GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-12-08 18:53:21 Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-60A23T0 rev.02.01A02 298,09GB Running: 9ylfu6o6.exe; Driver: C:\Users\ARAMEJ~1\AppData\Local\Temp\pwlirpoc.sys ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackComplete + 1421 828538F5 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82873912 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x88B30B2E] ? system32\drivers\swsedrvr_vt_1_10_0_25.sys System nie moze odnalezc okreslonej sciezki. ! ? C:\Windows\System32\Drivers\agvlfgle.SYS suspicious PE modification ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[308] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 01734AA7 .text C:\Windows\system32\wininit.exe[364] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 003C4AA7 .text C:\Windows\system32\csrss.exe[376] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 02834AA7 .text C:\Windows\system32\winlogon.exe[432] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 00184AA7 .text C:\Windows\system32\services.exe[452] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 001B4AA7 .text ... .text C:\Users\Aramejskie PsP\Desktop\farbar\FRST.exe[612] ntdll.dll!DbgBreakPoint 77B03540 1 Byte [C3] .text C:\Windows\system32\svchost.exe[668] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 00154AA7 .text C:\Windows\system32\Ati2evxx.exe[736] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 00214AA7 .text C:\Windows\System32\svchost.exe[820] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 006A4AA7 .text C:\Windows\System32\svchost.exe[860] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 00104AA7 .text C:\Windows\system32\svchost.exe[888] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 00174AA7 .text ... .text C:\Windows\Explorer.EXE[1392] ntdll.dll!DbgBreakPoint 77B03540 1 Byte [C3] .text C:\Windows\Explorer.EXE[1392] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 05274AA7 .text C:\Windows\Explorer.EXE[1392] SHELL32.dll!SHFormatDrive + A53 760749E8 8 Bytes [80, 11, 03, 65, C0, 11, 03, ...] .text C:\Windows\System32\spoolsv.exe[1456] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 01174AA7 .text C:\Windows\system32\svchost.exe[1492] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 00594AA7 .text C:\Windows\system32\svchost.exe[1580] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 006F4AA7 .text C:\Users\ARAMEJ~1\AppData\Local\Temp\nsc1610.tmp[1612] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 00474AA7 .text C:\Windows\system32\Dwm.exe[1656] ntdll.dll!DbgBreakPoint 77B03540 1 Byte [C3] .text C:\Windows\system32\Dwm.exe[1656] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 00264AA7 .text C:\Program Files\TeamViewer\tv_w32.exe[1688] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 001F4AA7 .text C:\Users\Aramejskie PsP\AppData\Roaming\NetService\netservice.exe[1744] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 001E4AA7 .text C:\Program Files\E8F0E980-1449267636-81DC-39F9-001D6007944C\hnsmB63D.tmp[1792] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 000D4AA7 .text C:\Program Files\E8F0E980-1449267636-81DC-39F9-001D6007944C\jnsv9AA4.tmp[1820] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 00064AA7 .text ... .text C:\Users\Aramejskie PsP\Downloads\9ylfu6o6.exe[2320] ntdll.dll!DbgBreakPoint 77B03540 1 Byte [C3] .text C:\Windows\system32\svchost.exe[2480] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 00134AA7 .text C:\Windows\system32\NOTEPAD.EXE[2492] ntdll.dll!DbgBreakPoint 77B03540 1 Byte [C3] .text C:\Windows\system32\svchost.exe[2544] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 000D4AA7 .text C:\Windows\system32\WUDFHost.exe[2772] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 002B4AA7 .text C:\Program Files\TeamViewer\TeamViewer.exe[2872] ntdll.dll!DbgBreakPoint 77B03540 1 Byte [C3] .text C:\Program Files\TeamViewer\TeamViewer.exe[2872] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 04F64AA7 .text C:\Program Files\Internet Explorer\iexplore.exe[3136] ntdll.dll!DbgBreakPoint 77B03540 1 Byte [C3] .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!UnhookWindowsHookEx 76E1CC7B 5 Bytes JMP 69FB7E18 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!CallNextHookEx 76E1CC8F 5 Bytes JMP 69F994EC C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!SystemParametersInfoW 76E1EEE1 6 Bytes PUSH 041C9114; RET .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!CreateWindowExW 76E20E51 5 Bytes JMP 69FA7AA7 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!SetWindowsHookExW 76E2210A 5 Bytes JMP 69F54243 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!GetForegroundWindow 76E2565D 6 Bytes PUSH 041C44DC; RET .