GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-10-28 19:19:13 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Scsi\viamraid1Port2Path0Target0Lun0 HDS72808 rev.PF2O 76,69GB Running: gmer.exe; Driver: C:\DOCUME~1\GRAVE70\USTAWI~1\Temp\kfroqpob.sys ---- System - GMER 2.1 ---- SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwAllocateVirtualMemory [0xB385742C] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwAssignProcessToJobObject [0xB3856928] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwClose [0xB36C050E] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwConnectPort [0xB385564C] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwCreateFile [0xB379F9D8] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwCreateKey [0xB36C0914] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreatePort [0xB385546A] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreateProcess [0xB3856EE8] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreateProcessEx [0xB3853978] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwCreateSection [0xB36C82D5] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwCreateSymbolicLinkObject [0xB379FDB6] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwCreateThread [0xB37A00FE] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwDebugActiveProcess [0xB36C7BA8] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwDeleteKey [0xB37A0472] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwDeleteValueKey [0xB37A0540] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwDeviceIoControlFile [0xB37A068C] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwDuplicateObject [0xB385532C] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwEnumerateKey [0xB36D9327] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwEnumerateValueKey [0xB36D8232] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwFreeVirtualMemory [0xB36C7DDB] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwFsControlFile [0xB36CF603] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwInitiatePowerAction [0xB36CD62F] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwLoadDriver [0xB37A2062] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwMapViewOfSection [0xB37A2480] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwOpenFile [0xB37A2798] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwOpenKey [0xB37A2962] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwOpenProcess [0xB37A2974] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwOpenSection [0xB36CC5D7] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwOpenThread [0xB37A303E] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwProtectVirtualMemory [0xB37A30D2] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwQueryKey [0xB36D8886] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwQueryValueKey [0xB36C02A6] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwQueueApcThread [0xB37A30E4] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwRaiseHardError [0xB36CD668] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwRenameKey [0xB36C0C8D] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwRequestPort [0xB3855CB0] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwRequestWaitReplyPort [0xB36CE307] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwRestoreKey [0xB36C054D] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwResumeThread [0xB38550CE] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwSecureConnectPort [0xB37A33E6] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwSetContextThread [0xB37A3452] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwSetSystemInformation [0xB37A378A] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwSetSystemPowerState [0xB36CD5F6] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwSetSystemTime [0xB36CD5B3] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwSetValueKey [0xB37A37F4] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwShutdownSystem [0xB36CCA6F] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwSuspendProcess [0xB36C7516] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwSuspendThread [0xB36C6ED4] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwSystemDebugControl [0xB36CCA9E] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwTerminateJobObject [0xB36C732C] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwTerminateProcess [0xB37A3BC6] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwTerminateThread [0xB36C7554] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwTestAlert [0xB36C8070] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwUnloadDriver [0xB3856518] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwUnmapViewOfSection [0xB36C7D80] SSDT \??