GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-02 20:56:31 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\00000068 Hitachi_ rev.PB4O 465,76GB Running: mgm312ko.exe; Driver: C:\Users\leszek\AppData\Local\Temp\aftcraog.sys ---- System - GMER 2.1 ---- SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwCreateThread [0x92F9AFAA] SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwCreateThreadEx [0x92F9AFC4] SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwMapViewOfSection [0x92F9ACCC] SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwOpenSection [0x92F9B162] SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwRenameKey [0x92F9C514] SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwSuspendProcess [0x92F9AB4A] SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwSuspendThread [0x92F9AFDE] SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwTerminateProcess [0x92F9AAA4] SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwTerminateThread [0x92F9AC04] SSDT \??\C:\Program Files\Pakiet Bezpieczenstwa UPC\apps\ComputerSecurity\HIPS\drivers\fshs.sys ZwWriteVirtualMemory [0x92F9B0A6] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRequestPort + 14AD 8325CBB5 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83296B92 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 1203 8329E0C8 8 Bytes [AA, AF, F9, 92, C4, AF, F9, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 1347 8329E20C 4 Bytes [CC, AC, F9, 92] {INT 3 ; LODSB ; STC ; XCHG EDX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 13AF 8329E274 4 Bytes [62, B1, F9, 92] .text ntkrnlpa.exe!KeRemoveQueueEx + 152F 8329E3F4 4 Bytes [14, C5, F9, 92] {ADC AL, 0xc5; STC ; XCHG EDX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 165F 8329E524 8 Bytes [4A, AB, F9, 92, DE, AF, F9, ...] .text ... .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x8AF25B2E] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\lsm.exe[520] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 000A000C .text C:\Windows\system32\lsm.exe[520] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 000A100C .text C:\Windows\system32\lsm.exe[520] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 000A200C .text C:\Windows\system32\lsm.exe[520] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 000AC00C .text C:\Windows\system32\lsm.exe[520] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 000AA00C .text C:\Windows\system32\lsm.exe[520] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 000AD00C .text C:\Windows\system32\svchost.exe[624] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0025000C .text C:\Windows\system32\svchost.exe[624] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0025100C .text C:\Windows\system32\svchost.exe[624] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0025200C .text C:\Windows\system32\svchost.exe[624] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 0025E00C .text C:\Windows\system32\svchost.exe[624] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 0025C00C .text C:\Windows\system32\svchost.exe[624] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 0025F00C .text C:\Windows\system32\svchost.exe[624] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 0025400C .text C:\Windows\system32\svchost.exe[624] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 0025300C .text C:\Windows\system32\nvvsvc.exe[688] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0020000C .text C:\Windows\system32\nvvsvc.exe[688] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0020100C .text C:\Windows\system32\nvvsvc.exe[688] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0020200C .text C:\Windows\system32\nvvsvc.exe[688] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 0020E00C .text C:\Windows\system32\nvvsvc.exe[688] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 0020C00C .text C:\Windows\system32\nvvsvc.exe[688] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 0020F00C .text C:\Windows\system32\nvvsvc.exe[688] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 0020400C .text C:\Windows\system32\nvvsvc.exe[688] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 0020300C .text C:\Windows\system32\svchost.exe[728] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0038000C .text C:\Windows\system32\svchost.exe[728] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0038100C .text C:\Windows\system32\svchost.exe[728] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0038200C .text C:\Windows\system32\svchost.exe[728] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 0038E00C .text C:\Windows\system32\svchost.exe[728] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 0038C00C .text C:\Windows\system32\svchost.exe[728] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 0038F00C .text C:\Windows\system32\svchost.exe[728] user32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 0038400C .text C:\Windows\system32\svchost.exe[728] user32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 0038300C .text C:\Windows\System32\svchost.exe[788] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 00A7000C .text C:\Windows\System32\svchost.exe[788] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 00A7100C .text C:\Windows\System32\svchost.exe[788] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 00A7200C .text C:\Windows\System32\svchost.exe[788] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 00A7E00C .text C:\Windows\System32\svchost.exe[788] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 00A7C00C .text C:\Windows\System32\svchost.exe[788] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 00A7F00C .text C:\Windows\System32\svchost.exe[788] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 00A7400C .text C:\Windows\System32\svchost.exe[788] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 00A7300C .text C:\Windows\System32\svchost.exe[820] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 009D000C .text C:\Windows\System32\svchost.exe[820] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 009D100C .text C:\Windows\System32\svchost.exe[820] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 009D200C .text C:\Windows\System32\svchost.exe[820] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 009DE00C .text C:\Windows\System32\svchost.exe[820] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 009DC00C .text C:\Windows\System32\svchost.exe[820] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 009DF00C .text C:\Windows\System32\svchost.exe[820] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 009D400C .text C:\Windows\System32\svchost.exe[820] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 009D300C .text C:\Windows\system32\svchost.exe[852] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0042000C .text C:\Windows\system32\svchost.exe[852] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0042100C .text C:\Windows\system32\svchost.exe[852] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0042200C .text C:\Windows\system32\svchost.exe[852] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 0042E00C .text C:\Windows\system32\svchost.exe[852] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 0042C00C .text C:\Windows\system32\svchost.exe[852] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 0042F00C .text C:\Windows\system32\svchost.exe[852] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 0042400C .text C:\Windows\system32\svchost.exe[852] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 0042300C .