GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-11 13:09:21 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\00000067 Hitachi_ rev.PB4O 465,76GB Running: qm5egzer.exe; Driver: C:\Users\leszek\AppData\Local\Temp\aftcraog.sys ---- System - GMER 2.1 ---- SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwCreateThread [0x9398CECC] SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwCreateThreadEx [0x9398CEE6] SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwMapViewOfSection [0x9398CBEE] SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwOpenSection [0x9398D084] SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwRenameKey [0x9398E436] SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwSuspendProcess [0x9398CA6C] SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwSuspendThread [0x9398CF00] SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwTerminateProcess [0x9398C9C6] SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwTerminateThread [0x9398CB26] SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwWriteVirtualMemory [0x9398CFC8] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 83288A35 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 832C2392 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 1203 832C96E8 8 Bytes [CC, CE, 98, 93, E6, CE, 98, ...] {INT 3 ; INTO ; CWDE ; XCHG EBX, EAX; OUT 0xce, AL; CWDE ; XCHG EBX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 1347 832C982C 4 Bytes [EE, CB, 98, 93] {OUT DX, AL; RETF ; CWDE ; XCHG EBX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 13AF 832C9894 4 Bytes [84, D0, 98, 93] {TEST AL, DL; CWDE ; XCHG EBX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 152F 832C9A14 4 Bytes [36, E4, 98, 93] {IN AL, 0x98; XCHG EBX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 165F 832C9B44 8 Bytes [6C, CA, 98, 93, 00, CF, 98, ...] {INS BYTE [ES:EDI], DX; RETF 0x9398; ADD BH, CL; CWDE ; XCHG EBX, EAX} .text ... .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x8AF2DB2E] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\svchost.exe[388] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 001F000C .text C:\Windows\system32\svchost.exe[388] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 001F100C .text C:\Windows\system32\svchost.exe[388] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 001F200C .text C:\Windows\system32\svchost.exe[388] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 001FE00C .text C:\Windows\system32\svchost.exe[388] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 001FC00C .text C:\Windows\system32\svchost.exe[388] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 001FF00C .text C:\Windows\system32\svchost.exe[388] USER32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 001F400C .text C:\Windows\system32\svchost.exe[388] USER32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 001F300C .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[396] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 004D000C .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[396] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 004D100C .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[396] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 004D200C .text C:\Windows\system32\lsm.exe[516] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 0017000C .text C:\Windows\system32\lsm.exe[516] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 0017100C .text C:\Windows\system32\lsm.exe[516] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 0017200C .text C:\Windows\system32\lsm.exe[516] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 0017C00C .text C:\Windows\system32\lsm.exe[516] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 0017A00C .text C:\Windows\system32\lsm.exe[516] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 0017D00C .text C:\Windows\system32\svchost.exe[680] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 0037000C .text C:\Windows\system32\svchost.exe[680] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 0037100C .text C:\Windows\system32\svchost.exe[680] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 0037200C .text C:\Windows\system32\svchost.exe[680] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 0037E00C .text C:\Windows\system32\svchost.exe[680] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 0037C00C .text C:\Windows\system32\svchost.exe[680] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 0037F00C .text C:\Windows\system32\svchost.exe[680] USER32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 0037400C .text C:\Windows\system32\svchost.exe[680] USER32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 0037300C .text C:\Windows\system32\Dwm.exe[708] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 0010000C .text C:\Windows\system32\Dwm.exe[708] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 0010100C .text C:\Windows\system32\Dwm.exe[708] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 0010200C .text C:\Windows\system32\Dwm.exe[708] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 0010E00C .text C:\Windows\system32\Dwm.exe[708] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 0010C00C .text C:\Windows\system32\Dwm.exe[708] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 0010F00C .text C:\Windows\system32\Dwm.exe[708] USER32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 0010400C .text C:\Windows\system32\Dwm.exe[708] USER32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 0010300C .text C:\Windows\system32\nvvsvc.exe[740] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 0017000C .text C:\Windows\system32\nvvsvc.exe[740] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 0017100C .text C:\Windows\system32\nvvsvc.exe[740] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 0017200C .text C:\Windows\system32\nvvsvc.exe[740] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 0017E00C .text C:\Windows\system32\nvvsvc.exe[740] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 0017C00C .text C:\Windows\system32\nvvsvc.exe[740] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 0017F00C .text C:\Windows\system32\nvvsvc.exe[740] USER32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 0017400C .text C:\Windows\system32\nvvsvc.exe[740] USER32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 0017300C .text C:\Windows\system32\svchost.exe[780] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 0022000C .text C:\Windows\system32\svchost.exe[780] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 0022100C .text C:\Windows\system32\svchost.exe[780] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 0022200C .text C:\Windows\system32\svchost.exe[780] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 0022E00C .text C:\Windows\system32\svchost.exe[780] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 0022C00C .text C:\Windows\system32\svchost.exe[780] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 0022F00C .text C:\Windows\system32\svchost.exe[780] user32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 0022400C .text C:\Windows\system32\svchost.exe[780] user32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 0022300C .