GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-12-06 22:53:57 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-8 SAMSUNG_HD502HJ rev.1AJ10001 465,76GB Running: oml90t3v.exe; Driver: C:\Users\Lisqui\AppData\Local\Temp\fwrdapob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwAdjustPrivilegesToken [0x90D4B0A0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwAlpcConnectPort [0x90D4B020] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwAlpcSendWaitReceivePort [0x90D4B030] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwConnectPort [0x90D4B050] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateSection [0x90D4B000] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateSymbolicLinkObject [0x90D4B410] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateThread [0x90D4B100] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateThreadEx [0x90D4B040] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDebugActiveProcess [0x90D4B140] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDeviceIoControlFile [0x90D4B1E0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDuplicateObject [0x90D4B170] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwLoadDriver [0x90D4B150] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwMapViewOfSection [0x90D4B180] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwOpenProcess [0x90D4B080] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwOpenSection [0x90D4B070] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwOpenThread [0x90D4B090] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwProtectVirtualMemory [0x90D4B0C0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwQueryIntervalProfile [0x90D4B470] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwQueueApcThread [0x90D4B120] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwRequestWaitReplyPort [0x90D4B1D0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwResumeProcess [0x90D4B490] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwResumeThread [0x90D4B1A0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSecureConnectPort [0x90D4B060] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetContextThread [0x90D4B110] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetInformationObject [0x90D4B0B0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetInformationToken [0x90D4B010] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetSystemInformation [0x90D4B160] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSuspendProcess [0x90D4B1C0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSuspendThread [0x90D4B1B0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSystemDebugControl [0x90D4B130] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwTerminateProcess [0x90D4B0D0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwTerminateThread [0x90D4B0E0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwUnmapViewOfSection [0x90D4B190] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwWriteVirtualMemory [0x90D4B0F0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwReplaceKey + 1525 82E84B55 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EBEBB2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 82EC5FBC 4 Bytes [A0, B0, D4, 90] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82EC5FE4 4 Bytes [20, B0, D4, 90] .text ntkrnlpa.exe!KeRemoveQueueEx + 1143 82EC6028 4 Bytes [30, B0, D4, 90] .text ntkrnlpa.exe!KeRemoveQueueEx + 1193 82EC6078 4 Bytes [50, B0, D4, 90] {PUSH EAX; MOV AL, 0xd4; NOP } .text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 82EC60DC 4 Bytes [00, B0, D4, 90] .text ... .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x8B977FEE] ? C:\Users\Lisqui\AppData\Local\Temp\cpuz134\cpuz134_x32.sys System nie może odnaleźć określonej ścieżki. ! ? \Program Files\DAEMON Tools Pro\Engine.dll Nie można odnaleźć określonego pliku. ! ---- User code sections - GMER 2.1 ---- ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avp.exe[1872] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avp.exe[1872] ntdll.dll!NtProtectVirtualMemory 77096000 5 Bytes JMP 6F382DD0 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\ushata.dll ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avp.exe[1872] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: uxtheme.dllunknown module: KERNELBASE.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avp.exe[1872] USER32.dll!NotifyWinEvent + 5B2 76DDD570 4 Bytes [10, 3D, 38, 6F] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avp.exe[1872] USER32.dll!NotifyWinEvent + 6AE 76DDD66C 4 Bytes [C0, 3C, 38, 6F] {SAR BYTE [EAX+EDI], 0x6f} .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2720] ntdll.dll!LdrLoadDll 770B2576 5 Bytes JMP 62C2A8A8 C:\Program Files\Mozilla Firefox\mozglue.dll ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3296] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: uxtheme.dllunknown module: KERNELBASE.dll ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3296] C:\Windows\system32\user32.dll time/date stamp mismatch; unknown module: CFGMGR32.dllunknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3296] user32.dll!LockWindowStation + 1BE 76DC4948 5 Bytes JMP 6F384670 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3296] user32.dll!GetUserObjectInformationA + 82F 76DC79E7 5 Bytes JMP 6F384AE0 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3296] user32.dll!NotifyWinEvent + 5B2 76DDD570 4 Bytes [10, 3D, 38, 6F] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3296] user32.dll!NotifyWinEvent + 6AE 76DDD66C 4 Bytes [C0, 3C, 38, 6F] {SAR BYTE [EAX+EDI], 0x6f} .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3296] user32.dll!SetWindowsHookExA + 21 76DF6D2D 5 Bytes JMP 6F384A60 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3296] user32.dll!SendMessageTimeoutA + 2A 76DF6DD3 5 Bytes JMP 6F3845E0 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3296] user32.dll!GetRawInputDeviceInfoW + 10 76E0CA16 5 Bytes JMP 6F3848B0 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe[3296] user32.dll!GetRawInputDeviceInfoA + E7 76E23C80 5 Bytes JMP 6F384820 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\ushata.