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!IsWindowVisible 76E26939 6 Bytes PUSH 041CA7B4; RET .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!DrawTextExW 76E27BDD 6 Bytes PUSH 041C624C; RET .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!GetSystemMetrics 76E28409 6 Bytes PUSH 041C502C; RET .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!MessageBeep 76E444F7 6 Bytes PUSH 042118EC; RET .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!DialogBoxIndirectParamW 76E44AA7 1 Byte [E9] .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!DialogBoxIndirectParamW 76E44AA7 5 Bytes JMP 6A0F58AB C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!DialogBoxParamW 76E4564A 5 Bytes JMP 69EC490B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!DialogBoxParamA 76E5CF6A 5 Bytes JMP 6A0F5848 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!DialogBoxIndirectParamA 76E5D29C 5 Bytes JMP 6A0F590E C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!MessageBoxIndirectA 76E6E8C9 5 Bytes JMP 6A0F57DD C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!MessageBoxIndirectW 76E6E9C3 5 Bytes JMP 6A0F5772 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!MessageBoxExA 76E6EA29 5 Bytes JMP 6A0F5710 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!MessageBoxExW 76E6EA4D 5 Bytes JMP 6A0F56AE C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3136] GDI32.dll!GetDeviceCaps 77446E03 6 Bytes PUSH 041C9C64; RET .text C:\Program Files\Internet Explorer\iexplore.exe[3136] ole32.dll!OleLoadFromStream 777D5B88 5 Bytes JMP 6A0F5B74 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3136] ole32.dll!CoCreateInstance 778257FC 5 Bytes JMP 69FA8595 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3136] wininet.dll!HttpOpenRequestA 7795043A 6 Bytes PUSH 041CB304; RET .text C:\Program Files\Internet Explorer\iexplore.exe[3136] wininet.dll!HttpOpenRequestW 77950613 6 Bytes PUSH 041CBE54; RET .text C:\Program Files\Internet Explorer\iexplore.exe[3136] ws2_32.dll!WSASend 76DC68A7 6 Bytes PUSH 041C026C; RET .text C:\Program Files\Internet Explorer\iexplore.exe[3136] ws2_32.dll!send 76DCC4C8 6 Bytes PUSH 041BF71C; RET .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE[3164] ntdll.dll!DbgBreakPoint 77B03540 1 Byte [C3] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE[3164] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 03CA4AA7 .text C:\Windows\System32\regsvr32.exe[3372] ntdll.dll!DbgBreakPoint 77B03540 1 Byte [C3] .text C:\Windows\System32\regsvr32.exe[3372] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 00634AA7 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!DbgBreakPoint 77B03540 1 Byte [C3] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtMapViewOfSection + 6 77B15076 4 Bytes [18, 20, F9, 6E] {SBB [EAX], AH; STC ; OUTS DX, BYTE [ESI]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3712] ntdll.dll!NtMapViewOfSection + B 77B1507B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtCreateFile + 6 77B14A16 4 Bytes [28, C8, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtCreateFile + B 77B14A1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtMapViewOfSection + 6 77B15076 4 Bytes [28, CB, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtMapViewOfSection + B 77B1507B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtOpenFile + 6 77B15126 4 Bytes [68, C8, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtOpenFile + B 77B1512B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtOpenProcess + 6 77B151D6 4 Bytes [A8, C9, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtOpenProcess + B 77B151DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtOpenProcessToken + 6 77B151E6 4 Bytes CALL 76B1C0B4 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtOpenProcessToken + B 77B151EB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtOpenProcessTokenEx + 6 77B151F6 4 Bytes [A8, CA, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtOpenProcessTokenEx + B 77B151FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtOpenThread + 6 77B15256 4 Bytes [68, C9, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtOpenThread + B 77B1525B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtOpenThreadToken + 6 77B15266 4 Bytes [68, CA, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtOpenThreadToken + B 77B1526B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtOpenThreadTokenEx + 6 77B15276 4 Bytes CALL 76B1C145 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtOpenThreadTokenEx + B 77B1527B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtQueryAttributesFile + 6 77B15386 4 Bytes [A8, C8, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtQueryAttributesFile + B 77B1538B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtQueryFullAttributesFile + 6 77B15436 4 Bytes CALL 76B1C303 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtQueryFullAttributesFile + B 77B1543B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtSetInformationFile + 6 77B15A86 4 Bytes [28, C9, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtSetInformationFile + B 77B15A8B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtSetInformationThread + 6 77B15AE6 4 Bytes [28, CA, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtSetInformationThread + B 77B15AEB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtUnmapViewOfSection + 6 77B15E06 4 Bytes [68, CB, 6E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3880] ntdll.dll!NtUnmapViewOfSection + B 77B15E0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!DbgBreakPoint 77B03540 1 Byte [C3] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtMapViewOfSection + 6 77B15076 4 Bytes [18, 20, F9, 6E] {SBB [EAX], AH; STC ; OUTS DX, BYTE [ESI]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtMapViewOfSection + B 77B1507B 1 Byte [E2] .text C:\Program Files\Internet Explorer\iexplore.exe[4224] ntdll.dll!DbgBreakPoint 77B03540 1 Byte [C3] .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!CreateWindowExW 76E20E51 5 Bytes JMP 69FA7AA7 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!DialogBoxIndirectParamW 76E44AA7 1 Byte [E9] .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!DialogBoxIndirectParamW 76E44AA7 5 Bytes JMP 6A0F58AB C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!DialogBoxParamW 76E4564A 5 Bytes JMP 69EC490B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!DialogBoxParamA 76E5CF6A 5 Bytes JMP 6A0F5848 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!DialogBoxIndirectParamA 76E5D29C 5 Bytes JMP 6A0F590E C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!MessageBoxIndirectA 76E6E8C9 5 Bytes JMP 6A0F57DD C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!MessageBoxIndirectW 76E6E9C3 5 Bytes JMP 6A0F5772 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!MessageBoxExA 76E6EA29 5 Bytes JMP 6A0F5710 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!MessageBoxExW 76E6EA4D 5 Bytes JMP 6A0F56AE C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4224] ole32.dll!OleLoadFromStream 777D5B88 5 Bytes JMP 6A0F5B74 C:\Windows\system32\IEFRAME.dll .text C:\Windows\system32\NOTEPAD.EXE[4300] ntdll.dll!DbgBreakPoint 77B03540 1 Byte [C3] .text C:\Users\ARAMEJ~1\AppData\Local\Temp\wk2_IFq2gOHmGuE8.tmp[5060] ntdll.dll!DbgBreakPoint 77B03540 1 Byte [C3] .text C:\Windows\system32\SearchIndexer.exe[6216] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 02F64AA7 .text C:\Program Files\Internet Explorer\iexplore.exe[6828] ntdll.dll!DbgBreakPoint 77B03540 1 Byte [C3] .text C:\Program Files\Internet Explorer\iexplore.exe[6828] USER32.dll!CreateWindowExW 76E20E51 5 Bytes JMP 69FA7AA7 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6828] USER32.dll!DialogBoxIndirectParamW 76E44AA7 1 Byte [E9] .text C:\Program Files\Internet Explorer\iexplore.exe[6828] USER32.dll!DialogBoxIndirectParamW 76E44AA7 5 Bytes JMP 6A0F58AB C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6828] USER32.dll!DialogBoxParamW 76E4564A 5 Bytes JMP 69EC490B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6828] USER32.dll!DialogBoxParamA 76E5CF6A 5 Bytes JMP 6A0F5848 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6828] USER32.dll!DialogBoxIndirectParamA 76E5D29C 5 Bytes JMP 6A0F590E C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6828] USER32.dll!MessageBoxIndirectA 76E6E8C9 5 Bytes JMP 6A0F57DD C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6828] USER32.dll!MessageBoxIndirectW 76E6E9C3 5 Bytes JMP 6A0F5772 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6828] USER32.dll!MessageBoxExA 76E6EA29 5 Bytes JMP 6A0F5710 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6828] USER32.dll!MessageBoxExW 76E6EA4D 5 Bytes JMP 6A0F56AE C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[6828] ole32.dll!OleLoadFromStream 777D5B88 5 Bytes JMP 6A0F5B74 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7108] ntdll.dll!DbgBreakPoint 77B03540 1 Byte [C3] .