GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-02-14 20:06:50
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST925082 rev.3.CM 232,89GB
Running: 3ml751v3.exe; Driver: C:\Users\marek\AppData\Local\Temp\pwdoypog.sys

---- System - GMER 2.1 ----

INT 0x51 ? 86335BF8
INT 0x51 ? 87F53F00
INT 0x51 ? 87F53F00
INT 0x51 ? 86335BF8
INT 0x72 ? 87F53F00
INT 0x82 ? 87F53F00
INT 0x92 ? 87F53F00
INT 0xA2 ? 87F53F00
INT 0xA2 ? 87F53F00

---- Kernel code sections - GMER 2.1 ----

? System32\Drivers\spwf.sys System nie może odnaleźć określonej ścieżki. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8F201340, 0x3E9407, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1332] ntdll.dll!RtlExitUserThread 77961C8B 5 Bytes JMP 6B45F947 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] kernel32.dll!TerminateThread 77AE457E 5 Bytes JMP 6B45F960 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] kernel32.dll!CreateThread 77AECCF6 5 Bytes JMP 6B2C7463 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!EnableWindow 7614CD8B 5 Bytes JMP 6B30A1EC C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!DefWindowProcA 7614DB88 7 Bytes JMP 6B2C9695 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!CreateWindowExA 7614DC2A 5 Bytes JMP 6B2D34B3 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!CreateWindowExW 76151305 5 Bytes JMP 6B32FFBB C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!DefWindowProcW 761603B4 7 Bytes JMP 6B327C92 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!DialogBoxParamW 761710B0 5 Bytes JMP 6B26187B C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!DialogBoxIndirectParamW 76172EF5 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!DialogBoxIndirectParamW 76172EF5 5 Bytes JMP 6B45F2F9 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!DialogBoxParamA 761881BC 5 Bytes JMP 6B45F294 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!DialogBoxIndirectParamA 761884E7 5 Bytes JMP 6B45F35E C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!MessageBoxIndirectA 7619D549 5 Bytes JMP 6B45F21B C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!MessageBoxIndirectW 7619D643 5 Bytes JMP 6B45F1A2 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!MessageBoxExA 7619D6A9 5 Bytes JMP 6B45F13E C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!MessageBoxExW 7619D6CD 5 Bytes JMP 6B45F0DA C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] ole32.dll!OleLoadFromStream 77591E80 5 Bytes JMP 6B45FB47 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5832] ntdll.dll!LdrLoadDll 779493BE 5 Bytes JMP 748D2065 C:\Program Files\Mozilla Thunderbird\mozglue.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5832] ntdll.dll!NtCreateFile 7798433C 5 Bytes JMP 571ECC35 C:\Program Files\Mozilla Thunderbird\xul.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5832] ntdll.dll!NtFlushBuffersFile 7798483C 5 Bytes JMP 571ECCB8 C:\Program Files\Mozilla Thunderbird\xul.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5832] ntdll.dll!NtQueryFullAttributesFile 77984D6C 5 Bytes JMP 571ECCED C:\Program Files\Mozilla Thunderbird\xul.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5832] ntdll.dll!NtReadFile 77984F9C 5 Bytes JMP 571ECD55 C:\Program Files\Mozilla Thunderbird\xul.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5832] ntdll.dll!NtReadFileScatter 77984FAC 5 Bytes JMP 571ECDA0 C:\Program Files\Mozilla Thunderbird\xul.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5832] ntdll.dll!NtWriteFile 779855AC 5 Bytes JMP 571ECDEB C:\Program Files\Mozilla Thunderbird\xul.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5832] ntdll.dll!NtWriteFileGather 779855BC 5 Bytes JMP 571ECE36 C:\Program Files\Mozilla Thunderbird\xul.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5832] kernel32.dll!HeapSetInformation + 26 77ACA9A0 7 Bytes JMP 58299BD6 C:\Program Files\Mozilla Thunderbird\xul.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5832] kernel32.dll!LockResource + C 77AE6C73 7 Bytes JMP 571B7DE5 C:\Program Files\Mozilla Thunderbird\xul.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5832] kernel32.dll!VirtualAllocEx + 54 77AEB0F0 7 Bytes JMP 571BB6CC C:\Program Files\Mozilla Thunderbird\xul.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5832] USER32.dll!GetWindowInfo 7615428E 5 Bytes JMP 57E492DD C:\Program Files\Mozilla Thunderbird\xul.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5832] GDI32.dll!Rectangle + AE 75FE7C4F 7 Bytes JMP 571B520F C:\Program Files\Mozilla Thunderbird\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6180] kernel32.dll!HeapSetInformation + 26 77ACA9A0 7 Bytes JMP 54F95747 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6180] kernel32.dll!LockResource + C 77AE6C73 7 Bytes JMP 552250C2 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6180] kernel32.dll!VirtualAllocEx + 54 77AEB0F0 7 Bytes JMP 55225ABC C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6180] USER32.dll!CreateWindowExA 7614DC2A 5 Bytes JMP 5530B40F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6180] USER32.dll!CreateWindowExW 76151305 5 Bytes JMP 54F732C7 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6180] USER32.dll!GetWindowInfo 7615428E 5 Bytes JMP 55D33F44 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6180] GDI32.dll!Rectangle + AE 75FE7C4F 7 Bytes JMP 552249EB C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[7948] USER32.dll!CreateWindowExA 7614DC2A 5 Bytes JMP 5530B40F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[7948] USER32.dll!InSendMessageEx + 4C9 7614E7C8 7 Bytes JMP 55BFF0B9 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[7948] USER32.dll!CreateWindowExW 76151305 5 Bytes JMP 54F732C7 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[7948] USER32.dll!CreateWindowExW + AA 761513AF 7 