GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-08-30 16:28:37 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 ST9500325AS rev.0002SDM1 465,76GB Running: clmcs1w9.exe; Driver: C:\Users\Alan\AppData\Local\Temp\aftcqaod.sys ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwReplaceKey + 1525 82A51B55 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A8BBB2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1612] WS2_32.dll!WSASend 76EB4406 5 Bytes JMP 5ECF1640 C:\IQIYI Video\Common\Accelerator\browserhook.dll .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1612] WS2_32.dll!send 76EB6F01 5 Bytes JMP 5ECF1600 C:\IQIYI Video\Common\Accelerator\browserhook.dll .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtCreateFile + 6 775C56B6 4 Bytes [28, 4C, 7A, 00] {SUB [EDX+EDI*2+0x0], CL} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtCreateFile + B 775C56BB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtMapViewOfSection + 6 775C5D16 4 Bytes [28, 4F, 7A, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtMapViewOfSection + B 775C5D1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtOpenFile + 6 775C5DC6 4 Bytes [68, 4C, 7A, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtOpenFile + B 775C5DCB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtOpenProcess + 6 775C5E76 4 Bytes [A8, 4D, 7A, 00] {TEST AL, 0x4d; JP 0x4} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtOpenProcess + B 775C5E7B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtOpenProcessToken + B 775C5E8B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtOpenProcessTokenEx + 6 775C5E96 4 Bytes [A8, 4E, 7A, 00] {TEST AL, 0x4e; JP 0x4} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtOpenProcessTokenEx + B 775C5E9B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtOpenThread + 6 775C5EF6 4 Bytes [68, 4D, 7A, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtOpenThread + B 775C5EFB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtOpenThreadToken + 6 775C5F06 4 Bytes [68, 4E, 7A, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtOpenThreadToken + B 775C5F0B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtOpenThreadTokenEx + B 775C5F1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtQueryAttributesFile + 6 775C6026 4 Bytes [A8, 4C, 7A, 00] {TEST AL, 0x4c; JP 0x4} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtQueryAttributesFile + B 775C602B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtQueryFullAttributesFile + B 775C60DB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtSetInformationFile + 6 775C6726 4 Bytes [28, 4D, 7A, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtSetInformationFile + B 775C672B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtSetInformationThread + 6 775C6786 4 Bytes [28, 4E, 7A, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtSetInformationThread + B 775C678B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtUnmapViewOfSection + 6 775C6AA6 4 Bytes [68, 4F, 7A, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[1816] ntdll.dll!NtUnmapViewOfSection + B 775C6AAB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtCreateFile + 6 775C56B6 4 Bytes [28, AC, EE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtCreateFile + B 775C56BB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtMapViewOfSection + 6 775C5D16 4 Bytes [28, AF, EE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtMapViewOfSection + B 775C5D1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtOpenFile + 6 775C5DC6 4 Bytes [68, AC, EE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtOpenFile + B 775C5DCB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtOpenProcess + 6 775C5E76 4 Bytes [A8, AD, EE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtOpenProcess + B 775C5E7B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtOpenProcessToken + B 775C5E8B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtOpenProcessTokenEx + 6 775C5E96 4 Bytes [A8, AE, EE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtOpenProcessTokenEx + B 775C5E9B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtOpenThread + 6 775C5EF6 4 Bytes [68, AD, EE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtOpenThread + B 775C5EFB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtOpenThreadToken + 6 775C5F06 4 Bytes [68, AE, EE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtOpenThreadToken + B 775C5F0B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtOpenThreadTokenEx + B 775C5F1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtQueryAttributesFile + 6 775C6026 4 Bytes [A8, AC, EE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtQueryAttributesFile + B 775C602B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtQueryFullAttributesFile + B 775C60DB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtSetInformationFile + 6 775C6726 4 Bytes [28, AD, EE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtSetInformationFile + B 775C672B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtSetInformationThread + 6 775C6786 4 Bytes [28, AE, EE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtSetInformationThread + B 775C678B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtUnmapViewOfSection + 6 775C6AA6 4 Bytes [68, AF, EE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2464] ntdll.dll!NtUnmapViewOfSection + B 775C6AAB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtCreateFile + 6 775C56B6 4 Bytes [28, B4, EB, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtCreateFile + B 775C56BB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtMapViewOfSection + 6 775C5D16 4 Bytes [28, B7, EB, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtMapViewOfSection + B 