\C:\WINDOWS\system32\drivers\kisknl.sys ZwWriteFile [0xB36CDE05] SSDT \??\C:\WINDOWS\system32\drivers\AntiLog32.sys ZwWriteVirtualMemory [0xB37A5CBA] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 24DC 80501D38 12 Bytes CALL F903A2AB .text ntkrnlpa.exe!ZwCallbackReturn + 27E4 80502040 12 Bytes [8A, 37, 7A, B3, F6, D5, 6C, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2818 80502074 28 Bytes [16, 75, 6C, B3, D4, 6E, 6C, ...] .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF52CD360, 0x37399D, 0xE8000020] init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF51D3F80] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\Explorer.EXE[332] ntdll.dll!NtAcceptConnectPort 7C90CE5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[332] ntdll.dll!NtAcceptConnectPort + 4 7C90CE62 2 Bytes [67, 71] .text C:\WINDOWS\Explorer.EXE[332] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[332] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [6A, 71] {PUSH 0x71} .text C:\WINDOWS\Explorer.EXE[332] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\Explorer.EXE[332] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 7171000A .text C:\WINDOWS\Explorer.EXE[332] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 02A15840 C:\program files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\WINDOWS\Explorer.EXE[332] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A8000A .text C:\WINDOWS\Explorer.EXE[332] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 716E000A .text C:\WINDOWS\Explorer.EXE[332] kernel32.dll!CreateProcessInternalW 7C819EA8 5 Bytes JMP 02A140E0 C:\program files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\WINDOWS\Explorer.EXE[332] kernel32.dll!CreateProcessInternalA 7C81DC46 5 Bytes JMP 02A144E0 C:\program files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\WINDOWS\Explorer.EXE[332] kernel32.dll!CopyFileExW 7C82925A 7 Bytes JMP 02A42B80 C:\program files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\WINDOWS\Explorer.EXE[332] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 5 Bytes JMP 02A153F0 C:\program files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\WINDOWS\Explorer.EXE[332] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 5 Bytes JMP 02A15030 C:\program files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\WINDOWS\Explorer.EXE[332] ADVAPI32.dll!RegSetValueExA 77DCEAE7 7 Bytes JMP 02A16FA0 C:\program files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\WINDOWS\Explorer.EXE[332] ADVAPI32.dll!InitiateSystemShutdownW 77E24C51 6 Bytes JMP 7198000A .text C:\WINDOWS\Explorer.EXE[332] ADVAPI32.dll!InitiateSystemShutdownExW 77E24CE5 6 Bytes JMP 7192000A .text C:\WINDOWS\Explorer.EXE[332] ADVAPI32.dll!InitiateSystemShutdownA 77E24D7F 6 Bytes JMP 719B000A .text C:\WINDOWS\Explorer.EXE[332] ADVAPI32.dll!InitiateSystemShutdownExA 77E24E1A 6 Bytes JMP 7195000A .text C:\WINDOWS\Explorer.EXE[332] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 718C000A .text C:\WINDOWS\Explorer.EXE[332] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7189000A .text C:\WINDOWS\Explorer.EXE[332] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717A000A .text C:\WINDOWS\Explorer.EXE[332] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 7177000A .text C:\WINDOWS\Explorer.EXE[332] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7180000A .text C:\WINDOWS\Explorer.EXE[332] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 717D000A .text C:\WINDOWS\Explorer.EXE[332] USER32.dll!RegisterHotKey 7E36EBB3 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[332] USER32.dll!RegisterHotKey + 4 7E36EBB7 2 Bytes [82, 71] .text C:\WINDOWS\Explorer.EXE[332] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 00F91040 C:\Program Files\Stardock\CursorFX\CurXP0.dll .text C:\WINDOWS\Explorer.EXE[332] USER32.dll!DrawIconEx 