GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-08-09 22:55:53 Windows 6.1.7601 Service Pack 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0 Samsung_SSD_750_EVO_250GB rev.MAT01B6Q 232,89GB Running: 0odmtrbr.exe; Driver: E:\Temp\uwldqpob.sys ---- System - GMER 2.2 ---- SSDT 87864BB8 ZwAlertResumeThread SSDT 87754128 ZwAlertThread SSDT 8775A520 ZwAllocateVirtualMemory SSDT 876A1378 ZwAlpcConnectPort SSDT 8773EA80 ZwAssignProcessToJobObject SSDT 87864AD0 ZwCreateMutant SSDT 8773E8C0 ZwCreateSymbolicLinkObject SSDT 8774E068 ZwCreateThread SSDT 8773E8F0 ZwCreateThreadEx SSDT 8773EB38 ZwDebugActiveProcess SSDT 8786BD00 ZwDuplicateObject SSDT 8773DB50 ZwFreeVirtualMemory SSDT 87864A20 ZwImpersonateAnonymousToken SSDT 87864B00 ZwImpersonateThread SSDT 8774D370 ZwLoadDriver SSDT 8773DA80 ZwMapViewOfSection SSDT 87864AA0 ZwOpenEvent SSDT 8787E068 ZwOpenProcess SSDT 878640D8 ZwOpenProcessToken SSDT 8773ED30 ZwOpenSection SSDT 8786BD40 ZwOpenThread SSDT 8773E9C0 ZwProtectVirtualMemory SSDT 8775BF48 ZwQueueApcThread SSDT 8775BE88 ZwQueueApcThreadEx SSDT 8775BDC8 ZwReadVirtualMemory SSDT 87864CF8 ZwResumeThread SSDT 87864F20 ZwSetContextThread SSDT 87864FD8 ZwSetInformationProcess SSDT 8773EBF0 ZwSetSystemInformation SSDT 87759428 ZwSuspendProcess SSDT 87864DB0 ZwSuspendThread SSDT 865CCE18 ZwTerminateProcess SSDT 87864E68 ZwTerminateThread SSDT 8773D9C8 ZwUnmapViewOfSection SSDT 8774EA30 ZwWriteVirtualMemory ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwRenameKey + 1579 8384CF15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83887232 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10DB 8388E630 8 Bytes [B8, 4B, 86, 87, 28, 41, 75, ...] 
{MOV EAX, 0x2887864b; INC ECX; JNZ 0xffffff8f} .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 8388E648 4 Bytes [20, A5, 75, 87] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 8388E654 4 Bytes [78, 13, 6A, 87] {JS 0x15; PUSH -0x79} .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 8388E6A8 4 Bytes JMP F11C8773 .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 8388E724 4 Bytes [D0, 4A, 86, 87] .text ... ---- User code sections - GMER 2.2 ---- .text H:\Pakiety\AnalizaWind7\0odmtrbr.exe[1420] ntdll.dll!NtTerminateThread 778377B8 5 Bytes JMP 00020050 .text H:\Pakiety\AnalizaWind7\0odmtrbr.exe[1420] ADVAPI32.dll!LogonUserExA + 16E 769B2AA3 7 Bytes JMP 00220048 .text H:\Pakiety\AnalizaWind7\0odmtrbr.exe[1420] ADVAPI32.dll!EncryptFileW + 4A 769B2AF2 7 Bytes JMP 0022012A .text H:\Pakiety\AnalizaWind7\0odmtrbr.exe[1420] USER32.dll!ChangeWindowMessageFilterEx + F 761824DF 7 Bytes JMP 00220BD6 .text H:\Pakiety\AnalizaWind7\0odmtrbr.exe[1420] USER32.dll!RecordShutdownReason + 372 761C078A 7 Bytes JMP 00220AF4 .text C:\Program Files\CCleaner\CCleaner.exe[2020] USER32.dll!SetScrollRange 76178ECD 5 Bytes JMP 005C1702 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2020] USER32.dll!GetScrollInfo 76182DAB 5 Bytes JMP 005C1689 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2020] USER32.dll!SetScrollInfo 761848E2 5 Bytes JMP 005C173F C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2020] USER32.dll!GetScrollRange 761A0472 5 Bytes JMP 005C1620 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2020] USER32.dll!SetScrollPos 761A04D6 5 Bytes JMP 005C15F5 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2020] USER32.dll!GetScrollPos 761A0E5B 5 Bytes JMP 005C165E C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2020] USER32.dll!EnableScrollBar 761A19E6 5 Bytes JMP 005C1779 C:\Program 
Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2020] USER32.dll!ShowScrollBar 761A3CA1 5 Bytes JMP 005C16C2 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\Webroot\WRSA.exe[2064] ntdll.dll!NtTerminateThread 778377B8 5 Bytes JMP 00020050 .text C:\Program Files\Webroot\WRSA.exe[2064] ADVAPI32.dll!LogonUserExA + 16E 769B2AA3 7 Bytes JMP 00250048 .text C:\Program Files\Webroot\WRSA.exe[2064] ADVAPI32.dll!EncryptFileW + 4A 769B2AF2 7 Bytes JMP 0025012A .text C:\Program Files\Webroot\WRSA.exe[2064] USER32.dll!ChangeWindowMessageFilterEx + F 761824DF 7 Bytes JMP 00250D9C .text C:\Program Files\Webroot\WRSA.exe[2064] USER32.dll!RecordShutdownReason + 372 761C078A 7 Bytes JMP 00250CBA .text C:\Windows\Explorer.EXE[2320] SHLWAPI.dll!ShellMessageBoxW 764DDDD1 5 Bytes JMP 6F4E6980 C:\Windows\system32\WRusr.dll .text C:\Program Files\Microsoft Office\Office\FINDFAST.EXE[2844] ntdll.dll!NtTerminateThread 778377B8 5 Bytes JMP 00020050 .text C:\Program Files\Microsoft