Gmer Log
GMER 1.0.15.15641 -
http://www.gmer.net
Rootkit scan 2012-04-12 07:52:23
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000061 WDC_WD50 rev.12.0
Running: ssb8kw6s.exe; Driver: C:\Users\Harveydf\AppData\Local\Temp\uxlcykob.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x8B26DC0C]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x8B26DED4]
SSDT \SystemRoot\system32\drivers\TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwTerminateProcess [0x8B2CC930]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x8B26E1D0]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 209 826B498C 8 Bytes [0C, DC, 26, 8B, D4, DE, 26, ...]
.text ntkrnlpa.exe!KeSetEvent + 621 826B4DA4 4 Bytes [30, C9, 2C, 8B] {XOR CL, CL; SUB AL, 0x8b}
.text ntkrnlpa.exe!KeSetEvent + 6E5 826B4E68 4 Bytes [D0, E1, 26, 8B]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F605000, 0x3C9EA5, 0xE8000020]
? \ArcName\multi(0)disk(0)rdisk(0)partition(2)\Windows\system32\drivers\PctWfpFilter.sys The system cannot find the path specified. !
? system32\drivers\86648901.sys The system cannot find the path specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[816] ntdll.dll!NtLoadDriver 77BC48D4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[816] ntdll.dll!NtLoadDriver + 4 77BC48D8 2 Bytes [29, 71]
.text C:\Windows\system32\svchost.exe[816] ntdll.dll!NtSuspendProcess 77BC5324 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[816] ntdll.dll!NtSuspendProcess + 4 77BC5328 2 Bytes [44, 71]
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!TerminateProcess 774618EF 6 Bytes JMP 71A0000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateProcessW 77461BF3 6 Bytes JMP 7184000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateProcessA 77461C28 6 Bytes JMP 7187000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!WriteProcessMemory 77461CB8 6 Bytes JMP 719D000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!VirtualProtect 77461DC3 6 Bytes JMP 70D9000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!MoveFileW 7746A2F2 6 Bytes JMP 7030000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CopyFileExW 77470221 6 Bytes JMP 708E000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CopyFileW 774702A9 6 Bytes JMP 70A2000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!DeleteFileW 7747F54E 6 Bytes JMP 7046000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!DeleteFileA 7747F66A 6 Bytes JMP 7049000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!MoveFileExW 77481160 6 Bytes JMP 702A000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!OpenMutexA 7748348F 6 Bytes JMP 705E000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!DeviceIoControl 774850FF 6 Bytes JMP 707F000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!LoadLibraryExW + 173 774893EF 4 Bytes JMP 71AB000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!LoadLibraryW 77489400 6 Bytes JMP 7195000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateMutexA 774894D1 6 Bytes JMP 7064000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!LoadLibraryA 7748957C 6 Bytes JMP 7199000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!GetVolumeInformationW 7748D876 6 Bytes JMP 7115000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!VirtualProtectEx 7748DC52 6 Bytes JMP 712D000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!TerminateThread 774A4413 6 Bytes JMP 7142000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!LoadResource 774A6CFB 6 Bytes JMP 70AB000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!OpenProcess 774A7487 6 Bytes JMP 7027000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!GetProcAddress 774A925B 6 Bytes JMP 711B000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!WriteFile 774AABE1 6 Bytes JMP 7076000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!OpenMutexW 774AACA5 6 Bytes JMP 705B000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!VirtualAlloc 774AAF75 6 Bytes JMP 70DC000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateFileW 774AB0EB 6 Bytes JMP 70E8000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateThread 774ACB2E 6 Bytes JMP 70DF000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateRemoteThread 774ACB55 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateRemoteThread + 4 774ACB59 2 Bytes [AD, 71]
