GMER 2.1.19355 - http://www.gmer.net Rootkit scan 2014-01-26 14:19:30 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 rev. 0,00MB Running: x2g4pcv6.exe; Driver: C:\Users\Adam\AppData\Local\Temp\aftcqaow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[684] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\system32\lsass.exe[760] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\system32\winlogon.exe[856] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[328] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[400] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[496] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[820] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1668] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1820] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile 0000000076f10200 6 bytes [48, B8, C0, 2A, 0D, 02] .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile + 8 0000000076f10208 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f103d0 6 bytes [48, B8, C0, 32, 0D, 02] .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 8 0000000076f103d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076f104b0 6 bytes [48, B8, F0, 35, 0D, 02] .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076f104b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!DbgUiRemoteBreakin + 1 0000000076fb8601 11 bytes {MOV EAX, 0x20d3560; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Program Files\cFosSpeed\spd.exe[732] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\system32\Dwm.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile 0000000076f10200 6 bytes [48, B8, C0, 2A, 05, 04] .text C:\Windows\system32\Dwm.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile + 8 0000000076f10208 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f103d0 6 bytes [48, B8, C0, 32, 05, 04] .text C:\Windows\system32\Dwm.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 8 0000000076f103d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076f104b0 6 bytes [48, B8, F0, 35, 05, 04] .text C:\Windows\system32\Dwm.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076f104b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!DbgUiRemoteBreakin + 1 0000000076fb8601 11 bytes {MOV EAX, 0x4053560; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[2056] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile 0000000076f10200 6 bytes [48, B8, C0, 2A, FD, 03] .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile + 8 0000000076f10208 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f103d0 6 bytes [48, B8, C0, 32, FD, 03] .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 8 0000000076f103d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076f104b0 6 bytes [48, B8, F0, 35, FD, 03] .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076f104b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!DbgUiRemoteBreakin + 1 0000000076fb8601 11 bytes {MOV EAX, 0x3fd3560; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\Explorer.EXE[2116] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdae72d1 11 bytes {MOV EAX, 0x3fd4a60; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\svchost.exe[2376] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[3024] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[1324] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1352] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\System32\rundll32.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile 0000000076f10200 6 bytes [48, B8, C0, 2A, 0C, 02] .text C:\Windows\System32\rundll32.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile + 8 0000000076f10208 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\rundll32.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f103d0 6 bytes [48, B8, C0, 32, 0C, 02] .text C:\Windows\System32\rundll32.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 8 0000000076f103d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\rundll32.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076f104b0 6 bytes [48, B8, F0, 35, 0C, 02] .text C:\Windows\System32\rundll32.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076f104b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\rundll32.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!DbgUiRemoteBreakin + 1 0000000076fb8601 11 bytes {MOV EAX, 0x20c3560; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\rundll32.exe[1232] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Program Files\cFosSpeed\cfosspeed.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile 0000000076f10200 6 bytes [48, B8, C0, 2A, 7D, 02] .text C:\Program Files\cFosSpeed\cfosspeed.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile + 8 0000000076f10208 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\cFosSpeed\cfosspeed.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f103d0 6 bytes [48, B8, C0, 32, 7D, 02] .text C:\Program Files\cFosSpeed\cfosspeed.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 8 0000000076f103d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\cFosSpeed\cfosspeed.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076f104b0 6 bytes [48, B8, F0, 35, 7D, 02] .text C:\Program Files\cFosSpeed\cfosspeed.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076f104b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\cFosSpeed\cfosspeed.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!DbgUiRemoteBreakin + 1 0000000076fb8601 11 bytes {MOV EAX, 0x27d3560; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files\cFosSpeed\cfosspeed.exe[3252] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Program Files\cFosSpeed\cfosspeed.exe[3252] C:\Windows\system32\WS2_32.dll!send + 1 000007fefdae72d1 11 bytes {MOV EAX, 0x27d4a60; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile 0000000076f10200 6 bytes [48, B8, C0, 2A, 30, 02] .