Office\Office\FINDFAST.EXE[2844] USER32.dll!ChangeWindowMessageFilterEx + F 761824DF 7 Bytes JMP 00200BD6 .text C:\Program Files\Microsoft Office\Office\FINDFAST.EXE[2844] USER32.dll!RecordShutdownReason + 372 761C078A 7 Bytes JMP 00200AF4 .text C:\Program Files\Microsoft Office\Office\FINDFAST.EXE[2844] ADVAPI32.dll!LogonUserExA + 16E 769B2AA3 7 Bytes JMP 00200048 .text C:\Program Files\Microsoft Office\Office\FINDFAST.EXE[2844] ADVAPI32.dll!EncryptFileW + 4A 769B2AF2 7 Bytes JMP 0020012A .text C:\Program Files\OO Software\Defrag\oodag.exe[3140] ntdll.dll!NtTerminateThread 778377B8 5 Bytes JMP 00020050 .text C:\Program Files\OO Software\Defrag\oodag.exe[3140] kernel32.dll!SetUnhandledExceptionFilter 75B9F6AB 5 Bytes JMP 00401B80 C:\Program Files\OO Software\Defrag\oodag.exe .text C:\Program Files\OO Software\Defrag\oodag.exe[3140] ADVAPI32.dll!LogonUserExA + 16E 769B2AA3 7 Bytes JMP 00210048 .text C:\Program Files\OO Software\Defrag\oodag.exe[3140] ADVAPI32.dll!EncryptFileW + 
4A 769B2AF2 7 Bytes JMP 0021012A .text C:\Program Files\OO Software\Defrag\oodag.exe[3140] USER32.dll!ChangeWindowMessageFilterEx + F 761824DF 7 Bytes JMP 00210E80 .text C:\Program Files\OO Software\Defrag\oodag.exe[3140] USER32.dll!RecordShutdownReason + 372 761C078A 7 Bytes JMP 00210D9E .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5096] kernel32.dll!LoadLibraryExW 75B95281 5 Bytes JMP 6F4E6D80 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5096] USER32.dll!CreateWindowExA 7617BF48 5 Bytes JMP 6F4E07D0 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5096] USER32.dll!CreateWindowExW 7617EC84 5 Bytes JMP 6F4E0830 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5096] USER32.dll!DrawTextExW 761858A4 5 Bytes JMP 6F4E06C0 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5096] USER32.dll!SetWindowTextW 7618613B 5 Bytes JMP 6F4E0710 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5096] USER32.dll!SetClipboardData 7619297A 5 Bytes JMP 6F4EAC40 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5096] USER32.dll!SetWindowTextA 761A0C73 5 Bytes JMP 6F4E0750 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5096] GDI32.dll!BitBlt 779E72C0 5 Bytes JMP 6F4EAB50 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5096] GDI32.dll!TextOutW 779EFF21 5 Bytes JMP 6F4E6C10 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5096] WS2_32.dll!recv 76A26826 5 Bytes JMP 6F4ED750 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5096] WS2_32.dll!send 76A26C19 5 Bytes JMP 6F4E9E20 C:\Windows\system32\WRusr.dll .text C:\Windows\explorer.exe[5124] SHLWAPI.dll!ShellMessageBoxW 764DDDD1 5 Bytes JMP 6F4E6980 C:\Windows\system32\WRusr.dll .text C:\Program 
Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtCreateFile + 6 778364AE 4 Bytes [28, 70, FA, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtCreateFile + B 778364B3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtMapViewOfSection + 6 77836B0E 4 Bytes [28, 73, FA, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtMapViewOfSection + B 77836B13 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtOpenFile + 6 77836BBE 4 Bytes [68, 70, FA, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtOpenFile + B 77836BC3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtOpenProcess + 6 77836C6E 4 Bytes [A8, 71, FA, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtOpenProcess + B 77836C73 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtOpenProcessToken + B 77836C83 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtOpenProcessTokenEx + 6 77836C8E 4 Bytes [A8, 72, FA, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtOpenProcessTokenEx + B 77836C93 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtOpenThread + 6 77836CEE 4 Bytes [68, 71, FA, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtOpenThread + B 77836CF3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtOpenThreadToken + 6 77836CFE 4 Bytes [68, 72, FA, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtOpenThreadToken + B 77836D03 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtOpenThreadTokenEx + B 77836D13 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtQueryAttributesFile + 6 77836E1E 4 Bytes [A8, 70, FA, 00] .text C:\Program 
Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtQueryAttributesFile + B 77836E23 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtQueryFullAttributesFile + B 77836ED3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtSetInformationFile + 6 7783751E 4 Bytes [28, 71, FA, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtSetInformationFile + B 77837523 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtSetInformationThread + 6 7783757E 4 Bytes [28, 72, FA, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtSetInformationThread + B 77837583 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtUnmapViewOfSection + 6 7783789E 4 Bytes [68, 73, FA, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] ntdll.dll!NtUnmapViewOfSection + B 778378A3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] kernel32.dll!LoadLibraryExW 75B95281 5 Bytes JMP 6F4E6D80 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] USER32.dll!CreateWindowExA 7617BF48 5 Bytes JMP 6F4E07D0 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] USER32.dll!CreateWindowExW 7617EC84 5 Bytes JMP 6F4E0830 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] USER32.dll!DrawTextExW 761858A4 5 Bytes JMP 6F4E06C0 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] USER32.dll!SetWindowTextW 7618613B 5 Bytes JMP 6F4E0710 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] USER32.dll!SetClipboardData 7619297A 5 Bytes JMP 6F4EAC40 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] USER32.dll!SetWindowTextA 761A0C73 5 Bytes JMP 6F4E0750 C:\Windows\system32\WRusr.dll .text C:\Program 
Files\Opera\39.0.2256.48\opera.exe[5320] GDI32.dll!BitBlt 779E72C0 5 Bytes JMP 6F4EAB50 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] GDI32.dll!TextOutW 779EFF21 5 Bytes JMP 6F4E6C10 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] WS2_32.dll!recv 76A26826 5 Bytes JMP 6F4ED750 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5320] WS2_32.dll!send 76A26C19 5 Bytes JMP 6F4E9E20 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtCreateFile + 6 778364AE 4 Bytes [28, BC, 39, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtCreateFile + B 778364B3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtMapViewOfSection + 6 77836B0E 4 Bytes [28, BF, 39, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtMapViewOfSection + B 77836B13 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtOpenFile + 6 77836BBE 4 Bytes [68, BC, 39, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtOpenFile + B 77836BC3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtOpenProcess + 6 77836C6E 4 Bytes [A8, BD, 39, 00] {TEST AL, 0xbd; CMP [EAX], EAX} .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtOpenProcess + B 77836C73 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtOpenProcessToken + B 77836C83 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtOpenProcessTokenEx + 6 77836C8E 4 Bytes [A8, BE, 39, 00] {TEST AL, 0xbe; CMP [EAX], EAX} .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtOpenProcessTokenEx + B 77836C93 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtOpenThread + 6 77836CEE 4 Bytes [68, BD, 39, 00] .text C:\Program 
Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtOpenThread + B 77836CF3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtOpenThreadToken + 6 77836CFE 4 Bytes [68, BE, 39, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtOpenThreadToken + B 77836D03 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtOpenThreadTokenEx + B 77836D13 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtQueryAttributesFile + 6 77836E1E 4 Bytes [A8, BC, 39, 00] {TEST AL, 0xbc; CMP [EAX], EAX} .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtQueryAttributesFile + B 77836E23 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtQueryFullAttributesFile + B 77836ED3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtSetInformationFile + 6 7783751E 4 Bytes [28, BD, 39, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtSetInformationFile + B 77837523 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtSetInformationThread + 6 7783757E 4 Bytes [28, BE, 39, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtSetInformationThread + B 77837583 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtUnmapViewOfSection + 6 7783789E 4 Bytes [68, BF, 39, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] ntdll.dll!NtUnmapViewOfSection + B 778378A3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] kernel32.dll!LoadLibraryExW 75B95281 5 Bytes JMP 6F4E6D80 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] USER32.dll!CreateWindowExA 7617BF48 5 Bytes JMP 6F4E07D0 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] USER32.dll!CreateWindowExW 7617EC84 5 Bytes JMP 6F4E0830 C:\Windows\system32\WRusr.dll .text 
