GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-31 07:22:12
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST925082 rev.3.CM 232,89GB
Running: f354zgvi.exe; Driver: C:\Users\marek\AppData\Local\Temp\pwdoypog.sys

---- System - GMER 2.1 ----

INT 0x51 ? 85D33BF8
INT 0x51 ? 8782CF00
INT 0x51 ? 8782CF00
INT 0x51 ? 85D33BF8
INT 0x72 ? 8782CF00
INT 0x82 ? 8782CF00
INT 0x92 ? 8782CF00
INT 0xA2 ? 8782CF00
INT 0xA2 ? 8782CF00

---- Kernel code sections - GMER 2.1 ----

? System32\Drivers\spfj.sys System nie może odnaleźć określonej ścieżki. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8EC0D340, 0x3E9407, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1596] ntdll.dll!RtlExitUserThread 77B71CFB 5 Bytes JMP 6D21F0EC C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1596] kernel32.dll!TerminateThread 77A944DB 5 Bytes JMP 6D21F105 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1596] kernel32.dll!CreateThread 77A9CBEE 5 Bytes JMP 6D0874FB C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!EnableWindow 761FCD8B 5 Bytes JMP 6D0CA2AC C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!DefWindowProcA 761FDB88 7 Bytes JMP 6D08972D C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!CreateWindowExA 761FDC2A 5 Bytes JMP 6D09354B C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!CreateWindowExW 76201305 5 Bytes JMP 6D0F005B C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!DefWindowProcW 762103B4 7 Bytes JMP 6D0E7D32 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!DialogBoxParamW 762210B0 5 Bytes JMP 6D02190B C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!DialogBoxIndirectParamW 76222EF5 5 Bytes JMP 6D21EA9A C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!DialogBoxParamA 76238152 5 Bytes JMP 6D21EA35 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!DialogBoxIndirectParamA 7623847D 5 Bytes JMP 6D21EAFF C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!MessageBoxIndirectA 7624D4D9 5 Bytes JMP 6D21E9BC C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!MessageBoxIndirectW 7624D5D3 5 Bytes JMP 6D21E943 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!MessageBoxExA 7624D639 5 Bytes JMP 6D21E8DF C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!MessageBoxExW 7624D65D 5 Bytes JMP 6D21E87B C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1596] ole32.dll!OleLoadFromStream 772F1E80 5 Bytes JMP 6D21F2E1 C:\Windows\system32\IEFRAME.dll

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[4076] @ C:\Windows\Explorer.EXE [KERNEL32.dll!CreateProcessW] [77B1E600] C:\Windows\system32\kernel32.dll
IAT C:\Windows\Explorer.EXE[4076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [75097817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[4076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [750D5EFD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[4076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7509BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[4076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7508F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[4076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [750975E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[4076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7508E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[4076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [750E92D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[4076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7509DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[4076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7508FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[4076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7508FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[4076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [750871CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[4076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7511CB4D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[4076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [750BC840] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[4076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7508D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[4076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [75086853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[4076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7508687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT C:\Windows\Explorer.EXE[4076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [75092AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs 85D341F8
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys
Device \Driver\volmgr \Device\VolMgrControl 8539B1F8

---- Trace I/O - GMER 2.1 ----

Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iastor.sys spfj.sys >>UNKNOWN [0x85cec938]<< 85cec938
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87044ac8] 87044ac8
Trace 3 CLASSPNP.SYS[8afd18b3] -> nt!IofCallDriver -> [0x85dd2918] 85dd2918
Trace 5 acpi.sys[82e0c6bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85d9b028] 85d9b028

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@0017e4cf6de7 0xD3 0xA3 0xE7 0xE6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@1c62b8d87cc1 0x6B 0x47 0x69 0x1C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@a04e04d7b2df 0xBA 0x88 0x75 0x6B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@0026ff00a9f1 0xA0 0x88 0x91 0xEA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@8c3ae3df8e2f 0x22 0xA1 0xC2 0xC0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@502e5c7a81fd 0xE3 0xF1 0x64 0x4A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDF 0xBF 0x9D 0x56 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x36 0x45 0x07 0xCE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x07 0x66 0xF1 0x26 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00234def4a90 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00234def4a90@0017e4cf6de7 0xD3 0xA3 0xE7 0xE6 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00234def4a90@1c62b8d87cc1 0x6B 0x47 0x69 0x1C ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00234def4a90@a04e04d7b2df 0xBA 0x88 0x75 0x6B ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00234def4a90@0026ff00a9f1 0xA0 0x88 0x91 0xEA ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00234def4a90@8c3ae3df8e2f 0x22 0xA1 0xC2 0xC0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00234def4a90@502e5c7a81fd 0xE3 0xF1 0x64 0x4A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDF 0xBF 0x9D 0x56 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x36 0x45 0x07 0xCE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x07 0x66 0xF1 0x26 ...