7E37CB84 5 Bytes JMP 00F911E0 C:\Program Files\Stardock\CursorFX\CurXP0.dll .text C:\WINDOWS\Explorer.EXE[332] USER32.dll!GetIconInfo 7E37D427 5 Bytes JMP 00F91120 C:\Program Files\Stardock\CursorFX\CurXP0.dll .text C:\WINDOWS\Explorer.EXE[332] USER32.dll!ExitWindowsEx 7E3AA275 6 Bytes JMP 719E000A .text C:\WINDOWS\Explorer.EXE[332] USER32.dll!DdeClientTransaction 7E3BA6A2 6 Bytes JMP 7186000A .text C:\WINDOWS\Explorer.EXE[332] SHLWAPI.dll!SHRegGetUSValueW 77F68D02 5 Bytes JMP 02A14E90 C:\program files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\WINDOWS\Explorer.EXE[332] NETAPI32.dll!NetScheduleJobAdd 6FF78725 6 Bytes JMP 7174000A .text C:\WINDOWS\Explorer.EXE[332] SHELL32.dll!StrStrW 7C9CFA5C 4 Bytes [04, 00, D3, 01] {ADD AL, 0x0; ROL [ECX], CL} .text C:\WINDOWS\Explorer.EXE[332] SHELL32.dll!ShellExecuteExW 7CA01E1B 5 Bytes JMP 02A13F80 C:\program files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\WINDOWS\Explorer.EXE[332] WS2_32.dll!socket 71A54211 6 Bytes JMP 71AF000A .text C:\WINDOWS\Explorer.EXE[332] IPHLPAPI.DLL!IcmpSendEcho2 76D5B73C 6 Bytes JMP 718F000A .text C:\Program Files\Online Armor\oasrv.exe[1068] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Online Armor\oasrv.exe[1068] user32.dll!LoadStringW 7E369E36 6 Bytes JMP 71A8000A .text C:\Program Files\Online Armor\oasrv.exe[1068] user32.dll!LoadStringA 7E37C908 6 Bytes JMP 71AF000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] ntdll.dll!NtAcceptConnectPort 7C90CE5E 3 Bytes [FF, 25, 1E] .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] ntdll.dll!NtAcceptConnectPort + 4 7C90CE62 2 Bytes [67, 71] .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E] .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [6A, 71] {PUSH 0x71} .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 7171000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A1000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A8000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 716E000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] ADVAPI32.dll!InitiateSystemShutdownW 77E24C51 6 Bytes JMP 7198000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] ADVAPI32.dll!InitiateSystemShutdownExW 77E24CE5 6 Bytes JMP 7192000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] ADVAPI32.dll!InitiateSystemShutdownA 77E24D7F 6 Bytes JMP 719B000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] ADVAPI32.dll!InitiateSystemShutdownExA 77E24E1A 6 Bytes JMP 7195000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 718C000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7189000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717A000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 7177000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7180000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 717D000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] USER32.dll!RegisterHotKey 7E36EBB3 3 Bytes [FF, 25, 1E] .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] USER32.dll!RegisterHotKey + 4 7E36EBB7 2 Bytes [82, 71] .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] USER32.dll!ExitWindowsEx 7E3AA275 6 Bytes JMP 719E000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] USER32.dll!DdeClientTransaction 7E3BA6A2 6 Bytes JMP 7186000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] WS2_32.dll!socket 71A54211 6 Bytes JMP 71AF000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] NETAPI32.dll!NetScheduleJobAdd 6FF78725 6 Bytes JMP 7174000A .text G:\INSTALATORY\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe[1208] IPHLPAPI.DLL!IcmpSendEcho2 76D5B73C 6 Bytes JMP 718F000A .text C:\Program Files\Online Armor\OAui.exe[2120] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\Program Files\Online Armor\OAui.exe[2120] USER32.dll!LoadStringW 7E369E36 6 Bytes JMP 71A2000A .text C:\Program Files\Online Armor\OAui.exe[2120] USER32.dll!LoadStringA 7E37C908 6 Bytes JMP 71AF000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] ntdll.dll!NtAcceptConnectPort 7C90CE5E 3 Bytes [FF, 25, 1E] .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] ntdll.dll!NtAcceptConnectPort + 4 7C90CE62 2 Bytes [67, 71] .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E] .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [6A, 71] {PUSH 0x71} .