Bytes JMP 55BFF18E C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[7948] USER32.dll!GetWindowInfo 7615428E 5 Bytes JMP 55C01162 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[7948] USER32.dll!SetMenuItemBitmaps + 71 761614EE 1 Byte [E9]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[7948] USER32.dll!SetMenuItemBitmaps + 71 761614EE 7 Bytes JMP 55BFF883 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtCreateFile + 6 77984342 4 Bytes [28, F8, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtCreateFile + B 77984347 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtCreateKey + 6 77984382 4 Bytes [68, F9, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtCreateKey + B 77984387 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtCreateMutant + 6 779843B2 4 Bytes [28, FA, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtCreateMutant + B 779843B7 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtCreateSection + 6 77984432 4 Bytes [68, FA, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtCreateSection + B 77984437 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtMapViewOfSection + 6 77984A92 4 Bytes [A8, FC, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtMapViewOfSection + B 77984A97 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenFile + 6 77984B22 4 Bytes [68, F8, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenFile + B 77984B27 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenKey + 6 77984B52 4 Bytes [A8, F9, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenKey + B 77984B57 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenMutant + 6 77984B72 4 Bytes CALL 76985270 C:\Windows\system32\SHELL32.dll
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenMutant + B 77984B77 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenProcess + 6 77984BA2 4 Bytes [28, FB, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenProcess + B 77984BA7 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenProcessToken + 6 77984BB2 4 Bytes [68, FB, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenProcessToken + B 77984BB7 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenProcessTokenEx + 6 77984BC2 4 Bytes [28, FC, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenProcessTokenEx + B 77984BC7 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenSection + 6 77984BD2 4 Bytes [A8, FA, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenSection + B 77984BD7 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenThread + 6 77984C12 4 Bytes CALL 76985311 C:\Windows\system32\SHELL32.dll
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenThread + B 77984C17 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenThreadToken + 6 77984C22 4 Bytes CALL 76985322 C:\Windows\system32\SHELL32.dll
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenThreadToken + B 77984C27 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenThreadTokenEx + 6 77984C32 4 Bytes [68, FC, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtOpenThreadTokenEx + B 77984C37 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtQueryAttributesFile + 6 77984CC2 4 Bytes [A8, F8, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtQueryAttributesFile + B 77984CC7 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtQueryFullAttributesFile + 6 77984D72 4 Bytes CALL 7698546F C:\Windows\system32\SHELL32.dll
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtQueryFullAttributesFile + B 77984D77 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtSetInformationFile + 6 77985252 4 Bytes [28, F9, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtSetInformationFile + B 77985257 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtSetInformationThread + 6 779852A2 4 Bytes [A8, FB, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtSetInformationThread + B 779852A7 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtUnmapViewOfSection + 6 77985542 4 Bytes CALL 76985C43 C:\Windows\system32\SHELL32.dll
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ntdll.dll!NtUnmapViewOfSection + B 77985547 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] kernel32.dll!CreateProcessW 77AA1BF3 5 Bytes JMP 000800B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] kernel32.dll!CreateProcessA 77AA1C28 5 Bytes JMP 000800F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] kernel32.dll!OpenEventW 77ABC033 5 Bytes JMP 00080070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] kernel32.dll!CreateEventW 77AEB9FE 5 Bytes JMP 00080030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!DeleteObject 75FE5A37 5 Bytes JMP 000B01B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!GetDeviceCaps 75FE617F 5 Bytes JMP 000B03B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!SelectObject 75FE62A0 5 Bytes JMP 000B05F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!SetTextColor 75FE666B 5 Bytes JMP 000B0A30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!SetBkMode 75FE6716 5 Bytes JMP 000B08F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!DeleteDC 75FE68CD 5 Bytes JMP 000B0170
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!GetCurrentObject 75FE6B58 5 Bytes JMP 000B0370
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!SetStretchBltMode 75FE7206 5 Bytes JMP 000B06B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!SaveDC 75FE754D 5 Bytes JMP 000B0570
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!RestoreDC 75FE7608 5 Bytes JMP 000B0530
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!StretchDIBits 75FE783D 5 Bytes JMP 000B0770