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!UnhookWindowsHookEx 76E1CC7B 5 Bytes JMP 69FB7E18 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!CallNextHookEx 76E1CC8F 5 Bytes JMP 69F994EC C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!SystemParametersInfoW 76E1EEE1 6 Bytes PUSH 018A9114; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!CreateWindowExW 76E20E51 5 Bytes JMP 69FA7AA7 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!SetWindowsHookExW 76E2210A 5 Bytes JMP 69F54243 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!GetForegroundWindow 76E2565D 6 Bytes PUSH 018A44DC; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!IsWindowVisible 76E26939 6 Bytes PUSH 018AA7B4; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!DrawTextExW 76E27BDD 6 Bytes PUSH 018A624C; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!GetSystemMetrics 76E28409 6 Bytes PUSH 018A502C; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!MessageBeep 76E444F7 6 Bytes PUSH 018F18EC; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!DialogBoxIndirectParamW 76E44AA7 1 Byte [E9] .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!DialogBoxIndirectParamW 76E44AA7 5 Bytes JMP 6A0F58AB C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!DialogBoxParamW 76E4564A 5 Bytes JMP 69EC490B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!DialogBoxParamA 76E5CF6A 5 Bytes JMP 6A0F5848 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!DialogBoxIndirectParamA 76E5D29C 5 Bytes JMP 6A0F590E C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!MessageBoxIndirectA 76E6E8C9 5 Bytes JMP 6A0F57DD C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!MessageBoxIndirectW 76E6E9C3 5 Bytes JMP 6A0F5772 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!MessageBoxExA 76E6EA29 5 Bytes JMP 6A0F5710 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7108] USER32.dll!MessageBoxExW 76E6EA4D 5 Bytes JMP 6A0F56AE C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7108] GDI32.dll!GetDeviceCaps 77446E03 6 Bytes PUSH 018A9C64; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7108] ole32.dll!OleLoadFromStream 777D5B88 5 Bytes JMP 6A0F5B74 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7108] ole32.dll!CoCreateInstance 778257FC 5 Bytes JMP 69FA8595 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[7108] wininet.dll!HttpOpenRequestA 7795043A 6 Bytes PUSH 018AB304; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7108] wininet.dll!HttpOpenRequestW 77950613 6 Bytes PUSH 018ABE54; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7108] ws2_32.dll!WSASend 76DC68A7 6 Bytes PUSH 018A026C; RET .text C:\Program Files\Internet Explorer\iexplore.exe[7108] ws2_32.dll!send 76DCC4C8 6 Bytes PUSH 0189F71C; RET .text C:\Windows\system32\taskmgr.exe[7336] ntdll.dll!DbgBreakPoint 77B03540 1 Byte [C3] .text C:\Windows\system32\taskmgr.exe[7336] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 01934AA7 .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[7756] ntdll.dll!DbgBreakPoint 77B03540 1 Byte [C3] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[7756] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 046C4AA7 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7940] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 008C4AA7 .text C:\Windows\System32\svchost.exe[8144] USER32.dll!TranslateMessage 76E2910F 5 Bytes JMP 00184AA7 ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 847A11E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{E7A81199-F178-45BE-AFC9-402577ECEE41} 857161E8 Device \Driver\usbohci \Device\USBPDO-0 8577D1E8 Device \Driver\usbohci \Device\USBPDO-1 8577D1E8 Device \Driver\usbohci \Device\USBPDO-2 8577D1E8 Device \Driver\usbohci \Device\USBPDO-3 8577D1E8 Device \Driver\usbohci \Device\USBPDO-4 8577D1E8 AttachedDevice \Driver\tdx \Device\Tcp swsedrvr_vt_1_10_0_25.sys Device \Driver\usbehci \Device\USBPDO-5 857771E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{0C6884CE-47C7-4FB8-9EB8-E1EC922A563A} 857161E8 Device \Driver\BTHUSB \Device\00000071 bthport.sys Device \Driver\cdrom \Device\CdRom0 856A51E8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8479F1E8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-3 8479F1E8 Device \Driver\atapi \Device\Ide\IdePort0 8479F1E8 Device \Driver\atapi \Device\Ide\IdePort1 8479F1E8 Device \Driver\atapi \Device\Ide\IdePort2 8479F1E8 Device \Driver\atapi \Device\Ide\IdePort3 8479F1E8 Device \Driver\cdrom \Device\CdRom1 856A51E8 Device \Driver\NetBT \Device\NetBt_Wins_Export 857161E8 AttachedDevice \Driver\tdx \Device\Udp swsedrvr_vt_1_10_0_25.sys Device \Driver\usbohci \Device\USBFDO-0 8577D1E8 Device \Driver\USBSTOR \Device\0000006d 8582A1E8 Device \Driver\usbohci \Device\USBFDO-1 8577D1E8 Device \Driver\USBSTOR \Device\0000006e 8582A1E8 Device \Driver\usbohci \Device\USBFDO-2 8577D1E8 Device \Driver\BTHUSB \Device\0000006f bthport.sys Device \Driver\usbohci \Device\USBFDO-3 8577D1E8 Device \Driver\usbohci \Device\USBFDO-4 8577D1E8 Device \Driver\usbehci \Device\USBFDO-5 857771E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{937879C4-134C-4F1D-AE74-5EEBED85A401} 857161E8 Device \Driver\agvlfgle \Device\Scsi\agvlfgle1Port4Path0Target0Lun0 