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 7171000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A1000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A8000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 716E000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] USER32.dll!RegisterHotKey 7E36EBB3 3 Bytes [FF, 25, 1E] .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] USER32.dll!RegisterHotKey + 4 7E36EBB7 2 Bytes [82, 71] .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] USER32.dll!ExitWindowsEx 7E3AA275 6 Bytes JMP 719E000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] USER32.dll!DdeClientTransaction 7E3BA6A2 6 Bytes JMP 7186000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717A000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 7177000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7180000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 717D000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] ADVAPI32.dll!InitiateSystemShutdownW 77E24C51 6 Bytes JMP 7198000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] ADVAPI32.dll!InitiateSystemShutdownExW 77E24CE5 6 Bytes JMP 7192000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] ADVAPI32.dll!InitiateSystemShutdownA 77E24D7F 6 Bytes JMP 719B000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] ADVAPI32.dll!InitiateSystemShutdownExA 77E24E1A 6 Bytes JMP 7195000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 718C000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7189000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] SHELL32.dll!ShellExecuteW 7CAB614D 5 Bytes JMP 00408C04 C:\program files\kingsoft\kingsoft antivirus\kxetray.exe .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] WS2_32.dll!sendto 71A52F51 6 Bytes JMP 7159000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] WS2_32.dll!select 71A530A8 6 Bytes JMP 7156000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] WS2_32.dll!closesocket 71A53E2B 6 Bytes JMP 7165000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] WS2_32.dll!ioctlsocket 71A53F50 6 Bytes JMP 7153000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] WS2_32.dll!socket 71A54211 6 Bytes JMP 71AF000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] WS2_32.dll!connect 71A54A07 6 Bytes JMP 7162000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] WS2_32.dll!send 71A54C27 6 Bytes JMP 715C000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] WS2_32.dll!WSARecv 71A54CB5 6 Bytes JMP 7147000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] WS2_32.dll!recv 71A5676F 6 Bytes JMP 714B000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] WS2_32.dll!WSASend 71A568FA 6 Bytes JMP 7144000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] WS2_32.dll!WSAAsyncSelect 71A60991 6 Bytes JMP 7150000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] WS2_32.dll!WSAGetOverlappedResult 71A60D1B 6 Bytes JMP 713E000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] NETAPI32.dll!NetScheduleJobAdd 6FF78725 6 Bytes JMP 7174000A .text C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[2220] IPHLPAPI.DLL!IcmpSendEcho2 76D5B73C 6 Bytes JMP 718F000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [58, 71] .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 2 Bytes [52, 71] .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [4C, 71] .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7156000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 715F000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 7150000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A1000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A8000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 715C000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] USER32.dll!RegisterHotKey 7E36EBB3 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] USER32.dll!RegisterHotKey + 4 7E36EBB7 2 Bytes [79, 71] {JNS 0x73} .