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile + 8 0000000076f10208 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f103d0 6 bytes [48, B8, C0, 32, 30, 02] .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 8 0000000076f103d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076f104b0 6 bytes [48, B8, F0, 35, 30, 02] .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 0000000076f104b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!DbgUiRemoteBreakin + 1 0000000076fb8601 11 bytes {MOV EAX, 0x2303560; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3364] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 00000000770bfd38 4 bytes [68, 80, 21, 2A] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile + 5 00000000770bfd3d 1 byte [C3] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000770c0008 4 bytes [68, B0, 26, 2A] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread + 5 00000000770c000d 1 byte [C3] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000770c0164 4 bytes [68, 70, 29, 2A] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 5 00000000770c0169 1 byte [C3] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3540] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 000000007713f50a 7 bytes [68, 10, 29, 2A, 00, C3, 7D] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3540] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000767ab0c5 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3548] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000767ab0c5 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3852] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3960] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[4044] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[5868] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[5504] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text E:\Adam\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe[4804] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000767ab0c5 1 byte [62] .text E:\Adam\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe[4804] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f71401 2 bytes JMP 7679eb26 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe[4804] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f71419 2 bytes JMP 767ab513 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe[4804] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f71431 2 bytes JMP 76828609 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe[4804] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f7144a 2 bytes CALL 76781dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text E:\Adam\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe[4804] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f714dd 2 bytes JMP 76827efe C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe[4804] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f714f5 2 bytes JMP 768280d8 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe[4804] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f7150d 2 bytes JMP 76827df4 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe[4804] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f71525 2 bytes JMP 768281c2 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe[4804] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f7153d 2 bytes JMP 7679f088 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe[4804] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f71555 2 bytes JMP 767ab885 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe[4804] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f7156d 2 bytes JMP 768286c1 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe[4804] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f71585 2 bytes JMP 76828222 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe[4804] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f7159d 2 bytes JMP 76827db8 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe[4804] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f715b5 2 bytes JMP 7679f121 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe[4804] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f715cd 2 bytes JMP 767ab29f C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe[4804] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f716b2 2 bytes JMP 76828584 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\system\rads_user_kernel.exe[4804] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f716bd 2 bytes JMP 76827d4d C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.198\deploy\LoLLauncher.exe[4120] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000767ab0c5 1 byte [62] .