alg.exe [1140.1896] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread alg.exe [1140:288] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A alg.exe [1140.288] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A alg.exe [1140.288] ZwEnumerateKey [0x897D126D] SSDT 00000B8A alg.exe [1140.288] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A alg.exe [1140.288] ZwOpenKey [0x897D11B5] SSDT 00000B8A alg.exe [1140.288] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A alg.exe [1140.288] ZwOpenThread [0x897D0FA7] SSDT 00000B8A alg.exe [1140.288] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A alg.exe [1140.288] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A alg.exe [1140.288] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A alg.exe [1140.288] ZwSetContextThread 
[0x897D1152] SSDT 00000B8A alg.exe [1140.288] ZwSetValueKey [0x897D14B9] SSDT 00000B8A alg.exe [1140.288] ZwSuspendThread [0x897D10EF] SSDT 00000B8A alg.exe [1140.288] ZwTerminateThread [0x897D108C] SSDT 00000B8A alg.exe [1140.288] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread alg.exe [1140:292] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A alg.exe [1140.292] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A alg.exe [1140.292] ZwEnumerateKey [0x897D126D] SSDT 00000B8A alg.exe [1140.292] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A alg.exe [1140.292] ZwOpenKey [0x897D11B5] SSDT 00000B8A alg.exe [1140.292] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A alg.exe [1140.292] ZwOpenThread [0x897D0FA7] SSDT 00000B8A alg.exe [1140.292] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A alg.exe [1140.292] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A alg.exe [1140.292] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A alg.exe [1140.292] ZwSetContextThread [0x897D1152] SSDT 00000B8A alg.exe [1140.292] ZwSetValueKey [0x897D14B9] SSDT 00000B8A alg.exe [1140.292] ZwSuspendThread [0x897D10EF] SSDT 00000B8A alg.exe [1140.292] ZwTerminateThread [0x897D108C] SSDT 00000B8A alg.exe [1140.292] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread alg.exe [1140:188] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A alg.exe [1140.188] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A alg.exe [1140.188] ZwEnumerateKey [0x897D126D] SSDT 00000B8A alg.exe [1140.188] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A alg.exe [1140.188] ZwOpenKey [0x897D11B5] SSDT 00000B8A alg.exe [1140.188] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A alg.exe [1140.188] ZwOpenThread [0x897D0FA7] SSDT 00000B8A alg.exe [1140.188] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A alg.exe [1140.188] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A alg.exe [1140.188] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A alg.exe [1140.188] ZwSetContextThread [0x897D1152] SSDT 00000B8A alg.exe [1140.188] 
ZwSetValueKey [0x897D14B9] SSDT 00000B8A alg.exe [1140.188] ZwSuspendThread [0x897D10EF] SSDT 00000B8A alg.exe [1140.188] ZwTerminateThread [0x897D108C] SSDT 00000B8A alg.exe [1140.188] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread alg.exe [1140:300] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A alg.exe [1140.300] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A alg.exe [1140.300] ZwEnumerateKey [0x897D126D] SSDT 00000B8A alg.exe [1140.300] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A alg.exe [1140.300] ZwOpenKey [0x897D11B5] SSDT 00000B8A alg.exe [1140.300] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A alg.exe [1140.300] ZwOpenThread [0x897D0FA7] SSDT 00000B8A alg.exe [1140.300] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A alg.exe [1140.300] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A alg.exe [1140.300] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A alg.exe [1140.300] ZwSetContextThread [0x897D1152] SSDT 00000B8A alg.exe [1140.300] ZwSetValueKey [0x897D14B9] SSDT 00000B8A alg.exe [1140.300] ZwSuspendThread [0x897D10EF] SSDT 00000B8A alg.exe [1140.300] ZwTerminateThread [0x897D108C] SSDT 00000B8A alg.exe [1140.300] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread alg.exe [1140:324] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A alg.exe [1140.324] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A alg.exe [1140.324] ZwEnumerateKey [0x897D126D] SSDT 00000B8A alg.exe [1140.324] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A alg.exe [1140.324] ZwOpenKey [0x897D11B5] SSDT 00000B8A alg.exe [1140.324] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A alg.exe [1140.324] ZwOpenThread [0x897D0FA7] SSDT 00000B8A alg.exe [1140.324] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A alg.exe [1140.324] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A alg.exe [1140.324] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A alg.exe [1140.324] ZwSetContextThread [0x897D1152] SSDT 00000B8A alg.exe [1140.324] ZwSetValueKey [0x897D14B9] SSDT 00000B8A 
alg.exe [1140.324] ZwSuspendThread [0x897D10EF] SSDT 00000B8A alg.exe [1140.324] ZwTerminateThread [0x897D108C] SSDT 00000B8A alg.exe [1140.324] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread alg.exe [1140:340] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A alg.exe [1140.340] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A alg.exe [1140.340] ZwEnumerateKey [0x897D126D] SSDT 00000B8A alg.exe [1140.340] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A alg.exe [1140.340] ZwOpenKey [0x897D11B5] SSDT 00000B8A alg.exe [1140.340] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A alg.exe [1140.340] ZwOpenThread [0x897D0FA7] SSDT 00000B8A alg.exe [1140.340] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A alg.exe [1140.340] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A alg.exe [1140.340] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A alg.exe [1140.340] ZwSetContextThread [0x897D1152] SSDT 00000B8A alg.exe [1140.340] ZwSetValueKey [0x897D14B9] SSDT 00000B8A alg.exe [1140.340] ZwSuspendThread [0x897D10EF] SSDT 00000B8A alg.exe [1140.340] ZwTerminateThread [0x897D108C] SSDT 00000B8A alg.exe [1140.340] ZwWriteVirtualMemory [0x897D171B] Library \\?\globalroot\systemroot\system32\UACedyrsvskgo.dll (*** hidden *** ) @ C:\windows\system32\svchost.exe [1152] 0x10000000 Library \\?\globalroot\systemroot\system32\UACkbfnyprpfg.dll (*** hidden *** ) @ C:\windows\system32\svchost.exe [1152] 0x009E0000 Library \\?\globalroot\systemroot\system32\UACedyrsvskgo.dll (*** hidden *** ) @ C:\windows\System32\svchost.exe [1248] 0x10000000 Library \\?\globalroot\systemroot\system32\UACkbfnyprpfg.dll (*** hidden *** ) @ C:\windows\System32\svchost.exe [1248] 0x009D0000 ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1248:1608] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A svchost.exe [1248.1608] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1248.1608] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1248.1608] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A 
svchost.exe [1248.1608] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1248.1608] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1248.1608] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1248.1608] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1248.1608] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1248.1608] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1248.1608] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1248.1608] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1248.1608] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1248.1608] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1248.1608] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1248:1704] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A svchost.exe [1248.1704] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1248.1704] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1248.1704] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1248.1704] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1248.1704] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1248.1704] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1248.1704] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1248.1704] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1248.1704] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1248.1704] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1248.1704] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1248.1704] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1248.1704] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1248.1704] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1248:272] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A svchost.exe [1248.272] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1248.272] 
ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1248.272] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1248.272] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1248.272] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1248.272] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1248.272] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1248.272] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1248.272] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1248.272] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1248.272] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1248.272] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1248.272] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1248.272] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1248:1604] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A svchost.exe [1248.1604] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1248.1604] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1248.1604] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1248.1604] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1248.1604] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1248.1604] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1248.1604] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1248.1604] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1248.1604] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1248.1604] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1248.1604] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1248.1604] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1248.1604] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1248.1604] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1248:1932] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A 
svchost.exe [1248.1932] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1248.1932] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1248.1932] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1248.1932] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1248.1932] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1248.1932] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1248.1932] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1248.1932] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1248.1932] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1248.1932] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1248.1932] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1248.1932] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1248.1932] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1248.1932] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1248:1936] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [1248.1936] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1248.1936] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1248.1936] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1248.1936] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1248.1936] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1248.1936] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1248.1936] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1248.1936] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1248.1936] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1248.1936] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1248.1936] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1248.1936] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1248.1936] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1248.1936] ZwWriteVirtualMemory [0x897D171B] 
---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1248:1948] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [1248.1948] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1248.1948] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1248.1948] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1248.1948] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1248.1948] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1248.1948] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1248.1948] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1248.1948] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1248.1948] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1248.1948] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1248.1948] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1248.1948] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1248.1948] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1248.1948] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1248:1972] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A svchost.exe [1248.1972] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1248.1972] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1248.1972] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1248.1972] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1248.1972] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1248.1972] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1248.1972] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1248.1972] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1248.1972] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1248.1972] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1248.1972] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1248.1972] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe 
[1248.1972] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1248.1972] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1248:2008] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [1248.2008] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1248.2008] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1248.2008] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1248.2008] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1248.2008] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1248.2008] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1248.2008] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1248.2008] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1248.2008] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1248.2008] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1248.2008] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1248.2008] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1248.2008] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1248.2008] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1248:2012] SSDT 0x8A7578B8 != 0x8050131C SSDT 00000B8A svchost.exe [1248.2012] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1248.2012] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1248.2012] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1248.2012] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1248.2012] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1248.2012] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1248.2012] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1248.2012] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1248.2012] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1248.2012] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1248.2012] ZwSetValueKey 
[0x897D14B9] SSDT 00000B8A svchost.exe [1248.2012] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1248.2012] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1248.2012] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1248:2020] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [1248.2020] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1248.2020] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1248.2020] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1248.2020] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1248.2020] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1248.2020] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1248.2020] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1248.2020] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1248.2020] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1248.2020] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1248.2020] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1248.2020] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1248.2020] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1248.2020] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1248:2028] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [1248.2028] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1248.2028] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1248.2028] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1248.2028] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1248.2028] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1248.2028] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1248.2028] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1248.2028] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1248.2028] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A 
svchost.exe [1248.2028] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1248.2028] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1248.2028] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1248.2028] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1248.2028] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1248:916] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [1248.916] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1248.916] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1248.916] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1248.916] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1248.916] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1248.916] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1248.916] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1248.916] ZwQuerySystemInformation [0x897D0E19] SSDT 00000B8A svchost.exe [1248.916] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1248.916] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1248.916] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1248.916] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1248.916] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1248.916] ZwWriteVirtualMemory [0x897D171B] ---- Threads - GMER 1.0.15 ---- Thread svchost.exe [1248:248] SSDT 0x8A758448 != 0x8050131C SSDT 00000B8A svchost.exe [1248.248] ZwDeleteValueKey [0x897D15BD] SSDT 00000B8A svchost.exe [1248.248] ZwEnumerateKey [0x897D126D] SSDT 00000B8A svchost.exe [1248.248] ZwEnumerateValueKey [0x897D1379] SSDT 00000B8A svchost.exe [1248.248] ZwOpenKey [0x897D11B5] SSDT 00000B8A svchost.exe [1248.248] ZwOpenProcess [0x897D0F1F] SSDT 00000B8A svchost.exe [1248.248] ZwOpenThread [0x897D0FA7] SSDT 00000B8A svchost.exe [1248.248] ZwProtectVirtualMemory [0x897D1781] SSDT 00000B8A svchost.exe [1248.248] ZwQuerySystemInformation [0x897D0E19] SSDT 
00000B8A svchost.exe [1248.248] ZwReadVirtualMemory [0x897D16B5] SSDT 00000B8A svchost.exe [1248.248] ZwSetContextThread [0x897D1152] SSDT 00000B8A svchost.exe [1248.248] ZwSetValueKey [0x897D14B9] SSDT 00000B8A svchost.exe [1248.248] ZwSuspendThread [0x897D10EF] SSDT 00000B8A svchost.exe [1248.248] ZwTerminateThread [0x897D108C] SSDT 00000B8A svchost.exe [1248.248] ZwWriteVirtualMemory [0x897D171B]
  7. Ignore the first part of that last post; I did not read your instructions carefully enough. I am running a rootkit scan now and will post shortly. I am working on the GMER scan; however, my PC has taken to occasionally shutting down without warning, so I have had to start the scan from fresh just now.
  8. GMER said..to paraphrase Your system may have been changed...do you want to do a full scan. I said yes and it is doing that full scan now. I am not sure if that was correct. The scan is very large. Do you still want me to press copy and paste it into a post? DDS DDS (Ver_09-09-29.01) - NTFSx86 Run by Fong at 15:51:41.85 on 09/10/2009 Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_01 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2609 [GMT 1:00] AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning enabled* (Updated) {832E7172-E406-4bb2-8B19-6D29F2C93A98} AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated) {00000000-0000-0000-0000-000000000000} AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7} ============== Running Processes =============== C:\windows\system32\svchost -k DcomLaunch C:\windows\system32\svchost -k rpcss C:\windows\System32\svchost.exe -k netsvcs C:\windows\system32\svchost.exe -k LocalService C:\windows\system32\spoolsv.exe C:\windows\Explorer.EXE C:\Program Files\Internet Explorer\Iexplore.exe C:\windows\system32\ctfmon.exe C:\WINDOWS\system32\msiexec.exe C:\windows\system32\svchost.exe -k imgsvc C:\windows\System32\alg.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\windows\System32\svchost.exe -k HTTPFilter C:\Documents and Settings\Fong\Desktop\dds.scr C:\WINDOWS\system32\wbem\wmiprvse.exe ============== Pseudo HJT Report =============== uLocal Page = \blank.htm uStart Page = hxxp://www.google.com uSearch Page = hxxp://www.google.com uDefault_Search_URL = uSearch Bar = hxxp://www.google.com/ie uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mDefault_Search_URL = hxxp://www.google.com/ie mSearch Page = hxxp://www.google.com mStart Page = hxxp://www.google.com mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html uInternet 
Settings,ProxyOverride = *.local;<local> uInternet Settings,ProxyServer = http=localhost:7171 uSearchAssistant = hxxp://www.google.com uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/ mSearchAssistant = hxxp://www.google.com uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe, BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~1\tools\iesdpb.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE dRun: [spyware Doctor] dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,[email protected] dRun: [Monopod] c:\windows\temp\a.exe dRun: [braviax] c:\windows\system32\braviax.exe dRun: [PopRock] c:\windows\temp\a.exe uExplorerRun: [servises] c:\windows\system32\servises.exe mExplorerRun: [servises] c:\windows\system32\servises.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000 IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe IE: {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - c:\microgaming\poker\ladbrokesmpp\MPPoker.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {ECC5777A-6E88-BFCE-13CE-81F134789E8B} - c:\progra~1\easywe~1\easywebcam.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - 
c:\progra~1\spywar~1\tools\iesdpb.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - Eudora's Shell Extension SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\fong\applic~1\mozilla\firefox\profiles\32gmq8fn.default\ FF - prefs.js: browser.search.selectedEngine - Google.co.uk FF - prefs.js: browser.startup.homepage - hxxp://www.binsearch.info/ FF - plugin: c:\documents and settings\fong\local settings\application data\google\update\1.2.131.11\npGoogleOneClick5.dll FF - plugin: c:\program files\ace mega codecs pack\systems\realmedia\browser\plugins\nppl3260.dll FF - plugin: c:\program files\ace mega codecs pack\systems\realmedia\browser\plugins\nprpjplug.dll FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla 
firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-7 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-14 130424]
R0 pe3ahqjb;Dawn of Magic Environment Driver (pe3ahqjb);c:\windows\system32\drivers\pe3ahqjb.sys [2007-3-29 64896]
R0 ps6ahqjb;Dawn of Magic Synchronization Driver (ps6ahqjb);c:\windows\system32\drivers\ps6ahqjb.sys [2007-3-29 52616]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-9-7 114768]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-16 11608]
R1 ikhlayer;Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhlayer.sys [2006-8-1 50048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-7 20560]
R2 AVFilter;AVFilter;c:\windows\system32\drivers\AVFilter.sys [2009-6-14 21904]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-22 55640]
R3 AVHook;AVHook;c:\windows\system32\drivers\AVHook.sys [2009-6-14 28560]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2007-2-10 33792]
S1 lzx32;Win23 lzx files load;\??\c:\windows\system32:lzx32.sys --> c:\windows\system32:lzx32.sys [?]
S1 pe386;Win23 lzx files loader;\??\c:\windows\system32:lzx32.sys --> c:\windows\system32:lzx32.sys [?]
S2 Spoolermnmsrvc;Print Spooler Spoolermnmsrvc;c:\windows\temp\mtkrqxmehy.exe srv --> c:\windows\temp\mtkrqxmehy.exe srv [?]
S3 DCamUSBNW800;CIF USB Camera (2110);c:\windows\system32\drivers\pcam800.sys [2003-1-3 210792]
S3 ENDETECT;ENDETECT;\??\d:\release\endetect.sys --> d:\release\ENDETECT.SYS [?]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [2006-8-1 14095]
S3 mpr_freader;MPR FileReader Driver;\??\c:\program files\multi password recovery\mpr_freader.sys --> c:\program files\multi password recovery\mpr_freader.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 pae_1394;pae_1394;c:\windows\system32\drivers\pae_1394.sys [2008-6-9 123440]
S3 pae_avs;pae_avs;c:\windows\system32\drivers\pae_avs.sys [2008-6-9 51248]
S3 PCAlertDriver;PCAlertDriver;c:\program files\msi\core center\NTGLM7X.sys [2006-7-31 27136]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 TAPBIND;TAPBIND;\??\d:\release\tapbind1.sys --> d:\release\TAPBIND1.SYS [?]
S3 WN4501HLFZZ(Technology Corporation);802.11g Wireless USB Adapter(Technology Corporation);c:\windows\system32\drivers\O4501U.sys [2008-3-5 408064]
S3 XDva147;XDva147;\??\c:\windows\system32\xdva147.sys --> c:\windows\system32\XDva147.sys [?]
S4 AlerterALG;Alerter AlerterALG;c:\windows\temp\llsstudsdj.exe service --> c:\windows\temp\llsstudsdj.exe service [?]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-16 108289]
S4 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-16 185089]
S4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-9-7 138680]
S4 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-9-7 254040]
S4 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-9-7 352920]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
S4 PCTAVSvc;PC Tools AntiVirus Engine;c:\program files\pc tools antivirus\PCTAVSvc.exe [2009-6-14 826600]
S4 pr2ahqjb;Dawn of Magic Drivers Auto Removal (pr2ahqjb);c:\windows\system32\pr2ahqjb.exe svc --> c:\windows\system32\pr2ahqjb.exe svc [?]
S4 xmlprovxmlprov;Network Provisioning Service xmlprovxmlprov;c:\windows\system32\agcpanelfrenchq.exe srv --> c:\windows\system32\AgCPanelFrenchq.exe srv [?]
SUnknown rjbdive;rjbdive; [x]

=============== Created Last 30 ================

2009-10-08 18:11 233 a--s---- c:\windows\system32\1653416476.dat
2009-10-07 22:48 <DIR> --d-h--- c:\windows\PIF
2009-10-07 21:34 <DIR> --d----- c:\program files\a-squared HiJackFree
2009-10-07 21:26 <DIR> --d----- c:\program files\Advanced Spyware Remover
2009-10-07 21:22 <DIR> --d----- c:\program files\SpywareBlaster
2009-10-07 19:43 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-10-07 19:30 <DIR> --d----- c:\program files\VS Revo Group
2009-10-07 19:14 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-10-07 19:13 <DIR> --d----- c:\program files\Lavasoft
2009-10-07 19:02 <DIR> --d----- c:\program files\NoAdware
2009-09-23 21:27 59,264 ac------ c:\windows\system32\dllcache\usbaudio.sys
2009-09-23 21:27 59,264 a------- c:\windows\system32\drivers\USBAUDIO.sys
2009-09-20 14:27 0 a------- c:\windows\win32k.sys
2009-09-10 16:02 6,144 a------- c:\windows\cru629.dat
2009-09-10 16:00 191,357 a------- c:\windows\system32\wisdstr.exe

==================== Find3M ====================

2009-10-01 01:09 237,600 a------- c:\windows\system32\drivers\str.sys
2009-09-10 16:00 20,992 a--sh--- c:\windows\system32\autochk.dll
2009-09-07 21:10 44,544 a------- c:\windows\system32\lpocg.dll
2009-09-04 14:49 75,008 a------- c:\windows\system32\drivers\ndhgcng.sys
2009-09-04 14:44 19,968 a--sh--- c:\documents and settings\fong\protect.dll
2008-04-24 09:23 22,328 a------- c:\docume~1\fong\applic~1\PnkBstrK.sys
2007-05-27 14:30 557,056 a------- c:\documents and settings\fong\GoToAssist_phone__319_en.exe
2007-04-03 04:38 2,518 a------- c:\docume~1\fong\applic~1\wklnhst.dat
2004-08-03 23:56 61,952 ---shr-- c:\windows\system32\adsnwe.exe

============= FINISH: 15:53:00.75 ===============

Attach.txt
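The SERVICES / DRIVERS section above is read by eye in threads like this one; the script below is an added example (not from the thread and not part of the DDS tool) that applies the same checks mechanically to lines in that format. It assumes DDS prints `[?]` when it cannot find a service's image file and `SUnknown ... [x]` when it cannot resolve the image at all, and it uses a constructed sample built from the line shapes quoted above; `audit`, `flags_for` and the flag names are the example's own.

```python
import re

# Constructed sample in the DDS 'SERVICES / DRIVERS' line shape:
#   <Start> <name>;<display>;<image> [<date> <size>]   or   ... --> <image> [?]
SAMPLE = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-7 64160]
S1 lzx32;Win23 lzx files load;\??\c:\windows\system32:lzx32.sys --> c:\windows\system32:lzx32.sys [?]
S2 Spoolermnmsrvc;Print Spooler Spoolermnmsrvc;c:\windows\temp\mtkrqxmehy.exe srv --> c:\windows\temp\mtkrqxmehy.exe srv [?]
S3 ENDETECT;ENDETECT;\??\d:\release\endetect.sys --> d:\release\ENDETECT.SYS [?]
SUnknown rjbdive;rjbdive; [x]
"""

LINE = re.compile(r"^(?P<start>\S+) (?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")


def image_path(rest):
    """Image path DDS resolved: the part after '-->' when present, minus the
    trailing '[...]' status field and the NT object-manager prefix."""
    rest = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest)
    if "-->" in rest:
        rest = rest.split("-->", 1)[1]
    rest = rest.strip()
    return rest[4:] if rest.startswith("\\??\\") else rest


def flags_for(start, rest):
    """Heuristics a helper applies by eye; one hit is a hint, several are a pattern."""
    flags = []
    path = image_path(rest).lower()
    if start.lower() == "sunknown" or rest.rstrip().endswith("[x]"):
        flags.append("unresolved")  # DDS could not resolve the image at all
    if rest.rstrip().endswith("[?]"):
        flags.append("missing")     # no date/size: file not found where the entry points
    if ":" in path[2:]:             # colon after the drive letter = NTFS alternate data stream
        flags.append("ads")
    if "\\windows\\temp\\" in path:
        flags.append("temp")        # services should not run out of %TEMP%
    return flags


def audit(text):
    """Map service name -> flags, for every entry that raised at least one."""
    result = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            flags = flags_for(m["start"], m["rest"])
            if flags:
                result[m["name"]] = flags
    return result
```

Entries such as ENDETECT, flagged only as missing and pointing at a leftover d:\release path, are the usual false positives; entries with an ADS or temp-folder image plus a missing file are the ones worth a helper's time.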
  9. Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
Hidden driver "rjbdive" found!
DisplayName: rjbdive
ImagePath: \??\C:\windows\system32\drivers\ndhgcng.sys
Start Type: 2 (Automatic)
Hidden driver "a7of9ipd" found!
Start Type: 3 (Manual)
Rootkit scan completed.
File move operation "C:\windows\system32\logevent.dll|C:\windows\system 32\eventlog.dll" completed successfully.
Completed script processing.
*******************
Finished! Terminate.
----------------------------------------------------------------------------------------------------------------
Running from: C:\Documents and Settings\Fong\desktop\win32kdiag.exe
Log file at : C:\Documents and Settings\Fong\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\windows'...
Cannot access: C:\windows\system32\dumprep.exe
Attempting to restore permissions of : C:\windows\system32\dumprep.exe
Finished!
  10. Sorry for the delay in posting; I was in Uni all day yesterday and then a friend came back and we got quite drunk. I should be around all weekend though and will be watching this thread. Thanks for taking the time to help.
  11. Running from: C:\Documents and Settings\Fong\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Fong\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\windows'...
Cannot access: C:\windows\system32\dumprep.exe
[1] 2004-08-03 23:56:50 10752 C:\windows\system32\dllcache\dumprep.exe (Microsoft Corporation)
[1] 2004-08-03 23:56:50 10752 C:\windows\system32\dumprep.exe ()
Cannot access: C:\windows\system32\eventlog.dll
[1] 2004-08-03 23:56:44 55808 C:\windows\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2004-08-03 23:56:44 61952 C:\windows\system32\eventlog.dll ()
[2] 2004-08-03 23:56:44 55808 C:\windows\system32\logevent.dll (Microsoft Corporation)
Finished!
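What a helper looks for in a Win32kDiag listing like the one above is a protected file under system32 that no longer matches its dllcache copy. The script below is an added example (not from the thread and not part of Win32kDiag) that does that comparison over lines in the format quoted above; it assumes the parenthesised text is the company name from the file's version information, and `parse`, `compare` and the constructed sample are the example's own.

```python
import re

# Constructed sample in the Win32kDiag line shape shown above:
#   [n] <date> <time> <size> <path> (<company name from version info>)
SAMPLE = r"""
Cannot access: C:\windows\system32\dumprep.exe
[1] 2004-08-03 23:56:50 10752 C:\windows\system32\dllcache\dumprep.exe (Microsoft Corporation)
[1] 2004-08-03 23:56:50 10752 C:\windows\system32\dumprep.exe ()
Cannot access: C:\windows\system32\eventlog.dll
[1] 2004-08-03 23:56:44 55808 C:\windows\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2004-08-03 23:56:44 61952 C:\windows\system32\eventlog.dll ()
[2] 2004-08-03 23:56:44 55808 C:\windows\system32\logevent.dll (Microsoft Corporation)
"""

ENTRY = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")


def parse(text):
    """Return {lowercased path: (size, company)} for every '[n] ...' line."""
    files = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            files[m.group(3).lower()] = (int(m.group(2)), m.group(4))
    return files


def compare(text):
    """Map each non-dllcache file to its findings: an empty company field, or a
    size that differs from the dllcache copy of the same file name."""
    files = parse(text)
    findings = {}
    for path, (size, company) in files.items():
        folder, name = path.rsplit("\\", 1)
        if folder.endswith("\\dllcache"):
            continue  # the cache copies are the reference, not the subject
        issues = []
        if company == "":
            issues.append("no company name in version info")
        cache = files.get(folder + "\\dllcache\\" + name)
        if cache is not None and cache[0] != size:
            issues.append("size %d differs from dllcache copy %d" % (size, cache[0]))
        if issues:
            findings[name] = issues
    return findings
```

On the sample, eventlog.dll is the entry that stands out: it has lost its version information and is larger than the cached copy, while logevent.dll carries the cached copy's size and company name.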
  12. Ad-Aware service will not run. I have tried all the available tricks to make it work from the Ad-Aware forum; none of them work or apply in this case. The service is there, it is set to automatic, but it is not running and I get an 'Error 5: Access is Denied' when I try and start the service. HJT will not install. I have HJTInstall.exe; when I run it, 'HJTInstall.exe' appears in the processes but nothing happens. As a side note, and a probably related note, other such programs are also behaving strangely when installed. For instance I install a program that is well known for removing spyware and when I install it, it will begin to work, then shortly after it will close, and the shortcut icon will take on the appearance of a deleted file....imagine you delete a program from your program files but leave the shortcut on the desktop, the plain white box icon, that is how these icons appear. They also give me the message if I attempt to run them from the shortcut... "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I have also noticed while watching my Windows Task Manager that the process "iexplore.exe" keeps appearing and can appear multiple times. I use Mozilla and do not use Internet Explorer, so not sure if it is a Windows requirement, but thought I would mention it. Any help greatly appreciated. I am using Windows XP Pro with Service Pack 2.
  13. I have Windows XP. When I install Ad-Aware Anniversary edition it installs ok; upon restart it begins ok and I can see the AAWservice running in processes. However, after a short time the program crashes and the AAWservice disappears from the processes. I then cannot start the process again and thus cannot start Ad-Aware. I have tried the fixes listed on the front page. Uninstalling and re-installing...HJT will not install, the .exe appears in the process list...but it takes no processing power and nothing else happens. The Lavasoft service appears in the services list when I do RUN services.msc and it is slated as being automatic, but it isn't running, and when I attempt to run the service it says Error 5: Access is Denied .....I even tried starting the service manually by starting AAWservice but it would not start. Not really sure what I can do to get this program working, so if anyone has any ideas or suggestions I would appreciate the help.