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 00A4000C .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 00A4100C .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 00A4200C .text C:\Windows\system32\svchost.exe[876] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 00A4E00C .text C:\Windows\system32\svchost.exe[876] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 00A4C00C .text C:\Windows\system32\svchost.exe[876] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 00A4F00C .text C:\Windows\system32\svchost.exe[876] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 00A4400C .text C:\Windows\system32\svchost.exe[876] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 00A4300C .text C:\Windows\system32\svchost.exe[1008] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 001E000C .text C:\Windows\system32\svchost.exe[1008] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 001E100C .text C:\Windows\system32\svchost.exe[1008] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 001E200C .text C:\Windows\system32\svchost.exe[1008] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 001EE00C .text C:\Windows\system32\svchost.exe[1008] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 001EC00C .text C:\Windows\system32\svchost.exe[1008] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 001EF00C .text C:\Windows\system32\svchost.exe[1008] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 001E400C .text C:\Windows\system32\svchost.exe[1008] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 001E300C .text C:\Windows\system32\svchost.exe[1028] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0029000C .text C:\Windows\system32\svchost.exe[1028] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0029100C .text C:\Windows\system32\svchost.exe[1028] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0029200C .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 0029E00C .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 0029C00C .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 0029F00C .text C:\Windows\system32\svchost.exe[1028] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 0029400C .text C:\Windows\system32\svchost.exe[1028] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 0029300C .text C:\Windows\system32\winlogon.exe[1088] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 001C000C .text C:\Windows\system32\winlogon.exe[1088] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 001C100C .text C:\Windows\system32\winlogon.exe[1088] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 001C200C .text C:\Windows\system32\winlogon.exe[1088] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 001CE00C .text C:\Windows\system32\winlogon.exe[1088] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 001CC00C .text C:\Windows\system32\winlogon.exe[1088] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 001CF00C .text C:\Windows\system32\winlogon.exe[1088] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 001C400C .text C:\Windows\system32\winlogon.exe[1088] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 001C300C .text C:\Windows\system32\svchost.exe[1128] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 00AC000C .text C:\Windows\system32\svchost.exe[1128] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 00AC100C .text C:\Windows\system32\svchost.exe[1128] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 00AC200C .text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 00ACE00C .text C:\Windows\system32\svchost.exe[1128] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 00ACC00C .text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 00ACF00C .text C:\Windows\system32\svchost.exe[1128] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 00AC400C .text C:\Windows\system32\svchost.exe[1128] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 00AC300C .text C:\Windows\system32\svchost.exe[1432] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 00AF000C .text C:\Windows\system32\svchost.exe[1432] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 00AF100C .text C:\Windows\system32\svchost.exe[1432] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 00AF200C .text C:\Windows\system32\svchost.exe[1432] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 00AFE00C .text C:\Windows\system32\svchost.exe[1432] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 00AFC00C .text C:\Windows\system32\svchost.exe[1432] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 00AFF00C .text C:\Windows\system32\svchost.exe[1432] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 00AF400C .text C:\Windows\system32\svchost.exe[1432] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 00AF300C .text C:\Windows\system32\nvvsvc.exe[1476] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0047000C .text C:\Windows\system32\nvvsvc.exe[1476] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0047100C .text C:\Windows\system32\nvvsvc.exe[1476] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0047200C .text C:\Windows\system32\nvvsvc.exe[1476] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 0047E00C .text C:\Windows\system32\nvvsvc.exe[1476] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 0047C00C .text C:\Windows\system32\nvvsvc.exe[1476] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 0047F00C .text C:\Windows\system32\nvvsvc.exe[1476] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 0047400C .text C:\Windows\system32\nvvsvc.exe[1476] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 0047300C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1576] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0017000C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1576] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0017100C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1576] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0017200C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1576] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 0017E00C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1576] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 0017C00C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1576] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 0017F00C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1576] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 