775C5D1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtOpenFile + 6 775C5DC6 4 Bytes [68, B4, EB, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtOpenFile + B 775C5DCB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtOpenProcess + 6 775C5E76 4 Bytes [A8, B5, EB, 00] {TEST AL, 0xb5; JMP 0x4} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtOpenProcess + B 775C5E7B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtOpenProcessToken + B 775C5E8B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtOpenProcessTokenEx + 6 775C5E96 4 Bytes [A8, B6, EB, 00] {TEST AL, 0xb6; JMP 0x4} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtOpenProcessTokenEx + B 775C5E9B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtOpenThread + 6 775C5EF6 4 Bytes [68, B5, EB, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtOpenThread + B 775C5EFB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtOpenThreadToken + 6 775C5F06 4 Bytes [68, B6, EB, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtOpenThreadToken + B 775C5F0B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtOpenThreadTokenEx + B 775C5F1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtQueryAttributesFile + 6 775C6026 4 Bytes [A8, B4, EB, 00] {TEST AL, 0xb4; JMP 0x4} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtQueryAttributesFile + B 775C602B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtQueryFullAttributesFile + B 775C60DB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtSetInformationFile + 6 775C6726 4 Bytes [28, B5, EB, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtSetInformationFile + B 775C672B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtSetInformationThread + 6 775C6786 4 Bytes [28, B6, EB, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtSetInformationThread + B 775C678B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtUnmapViewOfSection + 6 775C6AA6 4 Bytes [68, B7, EB, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2504] ntdll.dll!NtUnmapViewOfSection + B 775C6AAB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtCreateFile + 6 775C56B6 4 Bytes [28, C8, 11, 00] {SUB AL, CL; ADC [EAX], EAX} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtCreateFile + B 775C56BB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtMapViewOfSection + 6 775C5D16 4 Bytes [28, CB, 11, 00] {SUB BL, CL; ADC [EAX], EAX} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtMapViewOfSection + B 775C5D1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtOpenFile + 6 775C5DC6 4 Bytes [68, C8, 11, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtOpenFile + B 775C5DCB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtOpenProcess + 6 775C5E76 4 Bytes [A8, C9, 11, 00] {TEST AL, 0xc9; ADC [EAX], EAX} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtOpenProcess + B 775C5E7B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtOpenProcessToken + B 775C5E8B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtOpenProcessTokenEx + 6 775C5E96 4 Bytes [A8, CA, 11, 00] {TEST AL, 0xca; ADC [EAX], EAX} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtOpenProcessTokenEx + B 775C5E9B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtOpenThread + 6 775C5EF6 4 Bytes [68, C9, 11, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtOpenThread + B 775C5EFB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtOpenThreadToken + 6 775C5F06 4 Bytes [68, CA, 11, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtOpenThreadToken + B 775C5F0B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtOpenThreadTokenEx + B 775C5F1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtQueryAttributesFile + 6 775C6026 4 Bytes [A8, C8, 11, 00] {TEST AL, 0xc8; ADC [EAX], EAX} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtQueryAttributesFile + B 775C602B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtQueryFullAttributesFile + B 775C60DB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtSetInformationFile + 6 775C6726 4 Bytes [28, C9, 11, 00] {SUB CL, CL; ADC [EAX], EAX} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtSetInformationFile + B 775C672B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtSetInformationThread + 6 775C6786 4 Bytes [28, CA, 11, 00] {SUB DL, CL; ADC [EAX], EAX} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtSetInformationThread + B 775C678B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtUnmapViewOfSection + 6 775C6AA6 4 Bytes [68, CB, 11, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[2864] ntdll.dll!NtUnmapViewOfSection + B 775C6AAB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtCreateFile + 6 775C56B6 4 Bytes [28, 3C, 87, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtCreateFile + B 775C56BB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtMapViewOfSection + 6 775C5D16 4 Bytes [28, 3F, 87, 00] {SUB [EDI], BH; XCHG [EAX], EAX} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtMapViewOfSection + B 775C5D1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtOpenFile + 6 775C5DC6 4 Bytes [68, 3C, 87, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtOpenFile + B 775C5DCB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtOpenProcess + 6 775C5E76 4 Bytes [A8, 3D, 87, 00] {TEST AL, 0x3d; XCHG [EAX], EAX} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtOpenProcess + B 775C5E7B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtOpenProcessToken + B 775C5E8B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtOpenProcessTokenEx + 6 775C5E96 4 Bytes [A8, 3E, 87, 00] {TEST AL, 0x3e; XCHG [EAX], EAX} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtOpenProcessTokenEx + B 775C5E9B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtOpenThread + 6 775C5EF6 4 Bytes [68, 3D, 87, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtOpenThread + B 775C5EFB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtOpenThreadToken + 6 775C5F06 4 Bytes [68, 3E, 87, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtOpenThreadToken + B 775C5F0B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtOpenThreadTokenEx + B 775C5F1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtQueryAttributesFile + 6 775C6026 4 Bytes [A8, 3C, 87, 00] {TEST AL, 0x3c; XCHG [EAX], EAX} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtQueryAttributesFile + B 775C602B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtQueryFullAttributesFile + B 775C60DB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtSetInformationFile + 6 775C6726 4 Bytes [28, 3D, 87, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtSetInformationFile + B 775C672B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtSetInformationThread + 6 775C6786 4 Bytes [28, 3E, 87, 00] {SUB [ESI], BH; XCHG [EAX], EAX} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtSetInformationThread + B 775C678B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtUnmapViewOfSection + 6 775C6AA6 4 Bytes [68, 3F, 87, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3308] ntdll.dll!NtUnmapViewOfSection + B 775C6AAB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtCreateFile + 6 775C56B6 4 Bytes [28, BC, CE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtCreateFile + B 775C56BB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtMapViewOfSection + 6 775C5D16 4 Bytes [28, BF, CE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtMapViewOfSection + B 775C5D1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtOpenFile + 6 775C5DC6 4 Bytes [68, BC, CE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtOpenFile + B 775C5DCB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtOpenProcess + 6 775C5E76 4 Bytes [A8, BD, CE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtOpenProcess + B 775C5E7B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtOpenProcessToken + B 775C5E8B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtOpenProcessTokenEx + 6 775C5E96 4 Bytes [A8, BE, CE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtOpenProcessTokenEx + B 775C5E9B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtOpenThread + 6 775C5EF6 4 Bytes [68, BD, CE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtOpenThread + B 775C5EFB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtOpenThreadToken + 6 775C5F06 4 Bytes [68, BE, CE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtOpenThreadToken + B 775C5F0B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtOpenThreadTokenEx + B 775C5F1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtQueryAttributesFile + 6 775C6026 4 Bytes [A8, BC, CE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtQueryAttributesFile + B 775C602B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtQueryFullAttributesFile + B 775C60DB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtSetInformationFile + 6 775C6726 4 Bytes [28, BD, CE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtSetInformationFile + B 775C672B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtSetInformationThread + 6 775C6786 4 Bytes [28, BE, CE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtSetInformationThread + B 775C678B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtUnmapViewOfSection + 6 775C6AA6 4 Bytes [68, BF, CE, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3328] ntdll.dll!NtUnmapViewOfSection + B 775C6AAB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtCreateFile + 6 775C56B6 4 Bytes [28, 64, 5E, 00] {SUB [ESI+EBX*2+0x0], AH} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtCreateFile + B 775C56BB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtMapViewOfSection + 6 775C5D16 4 Bytes [28, 67, 5E, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtMapViewOfSection + B 775C5D1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtOpenFile + 6 775C5DC6 4 Bytes [68, 64, 5E, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtOpenFile + B 775C5DCB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtOpenProcess + 6 775C5E76 4 Bytes [A8, 65, 5E, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtOpenProcess + B 775C5E7B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtOpenProcessToken + B 775C5E8B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtOpenProcessTokenEx + 6 775C5E96 4 Bytes [A8, 66, 5E, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtOpenProcessTokenEx + B 775C5E9B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtOpenThread + 6 775C5EF6 4 Bytes [68, 65, 5E, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtOpenThread + B 775C5EFB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtOpenThreadToken + 6 775C5F06 4 Bytes [68, 66, 5E, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtOpenThreadToken + B 775C5F0B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtOpenThreadTokenEx + B 775C5F1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtQueryAttributesFile + 6 775C6026 4 Bytes [A8, 64, 5E, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtQueryAttributesFile + B 775C602B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtQueryFullAttributesFile + B 775C60DB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtSetInformationFile + 6 775C6726 4 Bytes [28, 65, 5E, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtSetInformationFile + B 775C672B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtSetInformationThread + 6 775C6786 4 Bytes [28, 66, 5E, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtSetInformationThread + B 