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.198\deploy\LoLLauncher.exe[4120] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f71401 2 bytes JMP 7679eb26 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.198\deploy\LoLLauncher.exe[4120] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f71419 2 bytes JMP 767ab513 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.198\deploy\LoLLauncher.exe[4120] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f71431 2 bytes JMP 76828609 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.198\deploy\LoLLauncher.exe[4120] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f7144a 2 bytes CALL 76781dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.198\deploy\LoLLauncher.exe[4120] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f714dd 2 bytes JMP 76827efe C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.198\deploy\LoLLauncher.exe[4120] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f714f5 2 bytes JMP 768280d8 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.198\deploy\LoLLauncher.exe[4120] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f7150d 2 bytes JMP 76827df4 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.198\deploy\LoLLauncher.exe[4120] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f71525 2 bytes JMP 768281c2 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.198\deploy\LoLLauncher.exe[4120] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f7153d 2 bytes JMP 7679f088 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.198\deploy\LoLLauncher.exe[4120] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f71555 2 bytes JMP 767ab885 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.198\deploy\LoLLauncher.exe[4120] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f7156d 2 bytes JMP 768286c1 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.198\deploy\LoLLauncher.exe[4120] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f71585 2 bytes JMP 76828222 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.198\deploy\LoLLauncher.exe[4120] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f7159d 2 bytes JMP 76827db8 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.198\deploy\LoLLauncher.exe[4120] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f715b5 2 bytes JMP 7679f121 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.198\deploy\LoLLauncher.exe[4120] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f715cd 2 bytes JMP 767ab29f C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.198\deploy\LoLLauncher.exe[4120] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f716b2 2 bytes JMP 76828584 C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.198\deploy\LoLLauncher.exe[4120] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f716bd 2 bytes JMP 76827d4d C:\Windows\syswow64\kernel32.dll .text E:\Adam\League of Legends\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.68\deploy\LolClient.exe[2400] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000767ab0c5 1 byte [62] .text C:\Windows\system32\taskhost.exe[5888] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Windows\system32\msiexec.exe[1340] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cff1bd 1 byte [62] .text C:\Users\Adam\Downloads\x2g4pcv6.exe[4840] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000767ab0c5 1 byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\msiexec.exe[ADVAPI32.dll!RegCreateKeyExW] [7fef456b6ec] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\msiexec.exe[ADVAPI32.dll!RegDeleteValueW] [7fef456bdc0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\msiexec.exe[ADVAPI32.dll!RegOpenKeyExW] [7fef456b8c8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\msiexec.exe[ADVAPI32.dll!RegSetValueExW] [7fef456bca0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\msiexec.exe[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!CopyFileW] [7fef456a37c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!DeleteFileW] [7fef456a7dc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!RegOpenKeyExW] [7fef456b8c8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!RegCreateKeyExW] [7fef456b6ec] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!RegSetValueExW] [7fef456bca0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\GDI32.dll[KERNEL32.dll!CopyFileW] [7fef456a37c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\GDI32.dll[KERNEL32.dll!DeleteFileW] [7fef456a7dc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\GDI32.dll[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\GDI32.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!SetFileSecurityW] [7fef456bea8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!RegCreateKeyExW] [7fef456b6ec] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!RegSetValueExA] [7fef456bc04] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!RegOpenKeyExW] [7fef456b8c8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!RegDeleteValueW] [7fef456bdc0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!RegDeleteKeyW] [7fef456d0cc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!RegSetValueExW] [7fef456bca0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\msi.dll[KERNEL32.dll!MoveFileExW] [7fef456a9fc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\msi.dll[KERNEL32.dll!SetFileAttributesW] [7fef456add8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\msi.dll[KERNEL32.dll!MoveFileW] [7fef456a8d8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\msi.dll[KERNEL32.dll!DeleteFileW] [7fef456a7dc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\msi.dll[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\msi.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!DeleteFileW] [7fef456a7dc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!SetFileAttributesW] [7fef456add8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!SetFileAttributesA] [7fef456ad74] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateFileA] [7fef456a4d0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\WINSPOOL.DRV[KERNEL32.dll!CopyFileW] [7fef456a37c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\WINSPOOL.DRV[KERNEL32.dll!DeleteFileW] [7fef456a7dc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\WINSPOOL.DRV[KERNEL32.dll!MoveFileExW] [7fef456a9fc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\WINSPOOL.DRV[KERNEL32.dll!SetFileAttributesW] [7fef456add8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\WINSPOOL.DRV[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\WINSPOOL.DRV[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\MPR.