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!WideCharToMultiByte 774ACE18 6 Bytes JMP 7036000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!MultiByteToWideChar 774ACEFB 6 Bytes JMP 7058000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateFileA 774AD07F 6 Bytes JMP 70E5000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateDirectoryW 774AD386 6 Bytes JMP 7079000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateMutexW 774AD775 6 Bytes JMP 7061000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!MoveFileExA 774B112A 6 Bytes JMP 702D000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!GetVolumeInformationA 774B14B7 6 Bytes JMP 7118000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CopyFileA 774B2653 6 Bytes JMP 70A5000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateToolhelp32Snapshot 774B68C7 6 Bytes JMP 70E2000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateDirectoryA 774B7314 6 Bytes JMP 707C000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!DebugActiveProcess 774E9BC1 6 Bytes JMP 713C000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!MoveFileA 774EF7A1 6 Bytes JMP 7033000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CopyFileExA 774F1B59 6 Bytes JMP 7091000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!WinExec 774F60CF 6 Bytes JMP 714B000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!SetThreadContext 774F7E27 6 Bytes JMP 7073000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegDeleteKeyA 764E1C8C 6 Bytes JMP 7043000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!OpenSCManagerA 764E2D93 6 Bytes JMP 70D6000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegQueryValueA 764E30C8 6 Bytes JMP 70F4000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegDeleteKeyW 764E38CD 6 Bytes JMP 7040000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyExA 764E39AB 6 Bytes JMP 7112000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyA 764E3BA9 6 Bytes JMP 710C000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegSetValueExA 764E3BEC 6 Bytes JMP 70FA000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!OpenSCManagerW 764E7137 6 Bytes JMP 70D1000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyA 764E89C7 6 Bytes JMP 7106000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!AdjustTokenPrivileges 764E99CD 6 Bytes JMP 7067000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegQueryValueW 764F32D4 6 Bytes JMP 70F1000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!LookupPrivilegeValueW 764F36FF 6 Bytes JMP 706A000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyW 764F391E 6 Bytes JMP 7109000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!LookupPrivilegeValueA 764F3A0F 6 Bytes JMP 706D000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegSetValueExW 764F3D5A 6 Bytes JMP 70F7000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyExW 764F41F1 6 Bytes JMP 710F000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegQueryValueExA 764F7A9D 6 Bytes JMP 70EE000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyExA 764F7C42 6 Bytes JMP 7100000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyW 764FE2B5 6 Bytes JMP 7103000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegQueryValueExW 7650765E 6 Bytes JMP 70EB000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyExW 76507BA1 6 Bytes JMP 70FD000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!OpenProcessToken 76507DDC 6 Bytes JMP 7070000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!CreateServiceW 76509EB4 6 Bytes JMP 7124000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!LsaRemoveAccountRights 7652B569 6 Bytes JMP 71A7000A
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!CreateServiceA 765472A1 6 Bytes JMP 7127000A
.text C:\Windows\system32\svchost.exe[816] USER32.dll!RegisterRawInputDevices 777E6161 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[816] USER32.dll!RegisterRawInputDevices + 4 777E6165 2 Bytes [1D, 71]
.text C:\Windows\system32\svchost.exe[816] USER32.dll!SetWindowsHookExA 777E6322 6 Bytes JMP 718D000A
.text C:\Windows\system32\svchost.exe[816] USER32.dll!GetAsyncKeyState 777E863C 6 Bytes JMP 7136000A
.text C:\Windows\system32\svchost.exe[816] USER32.dll!SetWindowsHookExW 777E87AD 6 Bytes JMP 718A000A
.text C:\Windows\system32\svchost.exe[816] USER32.dll!SetWinEventHook 777E9F3A 6 Bytes JMP 7121000A