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!ExtSelectClipRgn 75FE7966 5 Bytes JMP 000B02F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!SelectClipRgn 75FE7A67 5 Bytes JMP 000B05B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!Rectangle 75FE7BA1 5 Bytes JMP 000B09B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!GetTextAlign 75FE8180 5 Bytes JMP 000B0D70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!SetTextAlign 75FE846B 5 Bytes JMP 000B09F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!ExtTextOutW 75FE8501 5 Bytes JMP 000B0970
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!MoveToEx 75FE8806 5 Bytes JMP 000B0470
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!GetTextMetricsW 75FE8A3E 5 Bytes JMP 000B0E30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!IntersectClipRect 75FE8B21 5 Bytes JMP 000B03F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!GetClipBox 75FE902E 5 Bytes JMP 000B0330
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!SetICMMode 75FE94A4 5 Bytes JMP 000B0DB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!CreateDCW 75FEA8D5 5 Bytes JMP 000B00F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!CreateDCA 75FEAA01 5 Bytes JMP 000B00B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!CreateICW 75FEB2A1 5 Bytes JMP 000B0130
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!GetTextFaceW 75FEB5EF 5 Bytes JMP 000B0D30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!GetFontData 75FEBA24 5 Bytes JMP 000B0C70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!GetTextExtentPoint32W 75FEBFD2 5 Bytes JMP 000B0670
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!SetWorldTransform 75FEC422 5 Bytes JMP 000B06F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!LineTo 75FEC616 5 Bytes JMP 000B0430
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!GetTextMetricsA 75FECCA3 5 Bytes JMP 000B0DF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!ExtTextOutA 75FF0141 5 Bytes JMP 000B0930
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!ExtEscape 75FF224F 5 Bytes JMP 000B02B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!Escape 75FF2799 5 Bytes JMP 000B0270
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!ResetDCW 75FF30DA 5 Bytes JMP 000B0AB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!EndPage 75FF3706 5 Bytes JMP 000B0230
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!SetPolyFillMode 75FF617B 5 Bytes JMP 000B0B30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!SetMiterLimit 75FF628A 5 Bytes JMP 000B0B70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!GetTextFaceA 75FFF596 5 Bytes JMP 000B0CF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!GetTextExtentPoint32A 75FFF90A 5 Bytes JMP 000B0630
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!GetGlyphOutlineW 7600A5F7 5 Bytes JMP 000B0CB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!CreateScalableFontResourceW 7600CA53 5 Bytes JMP 000B0BB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!AddFontResourceW 7600CE5B 5 Bytes JMP 000B0BF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!RemoveFontResourceW 7600D2F1 5 Bytes JMP 000B0C30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!AbortDoc 76012FC8 5 Bytes JMP 000B0030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!EndDoc 760133DC 5 Bytes JMP 000B01F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!StartPage 760134C7 5 Bytes JMP 000B0730
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!StartDocW 76013FAB 5 Bytes JMP 000B07F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!BeginPath 76014765 5 Bytes JMP 000B0830
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!SelectClipPath 760147BC 5 Bytes JMP 000B0AF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!CloseFigure 76014817 5 Bytes JMP 000B0070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!EndPath 7601486E 5 Bytes JMP 000B0A70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!StrokePath 76014AA0 5 Bytes JMP 000B07B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!FillPath 76014B2C 5 Bytes JMP 000B0870
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!PolylineTo 76014F95 5 Bytes JMP 000B04F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!PolyBezierTo 76015025 5 Bytes JMP 000B04B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] GDI32.dll!PolyDraw 760150D6 5 Bytes JMP 000B08B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!SetCursor 7614D37D 5 Bytes JMP 000C0530
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!RegisterClipboardFormatW 7614D6AC 1 Byte [E9]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!RegisterClipboardFormatW 7614D6AC 5 Bytes JMP 000C02B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!ActivateKeyboardLayout 7615478C 5 Bytes JMP 000C04F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!IsWindowVisible 7615878A 7 Bytes JMP 000C06B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!MonitorFromWindow 761588D4 4 Bytes JMP 000C0630
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!MonitorFromWindow + 5 761588D9 2 Bytes [CC, CC] {INT 3 ; INT 3 }
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!ScreenToClient 76158C56 7 Bytes JMP 000C0670
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!GetClientRect 76158F0D 7 Bytes JMP 000C05B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!GetParent 761590AA 7 Bytes JMP 000C06F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!RegisterClipboardFormatA 7615A111 5 Bytes JMP 000C02F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!PostMessageW 7615A175 5 Bytes JMP 000C05F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!MapWindowPoints 7615A30D 5 Bytes JMP 000C0570
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!GetClipboardFormatNameA 7615A552 5 Bytes JMP 000C0270
