GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-16 16:09:42 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3 ST3500418AS rev.CC37 465,76GB Running: k4fcrcyk.exe; Driver: C:\Users\Howoj\AppData\Local\Temp\agloipog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0x926EF6F0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0x926EF820] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x926EF010] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0x926EF4E0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0x926EF300] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0x926EF3F0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0x926EF120] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0x926EF210] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0x926EF5F0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRequestPort + 14AD 82C3FBB5 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C79B92 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 1357 82C8121C 8 Bytes [F0, F6, 6E, 92, 20, F8, 6E, ...] {IMUL BYTE [ESI-0x6e]; AND AL, BH; OUTS DX, BYTE [ESI]; XCHG EDX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 139F 82C81264 4 Bytes [10, F0, 6E, 92] {ADC AL, DH; OUTS DX, BYTE [ESI]; XCHG EDX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 13BF 82C81284 4 Bytes [E0, F4, 6E, 92] {LOOPNZ 0xfffffff6; OUTS DX, BYTE [ESI]; XCHG EDX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 165F 82C81524 8 Bytes [00, F3, 6E, 92, F0, F3, 6E, ...] {ADD BL, DH; OUTS DX, BYTE [ESI]; XCHG EDX, EAX; REP OUTS DX, BYTE [ESI]; XCHG EDX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 166F 82C81534 8 Bytes [20, F1, 6E, 92, 10, F2, 6E, ...] {AND CL, DH; OUTS DX, BYTE [ESI]; XCHG EDX, EAX; ADC DL, DH; OUTS DX, BYTE [ESI]; XCHG EDX, EAX} .text ... ? System32\drivers\aapsqhlt.sys System nie może odnaleźć określonej ścieżki. ! .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x8C4B6774] ? C:\Windows\System32\Drivers\ak4p5w25.SYS suspicious PE modification .text C:\Program Files\Alcohol Soft\Alcohol 120\Alcoholx.dll section is writeable [0x77361000, 0x152A2, 0xE0000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1036] ntdll.dll!NtMapViewOfSection 77225C80 5 Bytes JMP 6C801460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1036] ntdll.dll!NtWriteVirtualMemory 77226AF0 5 Bytes JMP 6C801120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1036] kernel32.dll!CreateProcessInternalW 76F10852 5 Bytes JMP 6C801260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1428] ntdll.dll!NtCreateFile 77225620 5 Bytes JMP 66609C03 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1428] ntdll.dll!NtFlushBuffersFile 772259B0 5 Bytes JMP 6660990B C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1428] ntdll.dll!NtMapViewOfSection 77225C80 5 Bytes JMP 6C801460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1428] ntdll.dll!NtQueryFullAttributesFile 77226040 5 Bytes JMP 666099C0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1428] ntdll.dll!NtReadFile 77226310 5 Bytes JMP 66609ACD C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1428] ntdll.dll!NtReadFileScatter 77226320 5 Bytes JMP 669D8C27 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1428] ntdll.dll!NtWriteFile 77226AC0 5 Bytes JMP 66609DA7 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1428] ntdll.dll!NtWriteFileGather 77226AD0 5 Bytes JMP 669D8C77 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1428] ntdll.dll!NtWriteVirtualMemory 77226AF0 5 Bytes JMP 6C801120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1428] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76F094E6 7 Bytes JMP 669C2714 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1428] kernel32.dll!QueryPerformanceCounter + 13 76F0C4E5 7 Bytes JMP 669C4641 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1428] kernel32.dll!LoadAppInitDlls + 355 76F0F5A6 7 Bytes JMP 66764050 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1428] kernel32.dll!CreateProcessInternalW 76F10852 5 Bytes JMP 6C801260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1428] USER32.dll!GetWindowInfo 75924B5E 5 Bytes JMP 673AC048 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1428] GDI32.dll!GetViewportOrgEx + 26C 76BD884B 7 Bytes JMP 669C0C8F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Windows\servicing\TrustedInstaller.exe[1720] ntdll.dll!NtMapViewOfSection 77225C80 5 Bytes JMP 6C801460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\servicing\TrustedInstaller.exe[1720] ntdll.dll!NtWriteVirtualMemory 77226AF0 5 Bytes JMP 6C801120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\servicing\TrustedInstaller.exe[1720] kernel32.dll!CreateProcessInternalW 76F10852 5 Bytes JMP 6C801260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\DllHost.exe[2276] ntdll.dll!NtMapViewOfSection 77225C80 5 Bytes JMP 6C801460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\DllHost.exe[2276] ntdll.dll!NtWriteVirtualMemory 77226AF0 5 Bytes JMP 6C801120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\DllHost.exe[2276] kernel32.dll!CreateProcessInternalW 76F10852 5 Bytes JMP 6C801260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\GWX\GWX.exe[2656] ntdll.dll!NtMapViewOfSection 77225C80 5 Bytes JMP 6C801460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\GWX\GWX.exe[2656] ntdll.dll!NtWriteVirtualMemory 77226AF0 5 Bytes JMP 6C801120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\GWX\GWX.exe[2656] kernel32.dll!CreateProcessInternalW 76F10852 5 Bytes JMP 6C801260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\System32\WUDFHost.exe[2668] ntdll.dll!NtMapViewOfSection 77225C80 5 Bytes JMP 6C801460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\System32\WUDFHost.exe[2668] ntdll.dll!NtWriteVirtualMemory 77226AF0 5 Bytes JMP 6C801120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\System32\WUDFHost.exe[2668] kernel32.dll!CreateProcessInternalW 76F10852 5 Bytes JMP 6C801260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe[2980] ntdll.dll!NtMapViewOfSection 77225C80 5 Bytes JMP 6C801460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe[2980] ntdll.dll!NtWriteVirtualMemory 77226AF0 5 Bytes JMP 6C801120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe[2980] kernel32.dll!CreateProcessInternalW 76F10852 5 Bytes JMP 6C801260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\ctfmon.exe[3048] ntdll.dll!NtMapViewOfSection 77225C80 5 Bytes JMP 6C801460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\ctfmon.exe[3048] ntdll.dll!NtWriteVirtualMemory 77226AF0 5 Bytes JMP 6C801120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\ctfmon.exe[3048] kernel32.dll!CreateProcessInternalW 76F10852 5 Bytes JMP 6C801260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\AVG\AVG2015\avgnsx.exe[3120] ntdll.dll!NtMapViewOfSection 77225C80 5 Bytes JMP 6C801460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\AVG\AVG2015\avgnsx.exe[3120] ntdll.dll!NtWriteVirtualMemory 77226AF0 5 Bytes JMP 6C801120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\AVG\AVG2015\avgnsx.exe[3120] kernel32.dll!CreateProcessInternalW 76F10852 5 Bytes JMP 6C801260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\taskmgr.exe[3152] ntdll.dll!NtMapViewOfSection 77225C80 5 Bytes JMP 6C801460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\taskmgr.exe[3152] ntdll.dll!NtWriteVirtualMemory 77226AF0 5 Bytes JMP 6C801120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\taskmgr.exe[3152] kernel32.dll!CreateProcessInternalW 76F10852 5 Bytes JMP 6C801260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\AVG\AVG2015\avgemcx.exe[3292] ntdll.dll!NtMapViewOfSection 77225C80 5 Bytes JMP 6C801460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\AVG\AVG2015\avgemcx.exe[3292] ntdll.dll!NtWriteVirtualMemory 77226AF0 5 Bytes JMP 6C801120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\AVG\AVG2015\avgemcx.exe[3292] kernel32.dll!CreateProcessInternalW 76F10852 5 Bytes JMP 6C801260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\svchost.exe[3324] ntdll.dll!NtMapViewOfSection 77225C80 5 Bytes JMP 6C801460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\svchost.exe[3324] ntdll.dll!NtWriteVirtualMemory 77226AF0 5 Bytes JMP 6C801120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\svchost.exe[3324] kernel32.dll!CreateProcessInternalW 76F10852 5 Bytes JMP 