.text C:\Windows\system32\svchost.exe[816] USER32.dll!GetKeyboardState 777EBD7D 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[816] USER32.dll!GetKeyboardState + 4 777EBD81 2 Bytes [32, 71]
.text C:\Windows\system32\svchost.exe[816] USER32.dll!ShowWindow 777ECA10 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[816] USER32.dll!ShowWindow + 4 777ECA14 2 Bytes [AD, 70]
.text C:\Windows\system32\svchost.exe[816] USER32.dll!CreateWindowExA 777EDC2A 6 Bytes JMP 704F000A
.text C:\Windows\system32\svchost.exe[816] USER32.dll!GetWindowTextA 777EF63C 6 Bytes JMP 70C3000A
.text C:\Windows\system32\svchost.exe[816] USER32.dll!CreateWindowExW 777F1305 6 Bytes JMP 704C000A
.text C:\Windows\system32\svchost.exe[816] USER32.dll!GetWindowTextW 777F2069 6 Bytes JMP 70C0000A
.text C:\Windows\system32\svchost.exe[816] USER32.dll!GetKeyState 777F8CB1 6 Bytes JMP 7139000A
.text C:\Windows\system32\svchost.exe[816] USER32.dll!DrawTextExW 777F91CE 6 Bytes JMP 7082000A
.text C:\Windows\system32\svchost.exe[816] USER32.dll!DrawTextW 777F97D3 6 Bytes JMP 7052000A
.text C:\Windows\system32\svchost.exe[816] USER32.dll!SetWindowTextW 777F9815 6 Bytes JMP 703A000A
.text C:\Windows\system32\svchost.exe[816] USER32.dll!DrawTextA 7780558D 6 Bytes JMP 7055000A
.text C:\Windows\system32\svchost.exe[816] USER32.dll!DrawTextExA 778055C4 6 Bytes JMP 7085000A
.text C:\Windows\system32\svchost.exe[816] USER32.dll!SetWindowTextA 7780A4E6 6 Bytes JMP 703D000A
.text C:\Windows\system32\svchost.exe[816] USER32.dll!DdeConnect 77829A1F 6 Bytes JMP 7130000A
.text C:\Windows\system32\svchost.exe[816] USER32.dll!EndTask 7782AD32 6 Bytes JMP 7148000A
.text C:\Windows\system32\svchost.exe[816] SHELL32.dll!ShellExecuteW 768C9725 6 Bytes JMP 7159000A
.text C:\Windows\system32\svchost.exe[816] SHELL32.dll!Shell_NotifyIconW 76908642 6 Bytes JMP 7088000A
.text C:\Windows\system32\svchost.exe[816] SHELL32.dll!ShellExecuteExW 7691C155 6 Bytes JMP 714E000A
.text C:\Windows\system32\svchost.exe[816] SHELL32.dll!ShellExecuteEx 76ACA292 6 Bytes JMP 7151000A
.text C:\Windows\system32\svchost.exe[816] SHELL32.dll!ShellExecuteA 76ACA32D 6 Bytes JMP 717A000A
.text C:\Windows\system32\svchost.exe[816] SHELL32.dll!Shell_NotifyIcon 76ACBAED 6 Bytes JMP 708B000A
.text C:\Windows\system32\svchost.exe[1708] ntdll.dll!NtLoadDriver 77BC48D4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1708] ntdll.dll!NtLoadDriver + 4 77BC48D8 2 Bytes [5C, 71]
.text C:\Windows\system32\svchost.exe[1708] ntdll.dll!NtSuspendProcess 77BC5324 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1708] ntdll.dll!NtSuspendProcess + 4 77BC5328 2 Bytes [74, 71] {JZ 0x73}
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!TerminateProcess 774618EF 6 Bytes JMP 719F000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreateProcessW 77461BF3 6 Bytes JMP 718A000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreateProcessA 77461C28 6 Bytes JMP 718D000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!WriteProcessMemory 77461CB8 6 Bytes JMP 719C000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!VirtualProtect 77461DC3 6 Bytes JMP 710C000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!MoveFileW 7746A2F2 6 Bytes JMP 708B000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CopyFileExW 77470221 6 Bytes JMP 70EE000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CopyFileW 774702A9 6 Bytes JMP 70F4000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!DeleteFileW 7747F54E 6 Bytes JMP 70A0000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!DeleteFileA 7747F66A 6 Bytes JMP 70A3000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!MoveFileExW 77481160 6 Bytes JMP 7085000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!OpenMutexA 7748348F 6 Bytes JMP 70B8000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!DeviceIoControl 774850FF 6 Bytes JMP 70DF000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!LoadLibraryExW + 173 774893EF 4 Bytes JMP 71AB000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!LoadLibraryW 77489400 6 Bytes JMP 7196000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreateMutexA 774894D1 6 Bytes JMP 70BE000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!LoadLibraryA 7748957C 6 Bytes JMP 7199000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!GetVolumeInformationW 7748D876 6 Bytes JMP 7148000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!VirtualProtectEx 7748DC52 6 Bytes JMP 