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!GetOpenClipboardWindow 761626A6 5 Bytes JMP 000C03F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!SetClipboardViewer 7616BA2D 5 Bytes JMP 000C04B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!IsClipboardFormatAvailable 7616C2E3 5 Bytes JMP 000C00F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!CloseClipboard 7616C2F7 5 Bytes JMP 000C00B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!OpenClipboard 7616C31D 5 Bytes JMP 000C0070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!GetTopWindow 7616CE0A 7 Bytes JMP 000C0730
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!GetClipboardSequenceNumber 7616D8B7 5 Bytes JMP 000C0330
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!ChangeClipboardChain 7616DF83 5 Bytes JMP 000C0430
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!CountClipboardFormats 76170048 5 Bytes JMP 000C01F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!GetClipboardOwner 761726EF 5 Bytes JMP 000C0370
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!SetClipboardData 761863F8 5 Bytes JMP 000C0170
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!EnumClipboardFormats 76186D6D 5 Bytes JMP 000C01B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!SetCursorPos 76187009 5 Bytes JMP 000C0770
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!GetClipboardData 761871B9 5 Bytes JMP 000C0030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!GetClipboardFormatNameW 7618AA0F 5 Bytes JMP 000C0230
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!EmptyClipboard 761A39EF 5 Bytes JMP 000C0130
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!GetClipboardViewer 761A3A51 5 Bytes JMP 000C0470
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] USER32.dll!GetPriorityClipboardFormat 761A3B53 5 Bytes JMP 000C03B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ole32.dll!OleGetClipboard 775E73F1 5 Bytes JMP 000D00B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ole32.dll!OleSetClipboard 77611109 5 Bytes JMP 000D0030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] ole32.dll!OleIsCurrentClipboard 7761A879 5 Bytes JMP 000D0070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] Secur32.dll!FreeContextBuffer 75E72D83 5 Bytes JMP 000F00F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] Secur32.dll!DeleteSecurityContext 75E72F18 5 Bytes JMP 000F0270
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] Secur32.dll!FreeCredentialsHandle 75E73598 5 Bytes JMP 000F0130
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] Secur32.dll!EncryptMessage 75E73745 5 Bytes JMP 000F01F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] Secur32.dll!DecryptMessage 75E73813 5 Bytes JMP 000F0230
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] Secur32.dll!InitializeSecurityContextA 75E787DF 5 Bytes JMP 000F0170
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] Secur32.dll!AcquireCredentialsHandleA 75E78A43 5 Bytes JMP 000F0030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] Secur32.dll!QueryContextAttributesA 75E78E77 5 Bytes JMP 000F0070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] Secur32.dll!ApplyControlToken 75E7DE4F 5 Bytes JMP 000F01B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[8024] Secur32.dll!QueryCredentialsAttributesA 75E7E052 5 Bytes JMP 000F00B0

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\explorer.exe[2024] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [74E876CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19535_none_9e53b5a6ca14f8c8\gdiplus.dll
IAT C:\Windows\explorer.exe[2024] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [74EDA3FD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19535_none_9e53b5a6ca14f8c8\gdiplus.dll
IAT C:\Windows\explorer.exe[2024] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [74E8B9D2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19535_none_9e53b5a6ca14f8c8\gdiplus.dll
IAT C:\Windows\explorer.exe[2024] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [74E7F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19535_none_9e53b5a6ca14f8c8\gdiplus.dll
IAT C:\Windows\explorer.exe[2024] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [74E874A1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19535_none_9e53b5a6ca14f8c8\gdiplus.dll
IAT C:\Windows\explorer.exe[2024] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [74E7E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19535_none_9e53b5a6ca14f8c8\gdiplus.dll
IAT C:\Windows\explorer.exe[2024] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74EB8085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19535_none_9e53b5a6ca14f8c8\gdiplus.dll
IAT C:\Windows\explorer.exe[2024] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [74E8D910] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19535_none_9e53b5a6ca14f8c8\gdiplus.dll
IAT C:\Windows\explorer.exe[2024] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [74E7FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19535_none_9e53b5a6ca14f8c8\gdiplus.dll
IAT C:\Windows\explorer.exe[2024] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [74E7FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19535_none_9e53b5a6ca14f8c8\gdiplus.dll
IAT C:\Windows\explorer.exe[2024] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [74E771CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19535_none_9e53b5a6ca14f8c8\gdiplus.dll
IAT C:\Windows\explorer.exe[2024] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [74F0CE02] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19535_none_9e53b5a6ca14f8c8\gdiplus.dll
IAT C:\Windows\explorer.exe[2024] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [74EAC5BC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19535_none_9e53b5a6ca14f8c8\gdiplus.dll
IAT C:\Windows\explorer.exe[2024] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [74E7D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19535_none_9e53b5a6ca14f8c8\gdiplus.dll