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] USER32.dll!ExitWindowsEx 7E3AA275 6 Bytes JMP 719E000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] USER32.dll!DdeClientTransaction 7E3BA6A2 6 Bytes JMP 717D000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7171000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 716E000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7177000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7174000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] ADVAPI32.dll!InitiateSystemShutdownW 77E24C51 6 Bytes JMP 7198000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] ADVAPI32.dll!InitiateSystemShutdownExW 77E24CE5 6 Bytes JMP 7192000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] ADVAPI32.dll!InitiateSystemShutdownA 77E24D7F 6 Bytes JMP 719B000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] ADVAPI32.dll!InitiateSystemShutdownExA 77E24E1A 6 Bytes JMP 7195000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7183000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7180000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] ole32.dll!CoCreateInstanceEx 774EF164 6 Bytes JMP 7189000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] ole32.dll!CoCreateInstance 774EF1BC 6 Bytes JMP 718C000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] ole32.dll!CoGetClassObject 77505205 6 Bytes JMP 7186000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] WS2_32.dll!socket 71A54211 6 Bytes JMP 71AF000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] NETAPI32.dll!NetScheduleJobAdd 6FF78725 6 Bytes JMP 7162000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[2368] IPHLPAPI.DLL!IcmpSendEcho2 76D5B73C 6 Bytes JMP 718F000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [61, 71] .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 2 Bytes [5B, 71] .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [55, 71] .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 715F000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 7168000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 7159000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A1000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A8000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7165000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] ADVAPI32.dll!InitiateSystemShutdownW 77E24C51 6 Bytes JMP 7198000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] ADVAPI32.dll!InitiateSystemShutdownExW 77E24CE5 6 Bytes JMP 7192000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] ADVAPI32.dll!InitiateSystemShutdownA 77E24D7F 6 Bytes JMP 719B000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] ADVAPI32.dll!InitiateSystemShutdownExA 77E24E1A 6 Bytes JMP 7195000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7183000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7180000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7171000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 716E000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7177000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7174000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] USER32.dll!RegisterHotKey 7E36EBB3 3 Bytes [FF, 25, 1E] .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] USER32.dll!RegisterHotKey + 4 7E36EBB7 2 Bytes [79, 71] {JNS 0x73} .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] USER32.dll!ExitWindowsEx 7E3AA275 6 Bytes JMP 719E000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] USER32.dll!DdeClientTransaction 7E3BA6A2 6 Bytes JMP 717D000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] ole32.dll!CoCreateInstanceEx 774EF164 6 Bytes JMP 7189000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] ole32.dll!CoCreateInstance 774EF1BC 6 Bytes JMP 718C000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] ole32.dll!CoGetClassObject 77505205 6 Bytes JMP 7186000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] WS2_32.dll!socket 71A54211 6 Bytes JMP 71AF000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] NETAPI32.dll!NetScheduleJobAdd 6FF78725 6 Bytes JMP 716B000A .text C:\Program Files\Stardock\CursorFX\CursorFX.exe[2860] IPHLPAPI.DLL!IcmpSendEcho2 76D5B73C 6 Bytes JMP 718F000A .text C:\Program Files\Online Armor\OAhlp.exe[3272] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Online Armor\OAhlp.exe[3272] USER32.dll!LoadStringW 7E369E36 6 Bytes JMP 71A8000A .text C:\Program Files\Online Armor\OAhlp.exe[3272] USER32.dll!LoadStringA 7E37C908 6 Bytes JMP 71AF000A .text G:\INSTALATORY\gmer\gmer.exe[3612] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E] .text