7160000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!TerminateThread 774A4413 6 Bytes JMP 7172000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!LoadResource 774A6CFB 6 Bytes JMP 70FA000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!OpenProcess 774A7487 6 Bytes JMP 7082000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!GetProcAddress 774A925B 6 Bytes JMP 714E000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!WriteFile 774AABE1 6 Bytes JMP 70D0000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!OpenMutexW 774AACA5 6 Bytes JMP 70B5000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!VirtualAlloc 774AAF75 6 Bytes JMP 710F000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreateFileW 774AB0EB 6 Bytes JMP 711B000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreateThread 774ACB2E 6 Bytes JMP 7112000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreateRemoteThread 774ACB55 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreateRemoteThread + 4 774ACB59 2 Bytes [AD, 71]
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!WideCharToMultiByte 774ACE18 6 Bytes JMP 7091000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!MultiByteToWideChar 774ACEFB 6 Bytes JMP 70B2000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreateFileA 774AD07F 6 Bytes JMP 7118000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreateDirectoryW 774AD386 6 Bytes JMP 70D3000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreateMutexW 774AD775 6 Bytes JMP 70BB000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!MoveFileExA 774B112A 6 Bytes JMP 7088000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!GetVolumeInformationA 774B14B7 6 Bytes JMP 714B000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CopyFileA 774B2653 6 Bytes JMP 70F7000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreateToolhelp32Snapshot 774B68C7 6 Bytes JMP 7115000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreateDirectoryA 774B7314 6 Bytes JMP 70D6000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!DebugActiveProcess 774E9BC1 6 Bytes JMP 716F000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!MoveFileA 774EF7A1 6 Bytes JMP 708E000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CopyFileExA 774F1B59 6 Bytes JMP 70F1000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!WinExec 774F60CF 6 Bytes JMP 717B000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!SetThreadContext 774F7E27 6 Bytes JMP 70CD000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegDeleteKeyA 764E1C8C 6 Bytes JMP 709D000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!OpenSCManagerA 764E2D93 6 Bytes JMP 7109000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegQueryValueA 764E30C8 6 Bytes JMP 7127000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegDeleteKeyW 764E38CD 6 Bytes JMP 709A000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyExA 764E39AB 6 Bytes JMP 7145000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyA 764E3BA9 6 Bytes JMP 713F000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegSetValueExA 764E3BEC 6 Bytes JMP 712D000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!OpenSCManagerW 764E7137 6 Bytes JMP 7106000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyA 764E89C7 6 Bytes JMP 7139000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!AdjustTokenPrivileges 764E99CD 6 Bytes JMP 70C1000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegQueryValueW 764F32D4 6 Bytes JMP 7124000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!LookupPrivilegeValueW 764F36FF 6 Bytes JMP 70C4000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyW 764F391E 6 Bytes JMP 713C000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!LookupPrivilegeValueA 764F3A0F 6 Bytes JMP 70C7000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegSetValueExW 764F3D5A 6 Bytes JMP 712A000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyExW 764F41F1 6 Bytes JMP 7142000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegQueryValueExA 764F7A9D 6 Bytes JMP 7121000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyExA 764F7C42 6 Bytes JMP 7133000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyW 764FE2B5 6 Bytes JMP 7136000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegQueryValueExW 7650765E 6 Bytes JMP 711E000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyExW 76507BA1 6 Bytes JMP 7130000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!OpenProcessToken 76507DDC 6 Bytes JMP 70CA000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!CreateServiceW 76509EB4 6 Bytes JMP 7157000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!LsaRemoveAccountRights 7652B569 6 Bytes JMP 71A2000A