857D41E8 Device \Driver\agvlfgle \Device\Scsi\agvlfgle1 857D41E8 Device \FileSystem\cdfs \Cdfs 862D5430 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x8479f1e8]<< 8479f1e8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x854e98a0] 854e98a0 Trace 3 CLASSPNP.SYS[892d059e] -> nt!IofCallDriver -> [0x8555c918] 8555c918 Trace 5 ACPI.sys[88b5d3b2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x854cf908] 854cf908 Trace \Driver\atapi[0x8547ca18] -> IRP_MJ_CREATE -> 0x8479f1e8 8479f1e8 ---- Processes - GMER 2.1 ---- Library C:\Program Files\AVG\Framework\Common\avgsvcx.exe (*** hidden *** ) @ C:\Program Files\AVG\Framework\Common\avgsvcx.exe [6208] 0x00A60000 Library C:\Program Files\AVG\Framework\Common\avgsysx.fmw.1.dll (*** hidden *** ) @ C:\Program Files\AVG\Framework\Common\avgsvcx.exe [6208] 0x683A0000 Library C:\Program Files\AVG\Framework\Common\avgntopensslx.fmw.1.dll (*** hidden *** ) @ C:\Program Files\AVG\Framework\Common\avgsvcx.exe [6208] 0x662B0000 Library C:\Program Files\AVG\Framework\1\avgcmlx.dll (*** hidden *** ) @ C:\Program Files\AVG\Framework\Common\avgsvcx.exe [6208] 0x68210000 Library C:\Program Files\AVG\Framework\1\avglogx.dll (*** hidden *** ) @ C:\Program Files\AVG\Framework\Common\avgsvcx.exe [6208] 0x6BE70000 Library C:\Program Files\AVG\Framework\1\avgcommx.dll (*** hidden *** ) @ C:\Program Files\AVG\Framework\Common\avgsvcx.exe [6208] 0x68120000 Library C:\Program Files\AVG\Framework\1\avgmsgdispx.dll (*** hidden *** ) @ C:\Program Files\AVG\Framework\Common\avgsvcx.exe [6208] 0x661D0000 Library C:\Program Files\AVG\Framework\1\avgsvcfmwplgx.dll (*** hidden *** ) @ C:\Program Files\AVG\Framework\Common\avgsvcx.exe [6208] 0x5F5A0000 Library C:\Program Files\AVG\Framework\1\avgnetclix.dll (*** hidden *** ) @ C:\Program Files\AVG\Framework\Common\avgsvcx.exe [6208] 0x65900000 Library C:\Program Files\AVG\Framework\1\avgopensslx.fmw.1.dll (*** hidden *** ) @ C:\Program Files\AVG\Framework\Common\avgsvcx.exe [6208] 0x6EF10000 Library C:\Program Files\AVG\Framework\Common\avgfmwbasex.dll (*** hidden *** ) @ C:\Program Files\AVG\Framework\Common\avgsvcx.exe [6208] 0x5F470000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001d604c86a6 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0x80 0x3C 0x47 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF0 0xFA 0x60 0x14 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x6B 0x63 0x36 0xFF ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001d604c86a6 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0x80 0x3C 0x47 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF0 0xFA 0x60 0x14 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xC9 0x88 0x76 0xB0 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe 0x17 0x98 0x3B 0x38 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe 0xB7 0xFB 0x5F 0x94 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0xBE 0xD2 0x6A 0xCD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 0x10 0x21 0xCA 0x21 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 0x44 0xEF 0x01 0xD5 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Wooden Seal\bin\utilWoodenSeal.exe 0x53 0xDB 0xFE 0xB9 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\SwiftSearch_1.10.0.25\Update\SwiftSearchAutoUpdateClient.exe 0x3C 0x52 0xFC 0xB6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\rundll32.exe 0x4B 0x1E 0xA7 0xB1 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\fsd365.exe 0x82 0xC1 0x69 0xBE ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\nsp8644.tmp\dlmgn.exe 0xA3 0x85 0x0E 0x43 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\fsdF565.exe 0xAD 0x07 0x0D 0xF2 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\nse7FD5.tmp\dlmgn.exe 0x02 0x9E 0x4C 0x76 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\nsv9ADC.tmp\dlmgn.exe 0xF9 0x74 0xC7 0xA7 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\avg7B52.exe 0x92 0x0B 0xD6 0x8A ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Aramejskie PsP\AppData\Local\Temp\f9626892-7a78-3199-abd2-97bbce96297b\adv_154.exe 0xE7 0x78 0xB6 0x93 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\fsd38B6.exe 0xFB 0x23 0x6F 0xAA ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\nsm7715.tmp\dlmgn.exe 0x81 0xB0 0x97 0x4C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\nsh7492.tmp\dlmgn.exe 0xD1 0xFB 0x88 0x79 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\fsdB8FB.exe 0x74 0x9F 0x3E 0x68 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\fsdB014.exe 0x30 0x51 0x03 0xCC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\nsfC146.tmp\dlmgn.exe 0xEE 0x34 0x21 0x77 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\fsd4A51.exe 0xBD 0xA8 0xB2 