0017400C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1576] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 0017300C .text C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1600] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0034000C .text C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1600] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0034100C .text C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1600] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0034200C .text C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1600] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 0034E00C .text C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1600] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 0034C00C .text C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1600] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 0034F00C .text C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1600] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 0034400C .text C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1600] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 0034300C .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1628] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 004F000C .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1628] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 004F100C .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1628] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 004F200C .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1628] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 004FE00C .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1628] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 004FC00C .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1628] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 004FF00C .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1628] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 004F400C .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1628] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 004F300C .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\DfsdkS.exe[1708] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0028000C .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\DfsdkS.exe[1708] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0028100C .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\DfsdkS.exe[1708] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0028200C .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\DfsdkS.exe[1708] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 0028E00C .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\DfsdkS.exe[1708] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 0028C00C .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\DfsdkS.exe[1708] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 0028F00C .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\DfsdkS.exe[1708] user32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 0028400C .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\DfsdkS.exe[1708] user32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 0028300C .text C:\Windows\System32\svchost.exe[1736] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0024000C .text C:\Windows\System32\svchost.exe[1736] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0024100C .text C:\Windows\System32\svchost.exe[1736] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0024200C .text C:\Windows\System32\svchost.exe[1736] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 0024E00C .text C:\Windows\System32\svchost.exe[1736] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 0024C00C .text C:\Windows\System32\svchost.exe[1736] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 0024F00C .text C:\Windows\System32\svchost.exe[1736] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 0024400C .text C:\Windows\System32\svchost.exe[1736] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 0024300C .text C:\Windows\system32\svchost.exe[1772] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 002F000C .text C:\Windows\system32\svchost.exe[1772] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 002F100C .text C:\Windows\system32\svchost.exe[1772] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 002F200C .text C:\Windows\system32\svchost.exe[1772] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 002FE00C .text C:\Windows\system32\svchost.exe[1772] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 002FC00C .text C:\Windows\system32\svchost.exe[1772] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 002FF00C .text C:\Windows\system32\svchost.exe[1772] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 002F400C .text C:\Windows\system32\svchost.exe[1772] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 002F300C .text C:\Program Files\Internet Explorer\iexplore.exe[1984] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0023000C .text C:\Program Files\Internet Explorer\iexplore.exe[1984] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0023100C .text C:\Program Files\Internet Explorer\iexplore.exe[1984] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0023200C .text C:\Users\leszek\Desktop\Nowy folder\mgm312ko.exe[2044] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0016000C .text C:\Users\leszek\Desktop\Nowy folder\mgm312ko.exe[2044] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0016100C .text C:\Users\leszek\Desktop\Nowy folder\mgm312ko.exe[2044] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0016200C .text C:\Windows\system32\GWX\GWX.exe[2304] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0056000C .text C:\Windows\system32\GWX\GWX.exe[2304] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0056100C .text C:\Windows\system32\GWX\GWX.exe[2304] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0056200C .text C:\Windows\system32\GWX\GWX.exe[2304] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 0056E00C .text C:\Windows\system32\GWX\GWX.exe[2304] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 0056C00C .text C:\Windows\system32\GWX\GWX.exe[2304] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 0056F00C .text C:\Windows\system32\GWX\GWX.exe[2304] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 0056400C .text C:\Windows\system32\GWX\GWX.exe[2304] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 0056300C .text C:\Windows\system32\Dwm.exe[2892] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 00AE000C .text C:\Windows\system32\Dwm.exe[2892] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 00AE100C .text C:\Windows\system32\Dwm.exe[2892] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 00AE200C .text C:\Windows\system32\Dwm.exe[2892] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 00AEE00C .text C:\Windows\system32\Dwm.exe[2892] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 00AEC00C .text C:\Windows\system32\Dwm.exe[2892] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 