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!CreateServiceA 765472A1 6 Bytes JMP 715A000A
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!RegisterRawInputDevices 777E6161 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!RegisterRawInputDevices + 4 777E6165 2 Bytes [50, 71]
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!SetWindowsHookExA 777E6322 6 Bytes JMP 7193000A
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!GetAsyncKeyState 777E863C 6 Bytes JMP 7169000A
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!SetWindowsHookExW 777E87AD 6 Bytes JMP 7190000A
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!SetWinEventHook 777E9F3A 6 Bytes JMP 7154000A
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!GetKeyboardState 777EBD7D 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!GetKeyboardState + 4 777EBD81 2 Bytes [65, 71]
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!ShowWindow 777ECA10 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!ShowWindow + 4 777ECA14 2 Bytes [FC, 70]
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!CreateWindowExA 777EDC2A 6 Bytes JMP 70A9000A
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!GetWindowTextA 777EF63C 6 Bytes JMP 7103000A
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!CreateWindowExW 777F1305 6 Bytes JMP 70A6000A
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!GetWindowTextW 777F2069 6 Bytes JMP 7100000A
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!GetKeyState 777F8CB1 6 Bytes JMP 716C000A
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!DrawTextExW 777F91CE 6 Bytes JMP 70E2000A
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!DrawTextW 777F97D3 6 Bytes JMP 70AC000A
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!SetWindowTextW 777F9815 6 Bytes JMP 7094000A
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!DrawTextA 7780558D 6 Bytes JMP 70AF000A
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!DrawTextExA 778055C4 6 Bytes JMP 70E5000A
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!SetWindowTextA 7780A4E6 6 Bytes JMP 7097000A
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!DdeConnect 77829A1F 6 Bytes JMP 7163000A
.text C:\Windows\system32\svchost.exe[1708] USER32.dll!EndTask 7782AD32 6 Bytes JMP 7178000A
.text C:\Windows\system32\svchost.exe[1708] WININET.dll!InternetOpenUrlA 7756E296 6 Bytes JMP 70DC000A
.text C:\Windows\system32\svchost.exe[1708] WININET.dll!InternetOpenUrlW 775CD9BA 6 Bytes JMP 70D9000A
.text C:\Windows\system32\svchost.exe[1708] shell32.dll!ShellExecuteW 768C9725 6 Bytes JMP 7184000A
.text C:\Windows\system32\svchost.exe[1708] shell32.dll!Shell_NotifyIconW 76908642 6 Bytes JMP 70E8000A
.text C:\Windows\system32\svchost.exe[1708] shell32.dll!ShellExecuteExW 7691C155 6 Bytes JMP 717E000A
.text C:\Windows\system32\svchost.exe[1708] shell32.dll!ShellExecuteEx 76ACA292 6 Bytes JMP 7181000A
.text C:\Windows\system32\svchost.exe[1708] shell32.dll!ShellExecuteA 76ACA32D 6 Bytes JMP 7187000A
.text C:\Windows\system32\svchost.exe[1708] shell32.dll!Shell_NotifyIcon 76ACBAED 6 Bytes JMP 70EB000A
.text C:\Program Files\PC Tools\PC Tools Security\pctsSvc.exe[2500] kernel32.dll!CreateThread + 1A 774ACB48 4 Bytes CALL 0044C4B9 C:\Program Files\PC Tools\PC Tools Security\pctsSvc.exe (PC Tools Security Component/PC Tools)
.text C:\Program Files\PC Tools\PC Tools Security\TFEngine\TFService.exe[3224] kernel32.dll!LoadLibraryExW 7748927C 6 Bytes JMP 71A30F5A
.text C:\Program Files\PC Tools\PC Tools Security\TFEngine\TFService.exe[3224] kernel32.dll!LoadLibraryExW + 173 774893EF 4 Bytes JMP 03C3000A
.text C:\Program Files\PC Tools\PC Tools Security\TFEngine\TFService.exe[3224] kernel32.dll!LoadLibraryW 77489400 6 Bytes JMP 71A90F5A
.text C:\Program Files\PC Tools\PC Tools Security\TFEngine\TFService.exe[3224] kernel32.dll!LoadLibraryExA 77489554 6 Bytes JMP 71A60F5A
.text C:\Program Files\PC Tools\PC Tools Security\TFEngine\TFService.exe[3224] kernel32.dll!LoadLibraryA 7748957C 6 Bytes JMP 71AF0F5A