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- Files - GMER 2.1 ----

File C:\RRbackups\C 0 bytes
File C:\RRbackups\common 0 bytes
File C:\RRbackups\common\backups.dat 8192 bytes
File C:\RRbackups\common\bmgrmode.dat 29 bytes
File C:\RRbackups\common\css.dat 8192 bytes
File C:\RRbackups\common\hints.dat 8192 bytes
File C:\RRbackups\common\mnd.dat 8192 bytes
File C:\RRbackups\common\regcerts.dat 8192 bytes
File C:\RRbackups\common\restore.log 110 bytes
File C:\RRbackups\common\rr.log 310769 bytes
File C:\RRbackups\common\rr_bcdenum.dat 4609 bytes
File C:\RRbackups\common\SAM 262144 bytes
File C:\RRbackups\common\seccache.dat 8192 bytes
File C:\RRbackups\common\secpolicy.dat 28672 bytes
File C:\RRbackups\common\settings.dat 32768 bytes
File C:\RRbackups\common\system.dat 12288 bytes
File C:\RRbackups\common\tvtcmn.dat 8192 bytes
File C:\RRbackups\common\tvtns.bin 23 bytes
File C:\RRbackups\common\usersids.dat 21840 bytes
File C:\RRbackups\Documents and Settings 0 bytes
File C:\RRbackups\Documents and Settings\Administrator 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-500\a077ead69703e3bf1fd373a3c9376faa_ad18dae1-ed09-4d09-be99-7f96ddc5d568 77 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-500\f209e1c6-e19a-4e81-806e-a0fb1fc39c7f 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-946592493-3211520402-3949043191-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-946592493-3211520402-3949043191-500\1e617109-803e-4be7-9818-0d7338a89cf9 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-946592493-3211520402-3949043191-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\marek 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Lenovo\Client Security Solution\cspContainer.dat 332 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Lenovo\Client Security Solution\hibernation.dat 4 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\22296ea5bcbaac0e7e6cac8ee21ae6d8_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1301 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\5550e7cb640347345a345c63aa7a6848_ad18dae1-ed09-4d09-be99-7f96ddc5d568 59 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\62a45886e06c7d046ea8b819bec0598a_ad18dae1-ed09-4d09-be99-7f96ddc5d568 45 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\64823036320bd02b6b09186b90099f5d_ad18dae1-ed09-4d09-be99-7f96ddc5d568 46 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\6b29ae44e85efac3c72ff4d1865d73f1_ad18dae1-ed09-4d09-be99-7f96ddc5d568 53 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\83aa4cc77f591dfc2374580bbd95f6ba_ad18dae1-ed09-4d09-be99-7f96ddc5d568 45 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\89facafc0026437efa3c336e003f3316_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1311 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\8f71098770f72c7a67cd8f1151619865_ad18dae1-ed09-4d09-be99-7f96ddc5d568 54 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\90465be05b8939c84e21979d69c28c0b_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1294 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\a077ead69703e3bf1fd373a3c9376faa_ad18dae1-ed09-4d09-be99-7f96ddc5d568 77 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\a64731a25811fa88f16bf243447fbb69_ad18dae1-ed09-4d09-be99-7f96ddc5d568 65 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\dd508fb67e3df5d722d6ce98ff404371_ad18dae1-ed09-4d09-be99-7f96ddc5d568 63 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\7af7b86a-46df-4601-aa13-5dc1af526cc6 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\aa05138d-445b-410c-872a-71eeda8eda23 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\11f4c52e-8f9e-4c96-a938-b4897d9cca6a 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\15d2caad-9a5c-4794-89ce-6610631656b7 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\44ff3299-100d-4da3-b232-533418ad5e52 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\45e598ba-36e4-4c82-9654-4f6a85595a01 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\4bc9725b-ee04-4570-ba63-c2e59b52c16b 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\558777e6-e2d0-4b42-8020-0340931dfbee 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\7575f1b0-58a4-4f9f-af63-96d06bbfd165 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\8014ad1e-876c-4993-bac0-4555e1bb9cc5 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\89a51020-f432-45ce-8d68-a0475934c6d2 