00AEF00C .text C:\Windows\system32\Dwm.exe[2892] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 00AE400C .text C:\Windows\system32\Dwm.exe[2892] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 00AE300C .text C:\Windows\system32\taskhost.exe[2900] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 026F000C .text C:\Windows\system32\taskhost.exe[2900] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 026F100C .text C:\Windows\system32\taskhost.exe[2900] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 026F200C .text C:\Windows\system32\taskhost.exe[2900] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 026FE00C .text C:\Windows\system32\taskhost.exe[2900] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 026FC00C .text C:\Windows\system32\taskhost.exe[2900] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 026FF00C .text C:\Windows\system32\taskhost.exe[2900] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 026F400C .text C:\Windows\system32\taskhost.exe[2900] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 026F300C .text C:\Windows\Explorer.EXE[2960] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0388000C .text C:\Windows\Explorer.EXE[2960] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0388100C .text C:\Windows\Explorer.EXE[2960] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0388200C .text C:\Windows\Explorer.EXE[2960] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 0388E00C .text C:\Windows\Explorer.EXE[2960] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 0388C00C .text C:\Windows\Explorer.EXE[2960] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 0388F00C .text C:\Windows\Explorer.EXE[2960] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 0388400C .text C:\Windows\Explorer.EXE[2960] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 0388300C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3096] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 00A0000C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3096] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 00A0100C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3096] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 00A0200C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3096] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 00A0E00C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3096] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 00A0C00C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3096] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 00A0F00C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3096] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 00A0400C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3096] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 00A0300C .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3460] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0055000C .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3460] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0055100C .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3460] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0055200C .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3460] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 0055E00C .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3460] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 0055C00C .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3460] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 0055F00C .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3460] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 0055400C .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3460] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 0055300C .text C:\Program Files\Windows Sidebar\sidebar.exe[3556] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 02B0000C .text C:\Program Files\Windows Sidebar\sidebar.exe[3556] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 02B0100C .text C:\Program Files\Windows Sidebar\sidebar.exe[3556] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 02B0200C .text C:\Program Files\Windows Sidebar\sidebar.exe[3556] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 02B0E00C .text C:\Program Files\Windows Sidebar\sidebar.exe[3556] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 02B0C00C .text C:\Program Files\Windows Sidebar\sidebar.exe[3556] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 02B0F00C .text C:\Program Files\Windows Sidebar\sidebar.exe[3556] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 02B0400C .text C:\Program Files\Windows Sidebar\sidebar.exe[3556] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 02B0300C .text C:\Windows\System32\svchost.exe[3780] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0020000C .text C:\Windows\System32\svchost.exe[3780] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0020100C .text C:\Windows\System32\svchost.exe[3780] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0020200C .text C:\Windows\System32\svchost.exe[3780] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 0020E00C .text C:\Windows\System32\svchost.exe[3780] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 0020C00C .text C:\Windows\System32\svchost.exe[3780] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 0020F00C .text C:\Windows\System32\svchost.exe[3780] user32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 0020400C .text C:\Windows\System32\svchost.exe[3780] user32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 0020300C .text C:\Windows\system32\winlogon.exe[4164] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0087000C .text C:\Windows\system32\winlogon.exe[4164] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0087100C .text C:\Windows\system32\winlogon.exe[4164] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0087200C .text C:\Windows\system32\winlogon.exe[4164] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 0087E00C .text C:\Windows\system32\winlogon.exe[4164] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 0087C00C .text C:\Windows\system32\winlogon.exe[4164] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 0087F00C .text C:\Windows\system32\winlogon.exe[4164] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 0087400C .text C:\Windows\system32\winlogon.exe[4164] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 0087300C .text C:\Windows\system32\nvvsvc.exe[4272] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0019000C .text C:\Windows\system32\nvvsvc.exe[4272] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0019100C .text C:\Windows\system32\nvvsvc.exe[4272] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0019200C .text C:\Windows\system32\nvvsvc.exe[4272] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 0019E00C .text C:\Windows\system32\nvvsvc.exe[4272] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 0019C00C .text