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[796] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 0030000C .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[796] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 0030100C .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[796] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 0030200C .text C:\Windows\System32\svchost.exe[884] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 002B000C .text C:\Windows\System32\svchost.exe[884] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 002B100C .text C:\Windows\System32\svchost.exe[884] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 002B200C .text C:\Windows\System32\svchost.exe[884] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 002BE00C .text C:\Windows\System32\svchost.exe[884] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 002BC00C .text C:\Windows\System32\svchost.exe[884] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 002BF00C .text C:\Windows\System32\svchost.exe[884] user32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 002B400C .text C:\Windows\System32\svchost.exe[884] user32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 002B300C .text C:\Windows\System32\svchost.exe[892] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 00F5000C .text C:\Windows\System32\svchost.exe[892] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 00F5100C .text C:\Windows\System32\svchost.exe[892] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 00F5200C .text C:\Windows\System32\svchost.exe[892] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 00F5E00C .text C:\Windows\System32\svchost.exe[892] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 00F5C00C .text C:\Windows\System32\svchost.exe[892] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 00F5F00C .text C:\Windows\System32\svchost.exe[892] USER32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 00F5400C .text C:\Windows\System32\svchost.exe[892] USER32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 00F5300C .text C:\Windows\System32\svchost.exe[936] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 0106000C .text C:\Windows\System32\svchost.exe[936] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 0106100C .text C:\Windows\System32\svchost.exe[936] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 0106200C .text C:\Windows\System32\svchost.exe[936] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 0106E00C .text C:\Windows\System32\svchost.exe[936] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 0106C00C .text C:\Windows\System32\svchost.exe[936] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 0106F00C .text C:\Windows\System32\svchost.exe[936] USER32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 0106400C .text C:\Windows\System32\svchost.exe[936] USER32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 0106300C .text C:\Windows\system32\svchost.exe[984] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 0051000C .text C:\Windows\system32\svchost.exe[984] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 0051100C .text C:\Windows\system32\svchost.exe[984] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 0051200C .text C:\Windows\system32\svchost.exe[984] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 0051E00C .text C:\Windows\system32\svchost.exe[984] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 0051C00C .text C:\Windows\system32\svchost.exe[984] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 0051F00C .text C:\Windows\system32\svchost.exe[984] USER32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 0051400C .text C:\Windows\system32\svchost.exe[984] USER32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 0051300C .text C:\Windows\system32\svchost.exe[1028] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 009B000C .text C:\Windows\system32\svchost.exe[1028] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 009B100C .text C:\Windows\system32\svchost.exe[1028] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 009B200C .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 009BE00C .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 009BC00C .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 009BF00C .text C:\Windows\system32\svchost.exe[1028] USER32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 009B400C .text C:\Windows\system32\svchost.exe[1028] USER32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 009B300C .text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 0009000C .text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 0009100C .text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 0009200C .text C:\Windows\system32\svchost.exe[1116] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 0009E00C .text C:\Windows\system32\svchost.exe[1116] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 0009C00C .text C:\Windows\system32\svchost.exe[1116] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 0009F00C .text C:\Windows\system32\svchost.exe[1116] USER32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 0009400C .text C:\Windows\system32\svchost.exe[1116] USER32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 0009300C .text C:\Windows\system32\svchost.exe[1252] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 0031000C .text C:\Windows\system32\svchost.exe[1252] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 0031100C .text C:\Windows\system32\svchost.exe[1252] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 0031200C .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 0031E00C .