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3888] ntdll.dll!LdrLoadDll 770B2576 5 Bytes JMP 62C2A8A8 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5900] ntdll.dll!LdrLoadDll 770B2576 5 Bytes JMP 62C2A8A8 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6864] ntdll.dll!NtCreateFile 770956B0 5 Bytes JMP 5353B983 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6864] ntdll.dll!NtFlushBuffersFile 77095A40 5 Bytes JMP 5353B6C3 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6864] ntdll.dll!NtQueryFullAttributesFile 770960D0 5 Bytes JMP 5353B7F8 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6864] ntdll.dll!NtReadFile 770963A0 5 Bytes JMP 5353B6FD C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6864] ntdll.dll!NtReadFileScatter 770963B0 5 Bytes JMP 538C2E91 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6864] ntdll.dll!NtWriteFile 77096B50 5 Bytes JMP 5353BB27 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6864] ntdll.dll!NtWriteFileGather 77096B60 5 Bytes JMP 538C2EE1 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6864] ntdll.dll!LdrLoadDll 770B2576 5 Bytes JMP 62C2A8A8 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6864] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 75B9952E 7 Bytes JMP 538AB5A5 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6864] kernel32.dll!QueryPerformanceCounter + 13 75B9C535 7 Bytes JMP 538ABFAC C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6864] kernel32.dll!LoadAppInitDlls + 355 75B9F5F6 7 Bytes JMP 5360AFF1 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6864] USER32.dll!GetWindowInfo 76DD4B5E 5 Bytes JMP 5438AE81 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6864] GDI32.dll!GetViewportOrgEx + 26C 771A87DB 7 Bytes JMP 538AAF5D C:\Program Files\Mozilla Firefox\xul.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 866AA1F8 Device \Driver\usbehci \Device\USBPDO-0 8732D1F8 Device \Driver\usbehci \Device\USBPDO-1 8732D1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{9C0D6046-D489-41E8-B593-2578B6488328} 870081F8 AttachedDevice \Driver\tdx \Device\Tcp kltdi.sys Device \Driver\cdrom \Device\CdRom0 86FD31F8 Device \Driver\atapi \Device\Ide\IdePort0 866B31F8 Device \Driver\atapi \Device\Ide\IdePort1 866B31F8 Device \Driver\atapi \Device\Ide\IdePort2 866B31F8 Device \Driver\atapi \Device\Ide\IdePort3 866B31F8 Device \Driver\atapi \Device\Ide\IdePort4 866B31F8 Device \Driver\atapi \Device\Ide\IdePort5 866B31F8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-8 866B31F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-9 866B31F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{9ED84A0E-9BBB-4854-917E-5D90478E0520} 870081F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 870081F8 AttachedDevice \Driver\tdx \Device\Udp kltdi.sys AttachedDevice \Driver\tdx \Device\RawIp kltdi.sys Device \Driver\usbehci \Device\USBFDO-0 8732D1F8 Device \Driver\usbehci \Device\USBFDO-1 8732D1F8 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x866b31f8]<< 866b31f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86c4e030] 86c4e030 Trace 3 CLASSPNP.SYS[8c37559e] -> nt!IofCallDriver -> [0x85d72408] 85d72408 Trace 5 ACPI.sys[8bf413d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T1L0-8[0x86ae0908] 86ae0908 Trace \Driver\atapi[0x86aeae18] -> IRP_MJ_CREATE -> 0x866b31f8 866b31f8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD6 0x8F 0x9E 0x92 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD6 0x8F 0x9E 0x92 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x9B 0xED 0x87 0x81 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xEB 0x54 0x96 0xBD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x3D 0x03 0x3B 0x12 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\sdiagnhost.exe 0xDE 0xF1 0xC5 0x19 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0xCA 0x2A 0x82 0x0F ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\ehshell.exe 0x21 0xA2 0xD0 0xF3 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\mcupdate.exe 0xEE 0x86 0x82 0x57 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\ehrec.exe 0xAD 0xFC 0x7A 0x89 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\mcGlidHost.exe 0x6C 0x24 0x34 0x9B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\mmc.exe 0xCF 0x06 0x00 0xBE ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\wbem\WmiPrvSE.exe 0x1C 0x31 0x1D 0xE5 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 0x4F 0x95 0x7B 0xB3 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Gry\Brothers - A Tale of Two Sons\_CommonRedist\DirectX\Jun2010\DXSETUP.exe 0xB8 0x11 0xD2 0x8D ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Gry\Brothers - A Tale of Two Sons\Binaries\Win32\BrothersLauncher.exe 0x93 0x03 0x7D 0x83 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\O22y Inc\Dragon Age Origins Ultimate Edition\dedaodrm.exe 0x62 0x40 0x1F 0x93 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Lisqui\AppData\Local\Temp\AddInsUpdater.exe 0x47 0xF2 0xF5 0xD9 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Driver Detective\DriversHQ.DriverDetective.Client.exe 0x4D 0xA8 0xA8 0xFD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Driver Detective\Agent.CPU.exe 0xDA 0x62 0x12 0xCE ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Driver Detective\ISUninstall.exe 0xC5 0x01 0x66 0xFD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe 0x28 0x29 0xF6 0x12 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x0B 0xEF 0x1B 0x98 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\rundll32.exe 0x45 0x67 0x63 0xA9 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\msiexec.exe 0xD8 0x53 0x0D 0x66 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 0x83 0x94 0xA0 0x86 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Gry\Brothers - A Tale of Two Sons\Binaries\Win32\Brothers.exe 0x4A 0x26 0x28 0x9C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\wbem\WmiPrvSE.exe 0x92 0x96 0xBE 0x23 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Users\Lisqui\Downloads\FRST.exe 0xC7 0xFC 0xC0 0xBB ... ---- EOF - GMER 2.1 ----