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!MoveFileExW] [7fef456a9fc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!MoveFileW] [7fef456a8d8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!CopyFileW] [7fef456a37c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\sfc_os.DLL[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\USERENV.dll[KERNEL32.dll!MoveFileExW] [7fef456a9fc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\USERENV.dll[KERNEL32.dll!PrivCopyFileExW] [7fef456acfc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\dwmapi.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\IMM32.DLL[KERNEL32.dll!OpenFile] [7fef456aa88] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\IMM32.DLL[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\IMM32.DLL[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\MSCTF.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_fa645303170382f6\COMCTL32.DLL[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_fa645303170382f6\COMCTL32.DLL[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\CLBCatQ.DLL[ADVAPI32.dll!RegDeleteValueW] [7fef456bdc0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\CLBCatQ.DLL[ADVAPI32.dll!RegCreateKeyExW] [7fef456b6ec] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\CLBCatQ.DLL[ADVAPI32.dll!RegSetValueExW] [7fef456bca0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\CLBCatQ.DLL[ADVAPI32.dll!RegOpenKeyExW] [7fef456b8c8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!MoveFileExW] [7fef456a9fc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!SetFileAttributesW] [7fef456add8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!MoveFileW] [7fef456a8d8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!DeleteFileW] [7fef456a7dc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!_lwrite] [7fef456ac14] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!CreateFileA] [7fef456a4d0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!DeleteFileW] [7fef456a7dc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!RegCreateKeyExA] [7fef456b5d4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!MoveFileExW] [7fef456a9fc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!RegSetValueExA] [7fef456bc04] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\srvcli.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\wkscli.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SRCLIENT.DLL[ADVAPI32.dll!RegCreateKeyExW] [7fef456b6ec] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SRCLIENT.DLL[ADVAPI32.dll!RegOpenKeyExW] [7fef456b8c8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SRCLIENT.DLL[ADVAPI32.dll!RegSetValueExW] [7fef456bca0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SPP.dll[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SPP.dll[KERNEL32.dll!DeleteFileW] [7fef456a7dc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SPP.dll[KERNEL32.dll!SetFileAttributesW] [7fef456add8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SPP.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SPP.dll[ADVAPI32.dll!RegOpenKeyExW] [7fef456b8c8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SPP.dll[ADVAPI32.dll!RegCreateKeyExW] [7fef456b6ec] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SPP.dll[ADVAPI32.dll!RegDeleteValueW] [7fef456bdc0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SPP.dll[ADVAPI32.dll!RegSetValueExW] [7fef456bca0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\VSSAPI.DLL[KERNEL32.dll!DeleteFileW] [7fef456a7dc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\VSSAPI.DLL[KERNEL32.dll!RegCreateKeyExW] [7fef456b6ec] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\VSSAPI.DLL[KERNEL32.dll!RegOpenKeyExW] [7fef456b8c8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\VSSAPI.DLL[KERNEL32.dll!RegDeleteValueW] [7fef456bdc0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\VSSAPI.DLL[KERNEL32.dll!RegSetValueExW] [7fef456bca0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\VSSAPI.DLL[KERNEL32.dll!CopyFileExW] [7fef456a458] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\ATL.DLL[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\ATL.DLL[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\VssTrace.DLL[KERNEL32.dll!RegOpenKeyExW] [7fef456b8c8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\dsrole.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\System32\ES.DLL[KERNEL32.dll!DeleteFileW] [7fef456a7dc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\System32\ES.DLL[KERNEL32.dll!SetFileAttributesW] [7fef456add8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\System32\ES.DLL[KERNEL32.dll!RegDeleteValueW] [7fef456bdc0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\System32\ES.DLL[KERNEL32.dll!RegSetValueExW] [7fef456bca0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!RegDeleteValueA] [7fef456bd3c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!RegSetValueExA] [7fef456bc04] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!DeleteFileW] [7fef456a7dc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!RegOpenKeyExA] [7fef456b804] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!RegDeleteValueW] [7fef456bdc0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!RegSetValueExW] [7fef456bca0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SAMLIB.dll[KERNEL32.dll!RegSetValueExA] [7fef456bc04] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SAMLIB.dll[KERNEL32.dll!RegCreateKeyExA] [7fef456b5d4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SAMLIB.dll[KERNEL32.dll!RegOpenKeyExA] [7fef456b804] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\VERSION.DLL[KERNEL32.dll!