6C801260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\AVG\AVG2015\avgui.exe[3660] ntdll.dll!NtMapViewOfSection 77225C80 5 Bytes JMP 6C801460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\AVG\AVG2015\avgui.exe[3660] ntdll.dll!NtWriteVirtualMemory 77226AF0 5 Bytes JMP 6C801120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\AVG\AVG2015\avgui.exe[3660] kernel32.dll!CreateProcessInternalW 76F10852 5 Bytes JMP 6C801260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\System32\svchost.exe[4816] ntdll.dll!NtMapViewOfSection 77225C80 5 Bytes JMP 6C801460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\System32\svchost.exe[4816] ntdll.dll!NtWriteVirtualMemory 77226AF0 5 Bytes JMP 6C801120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\System32\svchost.exe[4816] kernel32.dll!CreateProcessInternalW 76F10852 5 Bytes JMP 6C801260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Users\Howoj\Downloads\k4fcrcyk.exe[5568] ntdll.dll!NtMapViewOfSection 77225C80 5 Bytes JMP 6C801460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Users\Howoj\Downloads\k4fcrcyk.exe[5568] ntdll.dll!NtWriteVirtualMemory 77226AF0 5 Bytes JMP 6C801120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Users\Howoj\Downloads\k4fcrcyk.exe[5568] kernel32.dll!CreateProcessInternalW 76F10852 5 Bytes JMP 6C801260 C:\Program Files\AVG\AVG2015\avghookx.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 858EE1F8 Device \FileSystem\fastfat \FatCdrom 887D61F8 Device \Driver\usbuhci \Device\USBPDO-0 868FC440 Device \Driver\usbuhci \Device\USBPDO-1 868FC440 Device \Driver\usbuhci \Device\USBPDO-2 868FC440 Device \Driver\usbehci \Device\USBPDO-3 86A63440 Device \Driver\usbuhci \Device\USBPDO-4 868FC440 AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys Device \Driver\usbuhci \Device\USBPDO-5 868FC440 Device \Driver\usbuhci \Device\USBPDO-6 868FC440 Device \Driver\usbehci \Device\USBPDO-7 86A63440 Device \Driver\PCI_PNP3747 \Device\00000058 sptd.sys Device \Driver\cdrom \Device\CdRom0 86A071F8 Device \Driver\USBSTOR \Device\00000072 875101F8 Device \Driver\cdrom \Device\CdRom1 86A071F8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-b 858EC1F8 Device \Driver\atapi \Device\Ide\IdePort0 858EC1F8 Device \Driver\atapi \Device\Ide\IdePort1 858EC1F8 Device \Driver\atapi \Device\Ide\IdePort2 858EC1F8 Device \Driver\atapi \Device\Ide\IdePort3 858EC1F8 Device \Driver\atapi \Device\Ide\IdePort4 858EC1F8 Device \Driver\atapi \Device\Ide\IdePort5 858EC1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-6 858EC1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 858EC1F8 Device \Driver\USBSTOR \Device\00000073 875101F8 Device \Driver\cdrom \Device\CdRom2 86A071F8 Device \Driver\USBSTOR \Device\00000074 875101F8 Device \Driver\USBSTOR \Device\00000075 875101F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{56AE635D-D60F-4020-9C9C-8A343D94CBD6} 86CCB1F8 Device \Driver\USBSTOR \Device\00000076 875101F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 86CCB1F8 AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys Device \Driver\usbuhci \Device\USBFDO-0 868FC440 Device \Driver\usbuhci \Device\USBFDO-1 868FC440 Device \Driver\usbuhci \Device\USBFDO-2 868FC440 Device \Driver\usbehci \Device\USBFDO-3 86A63440 Device \Driver\usbuhci \Device\USBFDO-4 868FC440 Device \Driver\usbuhci \Device\USBFDO-5 868FC440 Device \Driver\usbuhci \Device\USBFDO-6 868FC440 Device \Driver\NetBT \Device\NetBT_Tcpip_{5346DD61-EB03-482D-A85E-6DED85D1F15C} 86CCB1F8 Device \Driver\usbehci \Device\USBFDO-7 86A63440 Device \Driver\ak4p5w25 \Device\Scsi\ak4p5w251Port6Path0Target1Lun0 86A6F440 Device \Driver\ak4p5w25 \Device\Scsi\ak4p5w251 86A6F440 Device \Driver\ak4p5w25 \Device\Scsi\ak4p5w251Port6Path0Target0Lun0 86A6F440 Device \FileSystem\fastfat \Fat 887D61F8 AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys Device \FileSystem\cdfs \Cdfs 872AA1F8 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x858ec1f8]<< 858ec1f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86820030] 86820030 Trace 3 CLASSPNP.SYS[8cc8559e] -> nt!IofCallDriver -> [0x866858a8] 866858a8 Trace 5 ACPI.sys[8c4db3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-3[0x866c6030] 866c6030 Trace \Driver\atapi[0x866aeac8] -> IRP_MJ_CREATE -> 0x858ec1f8 858ec1f8 ---- Registry - GMER 2.1 ---- Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\PerfTrack\ScenarioOccurrences\483@TotalOccurrences 623 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\PerfTrack\ScenarioOccurrences\483@OccurrencesLessThanOrEqualTo50ScaledTPI 308 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Users\Public\Documents\Pinnacle\Content\MotionTitles\-Looks\Standard\01 \x2013 Soft Shadow Looks.ixLook 1 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0xFC 0xE6 0xCD 0x6D ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\mcupdate.exe 0xBE 0xC7 0x51 0x50 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\ehrec.exe 0xA6 0x29 0x1E 0x62 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\mcGlidHost.exe 0x08 0x76 0xD6 0x64 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\sdiagnhost.exe 0x21 0x8D 0x0E 0xDB ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0x9F 0x73 0xC1 0xDC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Pinnacle\Studio 14\Import\programs\Importer.exe 0x81 0x15 0x1D 0x0E ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe 0xF9 0xB0 0x79 0x46 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\ehshell.exe 0x97 0xC0 0xEB 0xA5 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Microsoft\Research\AutoCollage 2008\AutoCollage.exe 0xC5 0x36 0xBB 0x37 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\nfotokreator\MPR500 Pro 5\AlbumMaker.exe 0xBF 0x2A 0xB8 0x01 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe 0x9D 0x98 0x85 0xA2 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\rundll32.exe 0xBB 0x0D 0x62 0x75 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Howoj\AppData\Local\Temp\{152E9771-0A42-484E-8E5B-9B3F6B292F31}\RegAsm32.exe 0x27 0xE0 0x33 0x29 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\StatSoft\STATISTICA 12\statist.exe 0x62 0x59 0xED 0x32 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Malwarebytes Anti-Malware\mbam.exe 0x81 0xCE 0xD6 0x41 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0xB4 0x4F 0xD4 0x6D ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\CompatTel\wicainventory.exe 0x9E 0x1A 0x46 0xF8 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\rundll32.exe 0x04 0x37 0x1F 0x16 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume3\crack\md5crack.exe 0x2D 0xD6 0xD2 0xAD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe 0xC7 0xA2 0x2D 0x33 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 0xDB 0x01 0xAF 0xB4 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\msiexec.exe 0xCE 0x4C 0x18 0x89 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Users\Howoj\AppData\Local\Temp\{152E9771-0A42-484E-8E5B-9B3F6B292F31}\RegAsm_4_32.exe 0x2F 0xBD 0x60 0x29 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\StatSoft\STATISTICA 12\statist.exe 0xEC 0x8C 0xE7 0x32 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Malwarebytes Anti-Malware\mbam.exe 0xCE 0x1C 0xBD 0x48 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Malwarebytes Anti-Malware\mbamservice.exe 0x6B 0x7B 0x1B 0xE0 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@A77BD852 627 Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ... Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ... Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x7A 0x45 0x05 0xFD ... Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ... Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ... Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ... Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ... Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ... Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ... Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ... Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ... Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\Windows\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ... Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@CheckingForSolutionDialog 0xF6 0x02 0xBE 0x00 ... Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Howoj\Downloads\AdwCleaner\x00a04.202.exe 1 ---- Files - GMER 2.1 ---- File C:\Users\Howoj\AppData\Local\Temp\8it0dKaI.perl.part 0 bytes ---- EOF - GMER 2.1 ----