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\982516f1-5e90-4fba-b7b2-88d2f059b413 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\9b316cad-6698-476a-977e-9c9b1afd3a6f 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\9ef0d5ac-f89b-4750-94fd-50cd2ddcbc26 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\a32f5dc3-5bad-4bfe-b51e-fae93391570f 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\a4cc1a2c-380d-49c9-8b81-693f3119bb46 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\b75efed0-5f47-4962-a13e-9f9bf64ac151 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\be8e66a5-5463-4a2a-a5ab-a91a396ac179 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\c5032c90-3888-4c84-a1f2-46712f1e1c00 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\c9b30038-a00f-4277-9687-48d27ba3bfb7 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\ccbc6ea8-cdfc-45fb-9531-0d62912ef565 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\da121dd6-1e30-4ab3-915c-c6c52521e9f3 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\dc1a2530-0c1a-465c-9f2b-ded409de93f3 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\e7d86958-5282-4c6c-8de2-56a0b1488dec 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\efe5a180-27fa-4079-a366-e28dc345555d 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\f9b9965f-2a53-4616-97e4-10ba9329ffe6 388 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\87705B8E2DEBBBC68C7359881FED73527C8F6F4D 1010 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\Keys 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\F2167802900C3689B22CA29A271BBA4C76B76266 152 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\Request 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\Request\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\Request\CTLs 0 bytes
File C:\RRbackups\ProgramData 0 bytes
File C:\RRbackups\ProgramData\Lenovo 0 bytes
File C:\RRbackups\ProgramData\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\ProgramData\Lenovo\Client Security Solution\cspContainer.dat 332 bytes
File C:\RRbackups\ProgramData\Microsoft 0 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto 0 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys 0 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\025534d3b58679fb8e58cab0d2477dfa_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1757 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2a4ad61fa149c392e4743d21f2b24756_ad18dae1-ed09-4d09-be99-7f96ddc5d568 2087 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\89facafc0026437efa3c336e003f3316_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1319 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8d2450622ab7fcd10abb073fb349a251_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1319 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a077ead69703e3bf1fd373a3c9376faa_ad18dae1-ed09-4d09-be99-7f96ddc5d568 907 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\d013304477f3689e5815d4051f89c4af_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1313 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ec0d180d427673e2fc3a72cb659934ca_ad18dae1-ed09-4d09-be99-7f96ddc5d568 913 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 0 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\62a45886e06c7d046ea8b819bec0598a_ad18dae1-ed09-4d09-be99-7f96ddc5d568 45 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6b29ae44e85efac3c72ff4d1865d73f1_ad18dae1-ed09-4d09-be99-7f96ddc5d568 53 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_ad18dae1-ed09-4d09-be99-7f96ddc5d568 47 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\83aa4cc77f591dfc2374580bbd95f6ba_ad18dae1-ed09-4d09-be99-7f96ddc5d568 45 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\8f71098770f72c7a67cd8f1151619865_ad18dae1-ed09-4d09-be99-7f96ddc5d568 54 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\b973ec0ff915c48a18fe09064ce3a22d_ad18dae1-ed09-4d09-be99-7f96ddc5d568 56 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_ad18dae1-ed09-4d09-be99-7f96ddc5d568 899 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\dd508fb67e3df5d722d6ce98ff404371_ad18dae1-ed09-4d09-be99-7f96ddc5d568 63 bytes
File C:\RRbackups\Q 0 bytes
File C:\RRbackups\S 0 bytes
File C:\RRbackups\SIS 0 bytes
File C:\RRbackups\SIS\C 0 bytes
File C:\RRbackups\SIS\Q 0 bytes
File C:\RRbackups\SIS\S 0 bytes
File C:\Users\marek\AppData\Local\Temp\363A.bin 434 bytes

---- EOF - GMER 2.1 ----