_lcreat] [7fef456ab98] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\VERSION.DLL[KERNEL32.dll!_lopen] [7fef456ab1c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\VERSION.DLL[KERNEL32.dll!_lwrite] [7fef456ac14] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\VERSION.DLL[KERNEL32.dll!DeleteFileA] [7fef456a778] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\VERSION.DLL[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\VERSION.DLL[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\VERSION.DLL[KERNEL32.dll!DeleteFileW] [7fef456a7dc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\VERSION.DLL[KERNEL32.dll!MoveFileW] [7fef456a8d8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\ncrypt.dll[KERNEL32.dll!DeleteFileW] [7fef456a7dc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\ncrypt.dll[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\ncrypt.dll[KERNEL32.dll!MoveFileExW] [7fef456a9fc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\bcrypt.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\ntmarta.dll[ADVAPI32.dll!RegSetValueExW] [7fef456bca0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\ntmarta.dll[ADVAPI32.dll!RegCreateKeyExW] [7fef456b6ec] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\ntmarta.dll[ADVAPI32.dll!RegOpenKeyExW] [7fef456b8c8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\ntmarta.dll[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\ntmarta.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\WLDAP32.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!MoveFileExW] [7fef456a9fc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!CopyFileW] [7fef456a37c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!CreateFileA] [7fef456a4d0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!RegSetValueExW] [7fef456bca0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!RegDeleteValueW] [7fef456bdc0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!RegCreateKeyExW] [7fef456b6ec] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!RegOpenKeyExW] [7fef456b8c8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!MoveFileW] [7fef456a8d8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!DeleteFileW] [7fef456a7dc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!SetFileAttributesW] [7fef456add8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!CreateFileW] [7fef456a624] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\CFGMGR32.dll[ADVAPI32.dll!RegCreateKeyExW] [7fef456b6ec] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\CFGMGR32.dll[ADVAPI32.dll!RegOpenKeyExW] [7fef456b8c8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\CFGMGR32.dll[ADVAPI32.dll!RegSetValueExW] [7fef456bca0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\CFGMGR32.dll[ADVAPI32.dll!RegDeleteValueW] [7fef456bdc0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\CFGMGR32.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\DEVRTL.dll[KERNEL32.dll!MoveFileW] [7fef456a8d8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\DEVRTL.dll[KERNEL32.dll!MoveFileExW] [7fef456a9fc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[1340] @ C:\Windows\system32\LINKINFO.dll[KERNEL32.dll!GetProcAddress] [7fefccfa7d0] C:\Windows\system32\apphelp.dll ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\taskhost.exe [1512:4424] 00000000020d0000 Thread C:\Windows\system32\taskhost.exe [1512:4428] 00000000020db640 Thread C:\Windows\system32\taskhost.exe [1512:4432] 00000000020da760 Thread C:\Windows\system32\taskhost.exe [1512:4436] 00000000020d7db0 Thread C:\Windows\system32\taskhost.exe [1512:4440] 00000000020d7ba0 Thread C:\Windows\system32\taskhost.exe [1512:4444] 00000000020da710 Thread C:\Windows\system32\Dwm.exe [2056:4452] 0000000003a70000 Thread C:\Windows\system32\Dwm.exe [2056:4484] 000000000405b640 Thread C:\Windows\system32\Dwm.exe [2056:4520] 000000000405a760 Thread C:\Windows\system32\Dwm.exe [2056:4552] 0000000004057db0 Thread C:\Windows\system32\Dwm.exe [2056:4556] 0000000004057ba0 Thread C:\Windows\system32\Dwm.exe [2056:4560] 000000000405a710 Thread C:\Windows\Explorer.EXE [2116:4456] 0000000003f00000 Thread C:\Windows\Explorer.EXE [2116:4488] 0000000003fdb640 Thread C:\Windows\System32\rundll32.exe [1232:4460] 0000000000380000 Thread C:\Windows\System32\rundll32.exe [1232:4492] 00000000020cb640 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D82A9C0D-4905-45E9-BB6D-A0D97FB26913}\mpengine.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [1324] (Microsoft Malware Protection Engine/Microsoft Corporation)(2013-12-22 12:59:39) 000007fef5160000 Library C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe (*** suspicious ***) @ C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe [5504] 0000000140000000 Library C:\Program Files\Enigma Software Group\SpyHunter\ExecutionGuard.dll (*** suspicious ***) @ C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe [5504] 0000000180000000 Library C:\Program Files\Enigma Software Group\SpyHunter\ShScanner.dll (*** suspicious ***) @ C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe [5504] 000007fee4640000 Library C:\Program Files\Enigma Software Group\SpyHunter\Defman.dll (*** suspicious ***) @ C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe [5504] 000007feea290000 Library C:\Program Files\Enigma Software Group\SpyHunter\Common.dll (*** suspicious ***) @ C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe [5504] 0000000000320000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 sector 0: rootkit-like behavior ---- EOF - GMER 2.1 ----