GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-02-15 20:06:04 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MHZ2320BH_G2 rev.8909 298,09GB Running: 9c7yx80c.exe; Driver: C:\Users\JOA~1\AppData\Local\Temp\kxldypog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwAdjustPrivilegesToken [0x907390A0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwAlpcConnectPort [0x90739020] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwAlpcSendWaitReceivePort [0x90739030] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwClose [0x907390C0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwConnectPort [0x90739050] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateSection [0x90739000] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateSymbolicLinkObject [0x907391B0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateThread [0x90739110] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwCreateThreadEx [0x90739040] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDebugActiveProcess [0x90739150] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDeviceIoControlFile [0x90739210] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwDuplicateObject [0x90739180] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwLoadDriver [0x90739160] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwMapViewOfSection [0x90739190] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwOpenProcess [0x90739080] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwOpenSection [0x90739070] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwOpenThread [0x90739090] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwPlugPlayControl [0x907391C0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwProtectVirtualMemory [0x907390D0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwQueryIntervalProfile [0x907394C0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwQueueApcThread [0x90739130] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwRequestWaitReplyPort [0x90739200] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwResumeProcess [0x907394E0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwResumeThread [0x907391D0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSecureConnectPort [0x90739060] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetContextThread [0x90739120] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetInformationObject [0x907390B0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetInformationToken [0x90739010] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSetSystemInformation [0x90739170] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSuspendProcess [0x907391F0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSuspendThread [0x907391E0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwSystemDebugControl [0x90739140] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwTerminateProcess [0x907390E0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwTerminateThread [0x907390F0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwUnmapViewOfSection [0x907391A0] SSDT \SystemRoot\system32\DRIVERS\klhk.sys ZwWriteVirtualMemory [0x90739100] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRequestPort + 14AD 82C92BB5 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CCCB92 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 82CD3F9C 4 Bytes [A0, 90, 73, 90] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82CD3FC4 4 Bytes [20, 90, 73, 90] .text ntkrnlpa.exe!KeRemoveQueueEx + 1143 82CD4008 4 Bytes [30, 90, 73, 90] .text ntkrnlpa.exe!KeRemoveQueueEx + 1193 82CD4058 4 Bytes [50, 90, 73, 90] {PUSH EAX; NOP ; JAE 0xffffff94} .text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 82CD40BC 4 Bytes [00, 90, 73, 90] .text ... ---- User code sections - GMER 2.1 ---- ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avp.exe[2040] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avp.exe[2040] ntdll.dll!NtProtectVirtualMemory 77545F70 5 Bytes JMP 744928A0 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\ushata.dll ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avp.exe[2040] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: uxtheme.dllunknown module: KERNELBASE.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avp.exe[2040] USER32.dll!NotifyWinEvent + 5B2 76F6D570 4 Bytes [C0, 3C, 49, 74] {SAR BYTE [ECX+ECX*2], 0x74} .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avp.exe[2040] USER32.dll!NotifyWinEvent + 6AE 76F6D66C 4 Bytes [70, 3C, 49, 74] ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avp.exe[2040] C:\Windows\system32\ADVAPI32.dll time/date stamp mismatch; unknown module: CRYPTSP.dllunknown module: WINTRUST.dllunknown module: SspiCli.dllunknown module: bcrypt.dllunknown module: pcwum.dllunknown module: KERNELBASE.dll .text C:\Program Files\CCleaner\CCleaner.exe[3112] USER32.dll!SetScrollRange 76F58EC5 5 Bytes JMP 00A4A104 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3112] USER32.dll!GetScrollInfo 76F62DA3 5 Bytes JMP 00A4A097 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3112] USER32.dll!SetScrollInfo 76F648DA 5 Bytes JMP 00A4A13B C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3112] USER32.dll!GetScrollRange 76F8045A 5 Bytes JMP 00A4A03A C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3112] USER32.dll!SetScrollPos 76F804BE 5 Bytes JMP 00A4A015 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3112] USER32.dll!GetScrollPos 76F80E43 5 Bytes JMP 00A4A072 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3112] USER32.dll!EnableScrollBar 76F819CE 5 Bytes JMP 00A4A16F C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3112] USER32.dll!ShowScrollBar 76F83C89 5 Bytes JMP 00A4A0CA C:\Program Files\CCleaner\CCleaner.exe ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avpui.exe[3600] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: uxtheme.dllunknown module: KERNELBASE.dll ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avpui.exe[3600] C:\Windows\system32\USER32.dll time/date stamp mismatch; unknown module: CFGMGR32.dllunknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avpui.exe[3600] USER32.dll!LockWindowStation + 1BE 76F54948 5 Bytes JMP 74494670 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avpui.exe[3600] USER32.dll!GetUserObjectInformationA + 82F 76F579E7 5 Bytes JMP 74494AE0 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avpui.exe[3600] USER32.dll!NotifyWinEvent + 5B2 76F6D570 4 Bytes [C0, 3C, 49, 74] {SAR BYTE [ECX+ECX*2], 0x74} .