G:\INSTALATORY\gmer\gmer.exe[3612] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [61, 71] .text G:\INSTALATORY\gmer\gmer.exe[3612] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes [FF, 25, 1E] .text G:\INSTALATORY\gmer\gmer.exe[3612] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 2 Bytes [5B, 71] .text G:\INSTALATORY\gmer\gmer.exe[3612] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text G:\INSTALATORY\gmer\gmer.exe[3612] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [55, 71] .text G:\INSTALATORY\gmer\gmer.exe[3612] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 715F000A .text G:\INSTALATORY\gmer\gmer.exe[3612] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text G:\INSTALATORY\gmer\gmer.exe[3612] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 7168000A .text G:\INSTALATORY\gmer\gmer.exe[3612] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 7159000A .text G:\INSTALATORY\gmer\gmer.exe[3612] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A1000A .text G:\INSTALATORY\gmer\gmer.exe[3612] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A8000A .text G:\INSTALATORY\gmer\gmer.exe[3612] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7165000A .text G:\INSTALATORY\gmer\gmer.exe[3612] user32.dll!RegisterHotKey 7E36EBB3 3 Bytes [FF, 25, 1E] .text G:\INSTALATORY\gmer\gmer.exe[3612] user32.dll!RegisterHotKey + 4 7E36EBB7 2 Bytes [79, 71] {JNS 0x73} .text G:\INSTALATORY\gmer\gmer.exe[3612] user32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 00DC1040 C:\Program Files\Stardock\CursorFX\CurXP0.dll .text G:\INSTALATORY\gmer\gmer.exe[3612] user32.dll!DrawIconEx 7E37CB84 5 Bytes JMP 00DC11E0 C:\Program Files\Stardock\CursorFX\CurXP0.dll .text G:\INSTALATORY\gmer\gmer.exe[3612] user32.dll!GetIconInfo 7E37D427 5 Bytes JMP 00DC1120 C:\Program Files\Stardock\CursorFX\CurXP0.dll .text G:\INSTALATORY\gmer\gmer.exe[3612] user32.dll!ExitWindowsEx 7E3AA275 6 Bytes JMP 719E000A .text G:\INSTALATORY\gmer\gmer.exe[3612] user32.dll!DdeClientTransaction 7E3BA6A2 6 Bytes JMP 717D000A .text G:\INSTALATORY\gmer\gmer.exe[3612] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7171000A .text G:\INSTALATORY\gmer\gmer.exe[3612] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 716E000A .text G:\INSTALATORY\gmer\gmer.exe[3612] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7177000A .text G:\INSTALATORY\gmer\gmer.exe[3612] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7174000A .text G:\INSTALATORY\gmer\gmer.exe[3612] advapi32.dll!InitiateSystemShutdownW 77E24C51 6 Bytes JMP 7198000A .text G:\INSTALATORY\gmer\gmer.exe[3612] advapi32.dll!InitiateSystemShutdownExW 77E24CE5 6 Bytes JMP 7192000A .text G:\INSTALATORY\gmer\gmer.exe[3612] advapi32.dll!InitiateSystemShutdownA 77E24D7F 6 Bytes JMP 719B000A .text G:\INSTALATORY\gmer\gmer.exe[3612] advapi32.dll!InitiateSystemShutdownExA 77E24E1A 6 Bytes JMP 7195000A .text G:\INSTALATORY\gmer\gmer.exe[3612] advapi32.dll!CreateServiceA 77E27211 6 Bytes JMP 7183000A .text G:\INSTALATORY\gmer\gmer.exe[3612] advapi32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7180000A .text G:\INSTALATORY\gmer\gmer.exe[3612] ole32.dll!CoCreateInstanceEx 774EF164 6 Bytes JMP 7189000A .text G:\INSTALATORY\gmer\gmer.exe[3612] ole32.dll!CoCreateInstance 774EF1BC 6 Bytes JMP 718C000A .text G:\INSTALATORY\gmer\gmer.exe[3612] ole32.dll!CoGetClassObject 77505205 6 Bytes JMP 7186000A .text G:\INSTALATORY\gmer\gmer.exe[3612] WS2_32.dll!socket 71A54211 6 Bytes JMP 71AF000A .text G:\INSTALATORY\gmer\gmer.exe[3612] NETAPI32.dll!NetScheduleJobAdd 6FF78725 6 Bytes JMP 716B000A .text G:\INSTALATORY\gmer\gmer.exe[3612] IPHLPAPI.DLL!IcmpSendEcho2 76D5B73C 6 Bytes JMP 718F000A ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\Ntfs \Ntfs kisknl.sys Device \Driver\Tcpip \Device\Ip OAmon.sys AttachedDevice \Driver\Tcpip \Device\Ip kdhacker.sys Device \Driver\Tcpip \Device\Tcp OAmon.sys AttachedDevice \Driver\Tcpip \Device\Tcp kdhacker.sys AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 BTOWSVF.sys AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 BTOWSVF.sys AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 hotcore3.sys AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 BTOWSVF.sys Device \Driver\Tcpip \Device\Udp OAmon.sys AttachedDevice \Driver\Tcpip \Device\Udp kdhacker.sys Device \Driver\Tcpip \Device\RawIp OAmon.sys AttachedDevice \Driver\Tcpip \Device\RawIp kdhacker.sys Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat kisknl.