775C678B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtUnmapViewOfSection + 6 775C6AA6 4 Bytes [68, 67, 5E, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[3972] ntdll.dll!NtUnmapViewOfSection + B 775C6AAB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtCreateFile + 6 775C56B6 4 Bytes [28, 04, 67, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtCreateFile + B 775C56BB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtMapViewOfSection + 6 775C5D16 4 Bytes [28, 07, 67, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtMapViewOfSection + B 775C5D1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtOpenFile + 6 775C5DC6 4 Bytes [68, 04, 67, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtOpenFile + B 775C5DCB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtOpenProcess + 6 775C5E76 4 Bytes [A8, 05, 67, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtOpenProcess + B 775C5E7B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtOpenProcessToken + B 775C5E8B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtOpenProcessTokenEx + 6 775C5E96 4 Bytes [A8, 06, 67, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtOpenProcessTokenEx + B 775C5E9B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtOpenThread + 6 775C5EF6 4 Bytes [68, 05, 67, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtOpenThread + B 775C5EFB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtOpenThreadToken + 6 775C5F06 4 Bytes [68, 06, 67, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtOpenThreadToken + B 775C5F0B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtOpenThreadTokenEx + B 775C5F1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtQueryAttributesFile + 6 775C6026 4 Bytes [A8, 04, 67, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtQueryAttributesFile + B 775C602B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtQueryFullAttributesFile + B 775C60DB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtSetInformationFile + 6 775C6726 4 Bytes [28, 05, 67, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtSetInformationFile + B 775C672B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtSetInformationThread + 6 775C6786 4 Bytes [28, 06, 67, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtSetInformationThread + B 775C678B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtUnmapViewOfSection + 6 775C6AA6 4 Bytes [68, 07, 67, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5028] ntdll.dll!NtUnmapViewOfSection + B 775C6AAB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtCreateFile + 6 775C56B6 4 Bytes [28, 48, 91, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtCreateFile + B 775C56BB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtMapViewOfSection + 6 775C5D16 4 Bytes [28, 4B, 91, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtMapViewOfSection + B 775C5D1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtOpenFile + 6 775C5DC6 4 Bytes [68, 48, 91, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtOpenFile + B 775C5DCB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtOpenProcess + 6 775C5E76 4 Bytes [A8, 49, 91, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtOpenProcess + B 775C5E7B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtOpenProcessToken + B 775C5E8B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtOpenProcessTokenEx + 6 775C5E96 4 Bytes [A8, 4A, 91, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtOpenProcessTokenEx + B 775C5E9B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtOpenThread + 6 775C5EF6 4 Bytes [68, 49, 91, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtOpenThread + B 775C5EFB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtOpenThreadToken + 6 775C5F06 4 Bytes [68, 4A, 91, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtOpenThreadToken + B 775C5F0B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtOpenThreadTokenEx + B 775C5F1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtQueryAttributesFile + 6 775C6026 4 Bytes [A8, 48, 91, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtQueryAttributesFile + B 775C602B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtQueryFullAttributesFile + B 775C60DB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtSetInformationFile + 6 775C6726 4 Bytes [28, 49, 91, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtSetInformationFile + B 775C672B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtSetInformationThread + 6 775C6786 4 Bytes [28, 4A, 91, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtSetInformationThread + B 775C678B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtUnmapViewOfSection + 6 775C6AA6 4 Bytes [68, 4B, 91, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[5112] ntdll.dll!NtUnmapViewOfSection + B 775C6AAB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtCreateFile + 6 775C56B6 4 Bytes [28, 88, D1, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtCreateFile + B 775C56BB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtMapViewOfSection + 6 775C5D16 4 Bytes [28, 8B, D1, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtMapViewOfSection + B 775C5D1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtOpenFile + 6 775C5DC6 4 Bytes [68, 88, D1, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtOpenFile + B 775C5DCB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtOpenProcess + 6 775C5E76 4 Bytes [A8, 89, D1, 00] {TEST AL, 0x89; ROL DWORD [EAX], 0x1} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtOpenProcess + B 775C5E7B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtOpenProcessToken + B 775C5E8B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtOpenProcessTokenEx + 6 775C5E96 4 Bytes [A8, 8A, D1, 00] {TEST AL, 0x8a; ROL DWORD [EAX], 0x1} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtOpenProcessTokenEx + B 775C5E9B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtOpenThread + 6 775C5EF6 4 Bytes [68, 89, D1, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtOpenThread + B 775C5EFB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtOpenThreadToken + 6 775C5F06 4 Bytes [68, 8A, D1, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtOpenThreadToken + B 775C5F0B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtOpenThreadTokenEx + B 775C5F1B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtQueryAttributesFile + 6 775C6026 4 Bytes [A8, 88, D1, 00] {TEST AL, 0x88; ROL DWORD [EAX], 0x1} .