C:\Windows\system32\nvvsvc.exe[4272] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 0019F00C .text C:\Windows\system32\nvvsvc.exe[4272] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 0019400C .text C:\Windows\system32\nvvsvc.exe[4272] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 0019300C .text C:\Windows\system32\Dwm.exe[4536] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0021000C .text C:\Windows\system32\Dwm.exe[4536] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0021100C .text C:\Windows\system32\Dwm.exe[4536] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0021200C .text C:\Windows\system32\Dwm.exe[4536] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 0021E00C .text C:\Windows\system32\Dwm.exe[4536] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 0021C00C .text C:\Windows\system32\Dwm.exe[4536] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 0021F00C .text C:\Windows\system32\Dwm.exe[4536] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 0021400C .text C:\Windows\system32\Dwm.exe[4536] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 0021300C .text C:\Windows\Explorer.EXE[4632] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0027000C .text C:\Windows\Explorer.EXE[4632] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0027100C .text C:\Windows\Explorer.EXE[4632] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0027200C .text C:\Windows\Explorer.EXE[4632] kernel32.dll!CopyFileExW 7721B348 5 Bytes JMP 0027E00C .text C:\Windows\Explorer.EXE[4632] kernel32.dll!OpenMutexA 772204DA 5 Bytes JMP 0027C00C .text C:\Windows\Explorer.EXE[4632] kernel32.dll!CreateDirectoryExW 77267D09 5 Bytes JMP 0027F00C .text C:\Windows\Explorer.EXE[4632] USER32.dll!SetWindowsHookExW 76D2E30C 5 Bytes JMP 0027400C .text C:\Windows\Explorer.EXE[4632] USER32.dll!SetWindowsHookExA 76D56D0C 5 Bytes JMP 0027300C .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[4820] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0010000C .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[4820] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0010100C .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[4820] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0010200C .text C:\Program Files\Windows Sidebar\sidebar.exe[4844] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0011000C .text C:\Program Files\Windows Sidebar\sidebar.exe[4844] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0011100C .text C:\Program Files\Windows Sidebar\sidebar.exe[4844] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0011200C .text C:\Program Files\Internet Explorer\iexplore.exe[6060] ntdll.dll!NtCreateProcess 773056F0 5 Bytes JMP 0021000C .text C:\Program Files\Internet Explorer\iexplore.exe[6060] ntdll.dll!NtCreateProcessEx 77305700 5 Bytes JMP 0021100C .text C:\Program Files\Internet Explorer\iexplore.exe[6060] ntdll.dll!NtCreateUserProcess 773057D0 5 Bytes JMP 0021200C ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 857AB1E8 Device \Driver\usbohci \Device\USBPDO-0 86B251E8 Device \Driver\usbehci \Device\USBPDO-1 86B271E8 Device \Driver\usbohci \Device\USBPDO-2 86B251E8 Device \Driver\usbehci \Device\USBPDO-3 86B271E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{CA7F49B6-8827-458E-95F7-8ED5540875D1} 86ADC228 Device \Driver\cdrom \Device\CdRom0 86A261E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{0BF538B0-3B30-4F9A-8DAA-7B97DE03BF83} 86ADC228 Device \Driver\nvstor32 \Device\00000068 857A91E8 Device \Driver\nvstor32 \Device\00000069 857A91E8 Device \Driver\NetBT \Device\NetBt_Wins_Export 86ADC228 Device \Driver\NetBT \Device\NetBT_Tcpip_{BCDB82E0-0CC2-43CF-A2B8-23F9529BE56B} 86ADC228 Device \Driver\nvstor32 \Device\RaidPort0 857A91E8 Device \Driver\usbohci \Device\USBFDO-0 86B251E8 Device \Driver\usbehci \Device\USBFDO-1 86B271E8 Device \Driver\usbohci \Device\USBFDO-2 86B251E8 Device \Driver\usbehci \Device\USBFDO-3 86B271E8 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x857a91e8]<< 857a91e8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86750350] 86750350 Trace 3 CLASSPNP.SYS[8b5bc59e] -> nt!IofCallDriver -> [0x865718e0] 865718e0 Trace 5 ACPI.sys[8af523d4] -> nt!IofCallDriver -> \Device\00000068[0x865215e0] 865215e0 Trace \Driver\nvstor32[0x86519600] -> IRP_MJ_CREATE -> 0x857a91e8 857a91e8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015833d0a57 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015833d0a57@0025489c1a06 0xE0 0x29 0x8F 0xDA ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBA 0x62 0x7D 0x86 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015833d0a57 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015833d0a57@0025489c1a06 0xE0 0x29 0x8F 0xDA ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBA 0x62 0x7D 0x86 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0xB0 0x20 0x43 0x8F ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\System32\sdiagnhost.exe 0x80 0xC4 0x6A 0x0B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0x20 0xFA 0x28 0x0E ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0xD0 0xD1 0x0C 0x8B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\System32\CompatTel\wicainventory.exe 0xB0 0x3F 0xB7 0x6A ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\System32\rundll32.exe 0xE0 0x92 0xEA 0x40 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Program Files\Samsung\Kies\Kies.exe 0x50 0x37 0x94 0xF6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Users\leszek\AppData\Roaming\Samsung\Kies\UpdateTemp\Updater\Kies.Update.exe 0x30 0x5D 0x63 0x70 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\System32\GWX\GWXConfigManager.exe 0xD0 0x28 0xEA 0x13 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\explorer.exe 0x48 0xDF 0xAE 0xC7 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 0x80 0xF4 0xE3 0x6F ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\System32\aitstatic.exe 0x68 0x02 0x5E 0x9F ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Users\leszek\Desktop\Nowy folder\FRST.exe 0xF0 0x24 0x53 0xBC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@EF118990 2926 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@8BD99990 2926 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3924117992-576461840-467304932-1003@RefCount 3 Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ... Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ... Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ... Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ... Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ... Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ... Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ... Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ... Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ... Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ... Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ... Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x05 0x73 0x21 0xDD ... ---- EOF - GMER 2.1 ----