0xB3 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\fsdF98C.exe 0x77 0x51 0xED 0x80 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Aramejskie PsP\Desktop\farbar\FRST.exe 0x53 0x28 0x61 0x99 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@F01F674C 30 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@KdjSaS011arbaaa1z C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arbaaaa1z.exe(2015-12-06 21:16:15) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@djSaS011arbaaa1za13a1 C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-186117711\djSaS011arbaaaa1za13a1.exe(2015-12-06 21:16:34) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@KdjSaS011arbaaa1za13a C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arbaaaa1za13a.exe(2015-12-06 21:16:52) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@KdjSaS011ar C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011ar.exe(2015-12-06 21:17:11) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@KdjSaS011arh C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arh.exe(2015-12-06 21:17:30) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@KdjSaS011arhaaa C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arhaaaa.exe(2015-12-06 21:17:54) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@djSaS01121za13a1a C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611127711\djSaS011a12a13a1a.exe(2015-12-06 21:18:19) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@a12121zq C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-186171411\854561araaq.exe(2015-12-06 21:18:40) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@we121za13a1ab C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18623451\we1a12a13a1ab.exe(2015-12-06 21:19:03) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@we121za13a1abab C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1862314511\we1a12a13a1abavb.exe(2007-12-20 23:04:20) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@we121za13a1abab1 C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18623145111\we1a12a13a1abavb1.exe(2007-12-20 23:04:46) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@we121za13a1abab1ab C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1862314511111\we1a12a13a1abavb1ab.exe(2007-12-20 23:04:43) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@we121za13a1abab1a C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-186231451111\we1a12a13a1abavb1a.exe(2007-12-20 23:05:05) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce@KdjSaS011arbaaa1z C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arbaaaa1z.exe(2015-12-06 21:16:15) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce@KdjSaS011arhaaa C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arhaaaa.exe(2015-12-06 21:17:54) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce@djSaS011arbaaa1za13a1 C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-186117711\djSaS011arbaaaa1za13a1.exe(2015-12-06 21:16:34) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce@KdjSaS011arbaaa1za13a C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arbaaaa1za13a.exe(2015-12-06 21:16:52) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce@we121za13a1ab C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18623451\we1a12a13a1ab.exe(2015-12-06 21:19:03) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce@KdjSaS011ar C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011ar.exe(2015-12-06 21:17:11) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce@djSaS01121za13a1a C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611127711\djSaS011a12a13a1a.exe(2015-12-06 21:18:19) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce@KdjSaS011arh C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arh.exe(2015-12-06 21:17:30) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce@a12121zq C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-186171411\854561araaq.exe(2015-12-06 21:18:40) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce@we121za13a1abab1 C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18623145111\we1a12a13a1abavb1.exe(2007-12-20 23:04:46) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce@we121za13a1abab C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1862314511\we1a12a13a1abavb.exe(2007-12-20 23:04:20) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce@we121za13a1abab1ab C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1862314511111\we1a12a13a1abavb1ab.exe(2007-12-20 23:04:43) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce@we121za13a1abab1a C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-186231451111\we1a12a13a1abavb1a.exe(2007-12-20 23:05:05) ---- EOF - GMER 2.1 ----