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 0031C00C .text C:\Windows\system32\svchost.exe[1252] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 0031F00C .text C:\Windows\system32\svchost.exe[1252] USER32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 0031400C .text C:\Windows\system32\svchost.exe[1252] USER32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 0031300C .text C:\Windows\system32\svchost.exe[1500] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 00A3000C .text C:\Windows\system32\svchost.exe[1500] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 00A3100C .text C:\Windows\system32\svchost.exe[1500] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 00A3200C .text C:\Windows\system32\svchost.exe[1500] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 00A3E00C .text C:\Windows\system32\svchost.exe[1500] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 00A3C00C .text C:\Windows\system32\svchost.exe[1500] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 00A3F00C .text C:\Windows\system32\svchost.exe[1500] USER32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 00A3400C .text C:\Windows\system32\svchost.exe[1500] USER32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 00A3300C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1584] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 000F000C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1584] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 000F100C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1584] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 000F200C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1584] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 000FE00C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1584] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 000FC00C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1584] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 000FF00C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1584] USER32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 000F400C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1584] USER32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 000F300C .text C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1604] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 0008000C .text C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1604] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 0008100C .text C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1604] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 0008200C .text C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1604] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 0008E00C .text C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1604] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 0008C00C .text C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1604] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 0008F00C .text C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1604] USER32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 0008400C .text C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1604] USER32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 0008300C .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1628] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 000E000C .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1628] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 000E100C .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1628] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 000E200C .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1628] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 000EE00C .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1628] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 000EC00C .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1628] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 000EF00C .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1628] USER32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 000E400C .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1628] USER32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 000E300C .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\DfsdkS.exe[1728] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 0060000C .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\DfsdkS.exe[1728] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 0060100C .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\DfsdkS.exe[1728] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 0060200C .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\DfsdkS.exe[1728] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 0060E00C .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\DfsdkS.exe[1728] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 0060C00C .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\DfsdkS.exe[1728] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 0060F00C .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\DfsdkS.exe[1728] user32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 0060400C .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\DfsdkS.exe[1728] user32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 0060300C .text C:\Windows\system32\svchost.exe[1760] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 0018000C .text C:\Windows\system32\svchost.exe[1760] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 0018100C .text C:\Windows\system32\svchost.exe[1760] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 0018200C .text C:\Windows\system32\svchost.exe[1760] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 0018E00C .text C:\Windows\system32\svchost.exe[1760] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 0018C00C .text C:\Windows\system32\svchost.exe[1760] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 0018F00C .text C:\Windows\system32\svchost.exe[1760] USER32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 0018400C .text C:\Windows\system32\svchost.exe[1760] USER32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 0018300C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2056] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 00ED000C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2056] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 00ED100C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2056] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 00ED200C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2056] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 00EDE00C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2056] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 00EDC00C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2056] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 00EDF00C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2056] USER32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 00ED400C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2056] USER32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 00ED300C .text C:\Windows\system32\winlogon.exe[2440] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 0038000C .text C:\Windows\system32\winlogon.exe[2440] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 0038100C .text C:\Windows\system32\winlogon.exe[2440] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 0038200C .text C:\Windows\system32\winlogon.exe[2440] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 0038E00C .text C:\Windows\system32\winlogon.exe[2440] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 0038C00C .text C:\Windows\system32\winlogon.exe[2440] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 0038F00C .text C:\Windows\system32\winlogon.exe[2440] USER32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 0038400C .text C:\Windows\system32\winlogon.exe[2440] USER32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 0038300C .