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avpui.exe[3600] USER32.dll!NotifyWinEvent + 6AE 76F6D66C 4 Bytes [70, 3C, 49, 74] .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avpui.exe[3600] USER32.dll!SetWindowsHookExA + 21 76F86D2D 5 Bytes JMP 74494A60 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avpui.exe[3600] USER32.dll!SendMessageTimeoutA + 2A 76F86DD3 5 Bytes JMP 744945E0 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avpui.exe[3600] USER32.dll!GetRawInputDeviceInfoW + 10 76F9CA16 5 Bytes JMP 744948B0 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avpui.exe[3600] USER32.dll!GetRawInputDeviceInfoA + E7 76FB3C80 5 Bytes JMP 74494820 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\ushata.dll .text C:\Windows\Explorer.EXE[3768] kernel32.dll!GetStartupInfoA + 238 76752048 7 Bytes JMP 669A3FF0 C:\Program Files\WinZip\FAHDll32.dll .text C:\Windows\Explorer.EXE[3768] ole32.dll!CoRevokeInitializeSpy + 582 76B69D06 7 Bytes JMP 669A4120 C:\Program Files\WinZip\FAHDll32.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp kltdi.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 klbackupdisk.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 klbackupdisk.sys Device \Driver\BTHUSB \Device\00000084 bthport.sys Device \Driver\BTHUSB \Device\00000086 bthport.sys AttachedDevice \Driver\tdx \Device\Udp kltdi.sys AttachedDevice \Driver\tdx \Device\RawIp kltdi.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{5AAEBA28-7E0F-4C7A-84EF-D54C8EE265C9}\Connection@Name isatap.{AA9A82B6-2906-4A5E-99D8-4EF1546863A7} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Bind \Device\{88EFC5C4-1412-4A8E-8275-4ACD679CD94C}?\Device\{C327E45B-B22A-4B43-AD9C-AF9170E8851E}?\Device\{85D40575-0819-4D92-AD80-918CE4D89796}?\Device\{5AAEBA28-7E0F-4C7A-84EF-D54C8EE265C9}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Route "{88EFC5C4-1412-4A8E-8275-4ACD679CD94C}"?"{C327E45B-B22A-4B43-AD9C-AF9170E8851E}"?"{85D40575-0819-4D92-AD80-918CE4D89796}"?"{5AAEBA28-7E0F-4C7A-84EF-D54C8EE265C9}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Export \Device\TCPIP6TUNNEL_{88EFC5C4-1412-4A8E-8275-4ACD679CD94C}?\Device\TCPIP6TUNNEL_{C327E45B-B22A-4B43-AD9C-AF9170E8851E}?\Device\TCPIP6TUNNEL_{85D40575-0819-4D92-AD80-918CE4D89796}?\Device\TCPIP6TUNNEL_{5AAEBA28-7E0F-4C7A-84EF-D54C8EE265C9}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e23939a Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{5AAEBA28-7E0F-4C7A-84EF-D54C8EE265C9}@InterfaceName isatap.{AA9A82B6-2906-4A5E-99D8-4EF1546863A7} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{5AAEBA28-7E0F-4C7A-84EF-D54C8EE265C9}@ReusableType 0 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e23939a (not active ControlSet) Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 0x3E 0x8C 0xC6 0x26 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x66 0xD4 0xD3 0xBD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\sdiagnhost.exe 0x7A 0xEE 0x37 0xEB ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0x02 0x3B 0x18 0xEE ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\ehshell.exe 0x68 0x08 0xAB 0xC1 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\ehrec.exe 0xA3 0xBC 0x20 0xCA ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\JOA~1\AppData\Local\Temp\RarSFX0\fsljl00m.exe 0xCC 0x67 0xC0 0x94 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\JOA~1\AppData\Local\Temp\RarSFX1\file.exe 0xE1 0x14 0xDF 0x9B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\JOA~1\AppData\Local\Temp\FH4dh\file.exe 0xF1 0x62 0x01 0xA6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Joaś\AppData\Local\Instalatormoduw\instalator.exe 0xAB 0x63 0x42 0xA6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Controller\cohc.exe 0xFA 0xE1 0x38 0xED ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\ProgramData\Dongtam\Dongtam.exe 0x31 0x97 0x1B 0x86 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\ProgramData\Dongtam\pvur3mbu.exe 0xBB 0xD8 0xF3 0xB4 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Common Files\yi0qctim.0nr\uninstall.exe 0x4D 0xF4 0x95 0x83 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Malwarebytes Anti-Malware\mbam.exe 0x4E 0x46 0x1C 0xB0 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Malwarebytes Anti-Malware\mbamservice.exe 0x11 0x74 0x0D 0x1C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\GameforgeLive\Games\POL_pol\AION\DirectX\DXSETUP.exe 0x67 0x39 0xD1 0x4B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\WinZip\WzPreloader.exe 0x39 0x71 0x4C 0x3E ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\WinZip\WINZIP32.EXE 0x39 0x7A 0x04 0x5E ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe 0xE9 0xA0 0x74 0xA3 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Microsoft Office\Office12\WINWORD.EXE 0x1E 0xEA 0x4B 0x3E ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Microsoft Office\Office12\EXCEL.EXE 0x19 0xF9 0x73 0x31 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\msiexec.exe 0xFC 0x84 0xF4 0x36 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 0x92 0x58 0xF3 0xE1 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0xCA 0xCF 0xB2 0xBC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\rundll32.exe 0x9A 0xF7 0x6B 0xB1 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\CompatTel\wicainventory.exe 0x21 0x8E 0xA4 0x92 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Malwarebytes Anti-Malware\mbam.exe 0x31 0xD0 0xF2 0x9C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Malwarebytes Anti-Malware\mbamservice.exe 0x79 0x62 0x09 0xC3 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\aitstatic.exe 0x23 0xD0 0x58 0xBC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\WinZip\adxregistrator.exe 0x87 0x11 0x01 0x0A ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Users\JOA~1\AppData\Local\Temp\B4F96A82-CDBF-11E5-BF3F-00247E23939A\TEST_WPF.EXE 0xD2 0x40 0xB2 0x77 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avpui.exe 0xAC 0xAA 0x02 0x33 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 0x30 0x16 0xA7 0x9C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@8C3EE54F 293 ---- EOF - GMER 2.1 ----