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtQueryAttributesFile + B 775C602B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtQueryFullAttributesFile + B 775C60DB 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtSetInformationFile + 6 775C6726 4 Bytes [28, 89, D1, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtSetInformationFile + B 775C672B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtSetInformationThread + 6 775C6786 4 Bytes [28, 8A, D1, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtSetInformationThread + B 775C678B 1 Byte [E2] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtUnmapViewOfSection + 6 775C6AA6 4 Bytes [68, 8B, D1, 00] .text C:\Program Files\Opera\31.0.1889.174\opera.exe[6840] ntdll.dll!NtUnmapViewOfSection + B 775C6AAB 1 Byte [E2] ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp wsafd_1_10_0_19.sys Device \Driver\BTHUSB \Device\00000071 bthport.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e37f5b24f Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e37f5b24f@4482f800cc53 0x7E 0x93 0x3F 0x0E ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e37f5b24f@88c9d03b0a93 0x09 0x98 0x0D 0xE3 ... Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{E40E1801-DAD3-4CBB-A6BC-1CBE9A290732}@LeaseObtainedTime 1440937006 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{E40E1801-DAD3-4CBB-A6BC-1CBE9A290732}@T1 1440980206 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{E40E1801-DAD3-4CBB-A6BC-1CBE9A290732}@T2 1441012606 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{E40E1801-DAD3-4CBB-A6BC-1CBE9A290732}@LeaseTerminatesTime 1441023406 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e37f5b24f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e37f5b24f@4482f800cc53 0x7E 0x93 0x3F 0x0E ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e37f5b24f@88c9d03b0a93 0x09 0x98 0x0D 0xE3 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Winreview.ru\Personalization Panel DWM Controller\persdwmsrv.exe 0x9B 0x8A 0xD3 0xDF ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0xEE 0x44 0xB4 0xF4 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 0xDD 0xA0 0x26 0x28 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Coupon Time\bin\utilCouponTime.exe 0x63 0xFF 0x8F 0xF2 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Alan\AppData\Local\Temp\RarSFX1\file.exe 0xF6 0x2A 0x3B 0xCE ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Alan\AppData\Local\Temp\IVYPL\xrc.exe 0x73 0x99 0x37 0xDD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Alan\AppData\Local\Temp\IVYPLx\run.exe 0xF1 0xD5 0xC3 0xDD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Alan\AppData\Local\Bamtechno.exe 0x25 0x3A 0xFC 0xDD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Controller\cohc.exe 0x41 0xC5 0x99 0xDA ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\ProgramData\Sublight\iidtdxr2.exe 0x6B 0x89 0x98 0x08 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Coupon Time\updateCouponTime.exe 0x0F 0x45 0xF1 0x1C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\PhraseProfessor_1.10.0.22\Update\PhraseProfessorAutoUpdateClient.exe 0x58 0x3C 0x90 0x9B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\WordSurfer_1.10.0.19\Update\WordSurferAutoUpdateClient.exe 0xB9 0x33 0x0C 0xD2 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe 0x21 0x60 0xCE 0xAD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\ProgramData\Saophase\Zathtrax.exe 0x04 0x50 0xDE 0xFE ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Alan\Downloads\FRST.exe 0xEB 0xEC 0x6C 0xEB ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x30 0x3B 0x12 0xEF ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Users\Alan\AppData\Local\Temp\RarSFX0\Installer.exe 0x25 0xA2 0x8D 0x8F ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Users\Alan\AppData\Local\Temp\RarSFX1\DPE.exe 0x3A 0x6C 0x31 0xB9 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\ProgramData\Application Hosting\Application Hosting.exe 0x24 0x34 0x75 0xD7 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\ProgramData\Sublight\Sublight.exe 0x2D 0x68 0x75 0xE0 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Users\Alan\AppData\Local\Temp\fsd9021.exe 0xA5 0xC3 0xC6 0xCD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Users\Alan\AppData\Local\Temp\ToX1F62.exe 0xD5 0x08 0x8B 0x0C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Users\Alan\AppData\Local\Temp\fsdF9E8.exe 0xEB 0x48 0x69 0x51 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\msiexec.exe 0x65 0x52 0x52 0xA6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\wermgr.exe 0xF4 0xC2 0x5B 0xC6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\temp\RarSFX0\uou.exe 0x3D 0x53 0xFD 0x3F ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\ProgramData\Saophase\Saophase.exe 0x7C 0x71 0xDF 0xDF ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Users\Alan\Downloads\FRST.exe 0x9D 0x66 0x79 0xE5 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Superfetch@VirtualStoreSize 1192 ---- EOF - GMER 2.1 ----