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2756] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 000E000C .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2756] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 000E100C .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2756] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 000E200C .text C:\Program Files\Internet Explorer\iexplore.exe[3372] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 002F000C .text C:\Program Files\Internet Explorer\iexplore.exe[3372] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 002F100C .text C:\Program Files\Internet Explorer\iexplore.exe[3372] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 002F200C .text C:\Windows\system32\nvvsvc.exe[4604] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 003D000C .text C:\Windows\system32\nvvsvc.exe[4604] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 003D100C .text C:\Windows\system32\nvvsvc.exe[4604] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 003D200C .text C:\Windows\Explorer.EXE[4656] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 0025000C .text C:\Windows\Explorer.EXE[4656] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 0025100C .text C:\Windows\Explorer.EXE[4656] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 0025200C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4804] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 0008000C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4804] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 0008100C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4804] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 0008200C .text C:\Windows\system32\svchost.exe[4996] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 0027000C .text C:\Windows\system32\svchost.exe[4996] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 0027100C .text C:\Windows\system32\svchost.exe[4996] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 0027200C .text C:\Windows\system32\svchost.exe[4996] kernel32.dll!CopyFileExW 774DB348 5 Bytes JMP 0027E00C .text C:\Windows\system32\svchost.exe[4996] kernel32.dll!OpenMutexA 774E04DA 5 Bytes JMP 0027C00C .text C:\Windows\system32\svchost.exe[4996] kernel32.dll!CreateDirectoryExW 77527D09 5 Bytes JMP 0027F00C .text C:\Windows\system32\svchost.exe[4996] USER32.dll!SetWindowsHookExW 77DDE30C 5 Bytes JMP 0027400C .text C:\Windows\system32\svchost.exe[4996] USER32.dll!SetWindowsHookExA 77E06D0C 5 Bytes JMP 0027300C .text C:\Program Files\Windows Sidebar\sidebar.exe[5108] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 0015000C .text C:\Program Files\Windows Sidebar\sidebar.exe[5108] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 0015100C .text C:\Program Files\Windows Sidebar\sidebar.exe[5108] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 0015200C .text C:\Program Files\Internet Explorer\iexplore.exe[6060] ntdll.dll!NtCreateProcess 77CB56D8 5 Bytes JMP 000A000C .text C:\Program Files\Internet Explorer\iexplore.exe[6060] ntdll.dll!NtCreateProcessEx 77CB56E8 5 Bytes JMP 000A100C .text C:\Program Files\Internet Explorer\iexplore.exe[6060] ntdll.dll!NtCreateUserProcess 77CB57B8 5 Bytes JMP 000A200C ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 857AB1E8 Device \Driver\usbohci \Device\USBPDO-0 86AF41E8 Device \Driver\usbehci \Device\USBPDO-1 86AF51E8 Device \Driver\usbohci \Device\USBPDO-2 86AF41E8 Device \Driver\usbehci \Device\USBPDO-3 86AF51E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{CA7F49B6-8827-458E-95F7-8ED5540875D1} 86A97430 Device \Driver\cdrom \Device\CdRom0 869FE1E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{0BF538B0-3B30-4F9A-8DAA-7B97DE03BF83} 86A97430 Device \Driver\nvstor32 \Device\00000067 857A91E8 Device \Driver\nvstor32 \Device\00000068 857A91E8 Device \Driver\NetBT \Device\NetBt_Wins_Export 86A97430 Device \Driver\NetBT \Device\NetBT_Tcpip_{BCDB82E0-0CC2-43CF-A2B8-23F9529BE56B} 86A97430 Device \Driver\nvstor32 \Device\RaidPort0 857A91E8 Device \Driver\usbohci \Device\USBFDO-0 86AF41E8 Device \Driver\usbehci \Device\USBFDO-1 86AF51E8 Device \Driver\usbohci \Device\USBFDO-2 86AF41E8 Device \Driver\usbehci \Device\USBFDO-3 86AF51E8 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x857a91e8]<< 857a91e8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x867151c8] 867151c8 Trace 3 CLASSPNP.SYS[8b59c59e] -> nt!IofCallDriver -> [0x865319e8] 865319e8 Trace 5 ACPI.sys[8af5a3d4] -> nt!IofCallDriver -> \Device\00000067[0x864d43e8] 864d43e8 Trace \Driver\nvstor32[0x864ce5c8] -> IRP_MJ_CREATE -> 0x857a91e8 857a91e8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015833d0a57 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015833d0a57@0025489c1a06 0xE0 0x29 0x8F 0xDA ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBA 0x62 0x7D 0x86 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015833d0a57 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015833d0a57@0025489c1a06 0xE0 0x29 0x8F 0xDA ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBA 0x62 0x7D 0x86 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@8BD99990 2478 Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ... Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ... Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ... Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ... Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ... Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ... Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ... Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ... Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ... Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ... Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ... Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x05 0x73 0x21 0xDD ... ---- EOF - GMER 2.1 ----