.text C:\Program Files\PC Tools\PC Tools Security\TFEngine\TFService.exe[3224] kernel32.dll!GetProcAddress 774A925B 6 Bytes JMP 71A00F5A
.text C:\Program Files\PC Tools\PC Tools Security\TFEngine\TFService.exe[3224] kernel32.dll!CreateRemoteThread + 175 774ACCCA 4 Bytes JMP 719D0000
.text C:\Program Files\PC Tools\PC Tools Security\pctsGui.exe[3804] kernel32.dll!CreateThread + 1A 774ACB48 4 Bytes CALL 0044CD69 C:\Program Files\PC Tools\PC Tools Security\pctsGui.exe (PC Tools Security Component/PC Tools)
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] ntdll.dll!NtLoadDriver 77BC48D4 3 Bytes [FF, 25, 1E]
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] ntdll.dll!NtLoadDriver + 4 77BC48D8 2 Bytes [65, 71]
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] ntdll.dll!NtSuspendProcess 77BC5324 3 Bytes [FF, 25, 1E]
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] ntdll.dll!NtSuspendProcess + 4 77BC5328 2 Bytes [7A, 71] {JP 0x73}
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] kernel32.dll!TerminateProcess 774618EF 6 Bytes JMP 71A5000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] kernel32.dll!CreateProcessW 77461BF3 6 Bytes JMP 7190000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] kernel32.dll!CreateProcessA 77461C28 6 Bytes JMP 7193000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] kernel32.dll!WriteProcessMemory 77461CB8 6 Bytes JMP 71A2000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] kernel32.dll!LoadLibraryExW + 173 774893EF 4 Bytes JMP 71AC000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] kernel32.dll!LoadLibraryW 77489400 6 Bytes JMP 719C000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] kernel32.dll!LoadLibraryA 7748957C 6 Bytes JMP 719F000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] kernel32.dll!TerminateThread 774A4413 6 Bytes JMP 7178000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] kernel32.dll!GetProcAddress 774A925B 6 Bytes JMP 7157000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] kernel32.dll!CreateRemoteThread 774ACB55 3 Bytes [FF, 25, 1E]
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] kernel32.dll!CreateRemoteThread + 4 774ACB59 2 Bytes [AE, 71]
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] kernel32.dll!DebugActiveProcess 774E9BC1 6 Bytes JMP 7175000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] kernel32.dll!WinExec 774F60CF 6 Bytes JMP 7181000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] ADVAPI32.dll!CreateServiceW 76509EB4 6 Bytes JMP 7160000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] ADVAPI32.dll!LsaRemoveAccountRights 7652B569 6 Bytes JMP 71A8000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] ADVAPI32.dll!CreateServiceA 765472A1 6 Bytes JMP 7163000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] USER32.dll!RegisterRawInputDevices 777E6161 3 Bytes [FF, 25, 1E]
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] USER32.dll!RegisterRawInputDevices + 4 777E6165 2 Bytes [59, 71]
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] USER32.dll!SetWindowsHookExA 777E6322 6 Bytes JMP 7199000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] USER32.dll!GetAsyncKeyState 777E863C 6 Bytes JMP 716F000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] USER32.dll!SetWindowsHookExW 777E87AD 6 Bytes JMP 7196000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] USER32.dll!SetWinEventHook 777E9F3A 6 Bytes JMP 715D000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] USER32.dll!GetKeyboardState 777EBD7D 3 Bytes [FF, 25, 1E]
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] USER32.dll!GetKeyboardState + 4 777EBD81 2 Bytes [6B, 71]
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] USER32.dll!GetKeyState 777F8CB1 6 Bytes JMP 7172000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] USER32.dll!DdeConnect 77829A1F 6 Bytes JMP 7169000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] USER32.dll!EndTask 7782AD32 6 Bytes JMP 717E000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] SHELL32.dll!ShellExecuteW 768C9725 6 Bytes JMP 718A000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] SHELL32.dll!ShellExecuteExW 7691C155 6 Bytes JMP 7184000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] SHELL32.dll!ShellExecuteEx 76ACA292 6 Bytes JMP 7187000A
.text C:\Users\Harveydf\Desktop\ssb8kw6s.exe[5280] SHELL32.dll!ShellExecuteA 76ACA32D 6 Bytes JMP 718D000A
---- User IAT/EAT - GMER 1.0.15 ----