IAT C:\Windows\explorer.exe[2024] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [74E76853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19535_none_9e53b5a6ca14f8c8\gdiplus.dll
IAT C:\Windows\explorer.exe[2024] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [74E7687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19535_none_9e53b5a6ca14f8c8\gdiplus.dll
IAT C:\Windows\explorer.exe[2024] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [74E82AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19535_none_9e53b5a6ca14f8c8\gdiplus.dll

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs 863361F8
Device \FileSystem\fastfat \FatCdrom AD72B500
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys
Device \Driver\volmgr \Device\VolMgrControl 8599B1F8
Device \Driver\usbuhci \Device\USBPDO-0 87E0A1F8
Device \Driver\sptd \Device\1994697605 spwf.sys
Device \Driver\usbuhci \Device\USBPDO-1 87E0A1F8
Device \Driver\usbuhci \Device\USBPDO-2 87E0A1F8
Device \Driver\usbehci \Device\USBPDO-3 87E101F8
Device \Driver\usbuhci \Device\USBPDO-4 87E0A1F8
Device \Driver\usbuhci \Device\USBPDO-5 87E0A1F8
Device \Driver\usbuhci \Device\USBPDO-6 87E0A1F8
Device \Driver\volmgr \Device\HarddiskVolume1 8599B1F8
Device \Driver\usbehci \Device\USBPDO-7 87E101F8
Device \Driver\PCI_PNP1589 \Device\00000058 spwf.sys
Device \Driver\volmgr \Device\HarddiskVolume2 8599B1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{AB84BEDD-A684-4B0A-BCA0-9B4F56FC3325} 8AB1F1F8
Device \Driver\cdrom \Device\CdRom0 880951F8
Device \Driver\cdrom \Device\CdRom0 863F6911
Device \Driver\cdrom \Device\CdRom1 880951F8
Device \Driver\cdrom \Device\CdRom1 863F6911
Device \Driver\iaStor \Device\Ide\iaStor0 [82F5D720] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\iaStor0 863F8014
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [82F5D720] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 863F8014
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [82F5D720] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 863F8014
Device \Driver\cdrom \Device\CdRom2 880951F8
Device \Driver\cdrom \Device\CdRom2 863F6911
Device \Driver\BTHUSB \Device\00000080 bthport.sys
Device \Driver\netbt \Device\NetBt_Wins_Export 8AB1F1F8
Device \FileSystem\fastfat \Fat AD72B500
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys
Device \FileSystem\cdfs \Cdfs 85AB6500

---- Trace I/O - GMER 2.1 ----

Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x863f8014]<< 863f8014
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87612788] 87612788
Trace 3 CLASSPNP.SYS[8b1cc8b3] -> nt!IofCallDriver -> [0x86a45bc8] 86a45bc8
Trace 5 acpi.sys[82e116bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8639e028] 8639e028
Trace \Driver\iaStor[0x863f4e20] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x863f8014 863f8014

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ?????t??? ?????????????????????#????????????????????WmiCollectPerfData??????????????????? ?????????????????????#????????????????????????????????????l???????????????????????????????????????????????????CSAFD NetBIOS [\Device\NetBT_Tcpip6_{AB84BEDD-A684-4B0A-BCA0-9??????????????????????????????????????????????????????????MSAFD NetBIOS [\Device\NetBT_Tcpip6_{B03283F2-D92B-447F-99C4-73EF2DA30B97}] DATAGRAM 6??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????WmiApRpl.ini????????????????????????????????????????????????????????\??\C:\Program Files\Mozilla Firefox\tobedeleted\rep7070.tmp??\??\C:\Program Files\Mozilla Maintenance Service\maintenanceservice_tmp.exe??\??\C:\Program Files\Microsoft Silverlight\5.1.40728.0\agcore.dll??\??\C:\Program Files\Microsoft Silverlight\5.1.40728.0\agcp.exe??\??\C:\Program Files\Microsoft Silverlight\5.1.40728.0\ar\Microsoft.VisualBasic.resources.dll??\??\C:\Pr
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@0017e4cf6de7 0xD3 0xA3 0xE7 0xE6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@1c62b8d87cc1 0x6B 0x47 0x69 0x1C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@a04e04d7b2df 0xBA 0x88 0x75 0x6B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@0026ff00a9f1 0xA0 0x88 0x91 0xEA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@8c3ae3df8e2f 0x22 0xA1 0xC2 0xC0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@502e5c7a81fd 0xE3 0xF1 0x64 0x4A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 15698
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDF 0xBF 0x9D 0x56 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x36 0x45 0x07 0xCE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x62 0x58 0x3A 0xEE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B03283F2-D92B-447F-99C4-73EF2DA30B97}@LeaseObtainedTime 1455448023 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B03283F2-D92B-447F-99C4-73EF2DA30B97}@T1 1455491223 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B03283F2-D92B-447F-99C4-73EF2DA30B97}@T2 1455523623 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B03283F2-D92B-447F-99C4-73EF2DA30B97}@LeaseTerminatesTime 1455534423 Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00234def4a90 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00234def4a90@0017e4cf6de7 0xD3 0xA3 0xE7 0xE6 ... Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00234def4a90@1c62b8d87cc1 0x6B 0x47 0x69 0x1C ... Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00234def4a90@a04e04d7b2df 0xBA 0x88 0x75 0x6B ... Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00234def4a90@0026ff00a9f1 0xA0 0x88 0x91 0xEA ... Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00234def4a90@8c3ae3df8e2f 0x22 0xA1 0xC2 0xC0 ... Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00234def4a90@502e5c7a81fd 0xE3 0xF1 0x64 0x4A ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDF 0xBF 0x9D 0x56 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... 