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG16.00.00.01PROFESSIONAL C380BF454D793E9F8C072EA0CCC47EE63EE136F06F36F719C8EC513ADF1954054AC8AEAED8DFDBF95FE3AABDDE708E6C4D889B444B7A9625F202E8BBAA6807F88FCCF082EB53709CD4DBC3B4D692BE05FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA9C6AECB7A5D1407A2D97226D213B555A6A0AC4980AC7933A9C6AECB7A5D1407B8822F46CBBD63AA8146ED5A633ED4AECE96010E0DBF6FC60F90D7C12832B280D92C641EBD5DA4337F7C4FF3786D2ED87006831E768FCB00F49E877661158D4B2BDEA35FD9B9EAF962A85C5B3AE0DE8F3737B8AC9CFADBF790BE5D953D698BD061A473979FFB5AAE393E61CB12F9E281ACA4D1C8763F917F8B95111FDF61AF25DFE92F557FF1AD464711FB855E3F46A514AC52046EBA6DAC442B2A1362D61320447D04AADD0BB0F685DA23CD705BACB460129473E26F08D8CAE8087A4FC3625BDB9575B115DC45BE9E391C6E10994B2D3B7A44B027060C24E520DA5EA6C85CB628495B8471A1615D72AD8332F5EDEECC80F062D983C6B96E0F042B4EDDA957566116DFC333B48CD5131EC9EACF6EF29C40E3C310B0A3E2DFF2A9CFDC5C4FB91FF15C8013119666724BD2B1EB41D3CBE23F2612F860AC7061738F7820FD4401BE76DF911933ED1EBC13F8D38FDEFC7DAEF6ECC73FB39B5CA12714263212B93D2 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG17.00.00.01PROFESSIONAL 89A61634094F7D5066BB6CA90759ECF3AF863560902A692C2859430135676DB2128A298CCEEE214D636CD97538B0448B8090D7040D5D28D7905DFC1489DEBA59D16FC89BE9AA20A114CE4602635ADD2F2FF97C492CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA9C6AECB7A5D1407A2D97226D213B555A6171C11EC38DE3DA6A0AC4980AC7933CCC201239E580705496B0E35C89F2EB5F8028ECF7C6E998BABC7A63D3E9260DF01DF6DBAC80594EC83F5EFF78C68E7D39B79FDA60B04A9B442E64F16765A0E5398247164A74643CD396A07BBE2355DE66DC05B216DE28D5427853FD16D2FAAB04A8ABCB3A5000B65CCBD98D3F333A9BAA1651EF2A621A36C77E9C1A4A5B07B4942B093FEE0F8B4751706FCD798F0BB27DC96D4946FB79F00C6FC3B0852E097741E5ACBDE2ADCDD466300A0225F655601B62AA0C132848A9798CE2038DC26EC0CF1EED03286BAF721F18B83510C6610A3BD1AB77C8FC8BEC06A8EFC3860CBBDEBC4F8231B31864A55F7AD39CA1432D2F07302E10659AAEC8CA613ED4B2F7E9BF61126548094976DB51C8CEAB22268DF4B4AA17C6899B1190FB157277B4DD0F113C5CA8C0B56294F98FA7454F6150E479AAD6079EF094C99E060F76D17F2B97DA846DD882AC85932D7A456C6447F8AF04A7A465E2B19CB1B1F7DB79 Reg HKLM\SOFTWARE\Classes\CLSID\{68f253e3-7bc7-45c9-aee2-b645c4fd883c}@Model 214 Reg HKLM\SOFTWARE\Classes\CLSID\{68f253e3-7bc7-45c9-aee2-b645c4fd883c}@Therad 28 Reg HKLM\SOFTWARE\Classes\CLSID\{68f253e3-7bc7-45c9-aee2-b645c4fd883c}@MData 0x73 0xD5 0xCF 0xB8 ... Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0x91 0x22 0xC7 0x02 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0DD22BAF-398F-D784-7677-819BD27F8A49} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0DD22BAF-398F-D784-7677-819BD27F8A49}@jahcmggfdkmcdnppchbi 0x62 0x61 0x61 0x6C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0DD22BAF-398F-D784-7677-819BD27F8A49}@jahcmggfdkmcdnppchnh 0x62 0x61 0x66 0x69 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0DD22BAF-398F-D784-7677-819BD27F8A49}@iahdpahieodkedhhci 0x6B 0x61 0x63 0x6C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0DD22BAF-398F-D784-7677-819BD27F8A49}@habdfaallcgoflag 0x6B 0x61 0x63 0x6C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4F0EF90C-6758-D3D4-CA93-A8FEABF329D6} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4F0EF90C-6758-D3D4-CA93-A8FEABF329D6}@ablilppfmkfmjhanngigmifnjlpjcjfiho 0x69 0x61 0x6B 0x6A ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4F0EF90C-6758-D3D4-CA93-A8FEABF329D6}@mamiomniglnikgolcihlfelpgj 0x6F 0x61 0x6C 0x67 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5249B254-DBF6-3B28-8396-C2057515262D} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5249B254-DBF6-3B28-8396-C2057515262D}@iadabjfgnemglnajeg 0x6B 0x61 0x70 0x6C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5249B254-DBF6-3B28-8396-C2057515262D}@hafbhmhijampkkge 0x6B 0x61 0x70 0x6C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5249B254-DBF6-3B28-8396-C2057515262D}@hapbjchfjfndjjfg 0x61 0x62 0x63 0x61 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5249B254-DBF6-3B28-8396-C2057515262D}@jaobecnoagkikegnhjbl 0x64 0x62 0x63 0x61 ... ---- EOF - GMER 2.1 ----