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x36 0x45 0x07 0xCE ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x62 0x58 0x3A 0xEE ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9B592DB4091045C40BE8336ACE9A22FD\Usage@ThinkVantage_Access_Con 1213103988 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.1 ---- File C:\RRbackups\C 0 bytes File C:\RRbackups\common 0 bytes File C:\RRbackups\common\backups.dat 8192 bytes File C:\RRbackups\common\bmgrmode.dat 29 bytes File C:\RRbackups\common\css.dat 8192 bytes File C:\RRbackups\common\hints.dat 8192 bytes File C:\RRbackups\common\mnd.dat 8192 bytes File C:\RRbackups\common\regcerts.dat 8192 bytes File C:\RRbackups\common\restore.log 110 bytes File C:\RRbackups\common\rr.log 337330 bytes File C:\RRbackups\common\rr_bcdenum.dat 4609 bytes File C:\RRbackups\common\SAM 262144 bytes File C:\RRbackups\common\seccache.dat 8192 bytes File C:\RRbackups\common\secpolicy.dat 28672 bytes File C:\RRbackups\common\settings.dat 32768 bytes File C:\RRbackups\common\system.dat 12288 bytes File C:\RRbackups\common\tvtcmn.dat 8192 bytes File C:\RRbackups\common\tvtns.bin 23 bytes File C:\RRbackups\common\usersids.dat 21840 bytes File C:\RRbackups\Documents and Settings 0 bytes File C:\RRbackups\Documents and Settings\Administrator 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto 0 bytes File C:\RRbackups\Documents and 
Settings\Administrator\AppData\Roaming\Microsoft\Crypto\RSA 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-500 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-500\a077ead69703e3bf1fd373a3c9376faa_ad18dae1-ed09-4d09-be99-7f96ddc5d568 77 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\CREDHIST 24 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-500 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-500\f209e1c6-e19a-4e81-806e-a0fb1fc39c7f 388 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-500\Preferred 24 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-946592493-3211520402-3949043191-500 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-946592493-3211520402-3949043191-500\1e617109-803e-4be7-9818-0d7338a89cf9 388 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-946592493-3211520402-3949043191-500\Preferred 24 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates 0 bytes File C:\RRbackups\Documents and 
Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs 0 bytes File C:\RRbackups\Documents and Settings\marek 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Lenovo 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Lenovo\Client Security Solution 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Lenovo\Client Security Solution\cspContainer.dat 332 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Lenovo\Client Security Solution\hibernation.dat 4 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\83aa4cc77f591dfc2374580bbd95f6ba_ad18dae1-ed09-4d09-be99-7f96ddc5d568 45 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\22296ea5bcbaac0e7e6cac8ee21ae6d8_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1301 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\43e3a4a9826996aba5d7727553958fbf_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1285 bytes File C:\RRbackups\Documents and 
Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\5550e7cb640347345a345c63aa7a6848_ad18dae1-ed09-4d09-be99-7f96ddc5d568 59 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\62a45886e06c7d046ea8b819bec0598a_ad18dae1-ed09-4d09-be99-7f96ddc5d568 45 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\64823036320bd02b6b09186b90099f5d_ad18dae1-ed09-4d09-be99-7f96ddc5d568 46 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\6b29ae44e85efac3c72ff4d1865d73f1_ad18dae1-ed09-4d09-be99-7f96ddc5d568 53 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\89facafc0026437efa3c336e003f3316_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1311 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\8f71098770f72c7a67cd8f1151619865_ad18dae1-ed09-4d09-be99-7f96ddc5d568 54 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\90465be05b8939c84e21979d69c28c0b_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1294 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\a077ead69703e3bf1fd373a3c9376faa_ad18dae1-ed09-4d09-be99-7f96ddc5d568 77 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\a64731a25811fa88f16bf243447fbb69_ad18dae1-ed09-4d09-be99-7f96ddc5d568 65 bytes File C:\RRbackups\Documents and 
Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\dd508fb67e3df5d722d6ce98ff404371_ad18dae1-ed09-4d09-be99-7f96ddc5d568 63 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\CREDHIST 24 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\5b38782e-ae70-419c-8df5-6b82275d2f95 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\a32f5dc3-5bad-4bfe-b51e-fae93391570f 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\11f4c52e-8f9e-4c96-a938-b4897d9cca6a 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\15d2caad-9a5c-4794-89ce-6610631656b7 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\2b45af93-21cb-45d5-bcfb-5d08f87852ec 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\44ff3299-100d-4da3-b232-533418ad5e52 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\45e598ba-36e4-4c82-9654-4f6a85595a01 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\4bc9725b-ee04-4570-ba63-c2e59b52c16b 388 bytes File C:\RRbackups\Documents and 
Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\558777e6-e2d0-4b42-8020-0340931dfbee 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\7575f1b0-58a4-4f9f-af63-96d06bbfd165 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\7af7b86a-46df-4601-aa13-5dc1af526cc6 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\8014ad1e-876c-4993-bac0-4555e1bb9cc5 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\89a51020-f432-45ce-8d68-a0475934c6d2 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\982516f1-5e90-4fba-b7b2-88d2f059b413 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\9b316cad-6698-476a-977e-9c9b1afd3a6f 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\9ef0d5ac-f89b-4750-94fd-50cd2ddcbc26 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\a4cc1a2c-380d-49c9-8b81-693f3119bb46 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\aa05138d-445b-410c-872a-71eeda8eda23 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\b75efed0-5f47-4962-a13e-9f9bf64ac151 388 bytes File C:\RRbackups\Documents and 
Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\be8e66a5-5463-4a2a-a5ab-a91a396ac179 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\c5032c90-3888-4c84-a1f2-46712f1e1c00 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\c9b30038-a00f-4277-9687-48d27ba3bfb7 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\ccbc6ea8-cdfc-45fb-9531-0d62912ef565 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\da121dd6-1e30-4ab3-915c-c6c52521e9f3 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\dc1a2530-0c1a-465c-9f2b-ded409de93f3 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\e7d86958-5282-4c6c-8de2-56a0b1488dec 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\efe5a180-27fa-4079-a366-e28dc345555d 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\f7cc761c-b7b4-4490-9fb7-3e892b578064 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\f9b9965f-2a53-4616-97e4-10ba9329ffe6 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\Preferred 24 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates 0 bytes File C:\RRbackups\Documents and 
Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\2F152460653AB478A5AF3DE2A2FADD941EBFD293 824 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\87705B8E2DEBBBC68C7359881FED73527C8F6F4D 1010 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\Keys 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\F2167802900C3689B22CA29A271BBA4C76B76266 152 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\Request 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\Request\CRLs 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\Request\CTLs 0 bytes File C:\RRbackups\ProgramData 0 bytes File C:\RRbackups\ProgramData\Lenovo 0 bytes File C:\RRbackups\ProgramData\Lenovo\Client Security Solution 0 bytes File C:\RRbackups\ProgramData\Lenovo\Client Security Solution\cspContainer.dat 332 bytes File C:\RRbackups\ProgramData\Microsoft 0 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto 0 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA 0 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys 0 bytes File 
C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\025534d3b58679fb8e58cab0d2477dfa_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1757 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2a4ad61fa149c392e4743d21f2b24756_ad18dae1-ed09-4d09-be99-7f96ddc5d568 2087 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\89facafc0026437efa3c336e003f3316_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1319 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8d2450622ab7fcd10abb073fb349a251_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1319 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a077ead69703e3bf1fd373a3c9376faa_ad18dae1-ed09-4d09-be99-7f96ddc5d568 907 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\d013304477f3689e5815d4051f89c4af_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1313 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ec0d180d427673e2fc3a72cb659934ca_ad18dae1-ed09-4d09-be99-7f96ddc5d568 913 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 0 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\4eccd106f69e31c1b12304e5463bb71d_ad18dae1-ed09-4d09-be99-7f96ddc5d568 56 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\62a45886e06c7d046ea8b819bec0598a_ad18dae1-ed09-4d09-be99-7f96ddc5d568 45 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6b29ae44e85efac3c72ff4d1865d73f1_ad18dae1-ed09-4d09-be99-7f96ddc5d568 53 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_ad18dae1-ed09-4d09-be99-7f96ddc5d568 47 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\83aa4cc77f591dfc2374580bbd95f6ba_ad18dae1-ed09-4d09-be99-7f96ddc5d568 45 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\8f71098770f72c7a67cd8f1151619865_ad18dae1-ed09-4d09-be99-7f96ddc5d568 54 bytes File 
C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\b973ec0ff915c48a18fe09064ce3a22d_ad18dae1-ed09-4d09-be99-7f96ddc5d568 56 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_ad18dae1-ed09-4d09-be99-7f96ddc5d568 899 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\dd508fb67e3df5d722d6ce98ff404371_ad18dae1-ed09-4d09-be99-7f96ddc5d568 63 bytes File C:\RRbackups\Q 0 bytes File C:\RRbackups\S 0 bytes File C:\RRbackups\SIS 0 bytes File C:\RRbackups\SIS\C 0 bytes File C:\RRbackups\SIS\Q 0 bytes File C:\RRbackups\SIS\S 0 bytes File C:\Users\marek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SO276Q7C\mt[1].htm 2917 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\E380215C3A6A478691E27FDFCA774B8D20D50571 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\C8618264D328C1287F427BEA269DD09857181589 44274 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\E069D782B16B72EA97172BDBE993AEFB448B6D54 44214 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\21175697B23FC9954A9EE65A5B298D4E9ADD497E 113 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\5FA8C6137E70C8F226AE38B3D0AF1FC2DDBD52C4 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\5DA4BC9974F4FE6AA87D239B27264BB04978658F 4281 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\32A228AA9A6630C74FD2EF83C92D5630116D9801 44006 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\02ED0A2A6AAE8B7DBADA889991C64EF585DDDFD8 44108 bytes File 
C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\1EFB1D226BA83D0F0E0A5A2312CA8C8837D39728 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\98965FD025387DBEA627CD288CD41C507632A0CA 94075 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\CCC3CB974C46D3DE48A57A487C3FBD214EEDE164 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\000D73BCD19273778BB478FB3C3FB640A634FF34 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\88BF959937500177B4BADD6BEEB630FD1B2802C4 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\6133A73D7EFE996FAF3D4036620840525EB819E0 44287 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\D6B822C968D0DC165E6EA3C12561F45CD3476A04 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\FEBE7DE135C0486047A7CB55652AB94E13746110 44387 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\0E76810536B43F215BEBF79B850D3ABEB211A665 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\D15F078C9E8F1D4B4487388169F62DD1BF23AE1D 44341 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\C3051A25CA269AECBA2A0238316366BF6734BD56 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\684B22B6CD1D033D8721E2DD59E2825071218A07 365 bytes File 
C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\E0DB7D6F1E575CE04CFF1ECABC257501AA4ACB44 43907 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\FE37DEA711CE6C990038AF85ED819DF2152F42D2 3523 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\801139DA733BEBDE97022A3ECD5B0B750B09D9D2 44169 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\A5424AD0C28CFA642F459F705FB3ECCF32D5126C 59907 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\107FFCD003D747A877D142AA99DBEBC4EA35D220 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\0214B228766BEDE8C31C912CEACFF7A950DFE79B 44208 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\453F7BBB378F5B548C7302A80590D4AE752D8CD1 44223 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\6A39550F98D8AA9F6A70373D339E1E19CA10DF35 44562 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\ACC992C543CA97F5DA45BEC9F5D9B9A96402620F 44477 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\41816D2B74BF218470581CB8A4F03CB74939CCEA 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\AA8F9FD5E173AE9ABD7074EE51B54881A61E67F3 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\5151657CA6D76C3EBAF1125E6CA9A9C9BDBE14D4 3497 bytes File 
C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\9C29DC0F30F82C805FAAAA1ABD0A35D424A4D3E5 44312 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\4707A53C836EBA20758226FD55104BBDF8AADA58 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\F3460FC16F5BEB81BDD14579C31E42680CBD13CD 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\E45B07C24F096B29BBCDB2B31B7ADEFA0F86EFAF 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\232278EBC0C670365F32453F0B76B28570C702DC 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\344CCEA9E2E405B2D7B0D94B565FB76007453D2E 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\08C9EB7143C26EC2BD739D334C4BBC2B467B0816 44159 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\7EE3C7E2DF974E0A4D87EFE69DDBCF03B2C54599 44253 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\8D2620DE3430DFDC7E30279F31960F0933287370 44007 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\A706ABEA68E347611EEF9A81997FF823C9C477CE 44670 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\AD902EF9220789AABEFAC480B72CC406B32F0720 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\F1A21DB1B5820394B2B22237AB71E6CBD79F143B 3497 bytes File 
C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\F82A126230C78D346BD3F74BEAF1C642915F4DFA 44510 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\B1BE60BC9C6A193706EEA265E6EF2F0CAF57591D 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\C035304CF50152AAA62E4B0242D987D0A3581247 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\E752891BECE596CB1C217B37AE8D210385C0E5BC 44679 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\214CA7121D37FEE696325C57CCBCB680F0B7B0F3 44169 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\D0DB62AAA7FB232CFE9E583711204484F73D51A5 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\9F4C72580ED1D39F8DCDA8801CF52BE64A00092F 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\A9A41A6782EFA5C4D70E080210C4BE6F82FBE102 42173 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\3E4D1326346E526001852BD60754155E96751C9F 44460 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\4AD211C6C28B28C9ED808942BC8AEEEDBBF2B405 44525 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\6E6FE1FBCEC4519AA3EE40EF61D085D64B92D9FD 44241 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\FB17D2BEFC4344B873C362633E7A2A1431DF8D23 3497 bytes File 
C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\877EF8BFA2367E650697E9E094D3A902A3FD2940 44483 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\8792267AA2B9A5A8182FB3BAD0E165B875251068 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\EDA2562DBD8942C97B54B24B313D780D7640B1A5 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\0ADF3F3D460F2106548C4EACD04896E077D5EAFE 44511 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\D99FB9D6247CF2F6D9F50691A41F11D1B50D66B8 44694 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\203B1A211305BE3CAA3B92BD7A2C4FB943BD3141 3497 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\D8D8223A02894E5E18529A44BDE0C39D3C7B8E61 43929 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\6010F5A78C4F4631B984BAA4DD0127117F48C964 44657 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\3160B2D4020C7F982F8608E32FA52E8D74C91537 44580 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\77F04AD302C92421828DA672283FB8854F40D2D6 44613 bytes File C:\Users\marek\AppData\Local\Mozilla\Firefox\Profiles\0lzt26ep.default-1427745489885\cache2\entries\D8A9664FF714D38E3EACFCAF0C3AED5B0F514AC3 3497 bytes ---- EOF - GMER 2.1 ----