C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] USER32.dll!DrawTextExW 761858A4 5 Bytes JMP 6F4E06C0 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] USER32.dll!SetWindowTextW 7618613B 5 Bytes JMP 6F4E0710 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] USER32.dll!SetClipboardData 7619297A 5 Bytes JMP 6F4EAC40 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] USER32.dll!SetWindowTextA 761A0C73 5 Bytes JMP 6F4E0750 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] GDI32.dll!BitBlt 779E72C0 5 Bytes JMP 6F4EAB50 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] GDI32.dll!TextOutW 779EFF21 5 Bytes JMP 6F4E6C10 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] WS2_32.dll!recv 76A26826 5 Bytes JMP 6F4ED750 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5784] WS2_32.dll!send 76A26C19 5 Bytes JMP 6F4E9E20 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtCreateFile + 6 778364AE 4 Bytes [28, EC, 6D, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtCreateFile + B 778364B3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtMapViewOfSection + 6 77836B0E 4 Bytes [28, EF, 6D, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtMapViewOfSection + B 77836B13 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtOpenFile + 6 77836BBE 4 Bytes [68, EC, 6D, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtOpenFile + B 77836BC3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtOpenProcess + 6 77836C6E 4 Bytes [A8, ED, 6D, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtOpenProcess + B 
77836C73 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtOpenProcessToken + B 77836C83 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtOpenProcessTokenEx + 6 77836C8E 4 Bytes [A8, EE, 6D, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtOpenProcessTokenEx + B 77836C93 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtOpenThread + 6 77836CEE 4 Bytes [68, ED, 6D, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtOpenThread + B 77836CF3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtOpenThreadToken + 6 77836CFE 4 Bytes [68, EE, 6D, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtOpenThreadToken + B 77836D03 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtOpenThreadTokenEx + B 77836D13 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtQueryAttributesFile + 6 77836E1E 4 Bytes [A8, EC, 6D, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtQueryAttributesFile + B 77836E23 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtQueryFullAttributesFile + B 77836ED3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtSetInformationFile + 6 7783751E 4 Bytes [28, ED, 6D, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtSetInformationFile + B 77837523 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtSetInformationThread + 6 7783757E 4 Bytes [28, EE, 6D, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtSetInformationThread + B 77837583 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] ntdll.dll!NtUnmapViewOfSection + 6 7783789E 4 Bytes [68, EF, 6D, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] 
ntdll.dll!NtUnmapViewOfSection + B 778378A3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] kernel32.dll!LoadLibraryExW 75B95281 5 Bytes JMP 6F4E6D80 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] USER32.dll!CreateWindowExA 7617BF48 5 Bytes JMP 6F4E07D0 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] USER32.dll!CreateWindowExW 7617EC84 5 Bytes JMP 6F4E0830 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] USER32.dll!DrawTextExW 761858A4 5 Bytes JMP 6F4E06C0 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] USER32.dll!SetWindowTextW 7618613B 5 Bytes JMP 6F4E0710 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] USER32.dll!SetClipboardData 7619297A 5 Bytes JMP 6F4EAC40 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] USER32.dll!SetWindowTextA 761A0C73 5 Bytes JMP 6F4E0750 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] GDI32.dll!BitBlt 779E72C0 5 Bytes JMP 6F4EAB50 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] GDI32.dll!TextOutW 779EFF21 5 Bytes JMP 6F4E6C10 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] WS2_32.dll!recv 76A26826 5 Bytes JMP 6F4ED750 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5868] WS2_32.dll!send 76A26C19 5 Bytes JMP 6F4E9E20 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtCreateFile + 6 778364AE 4 Bytes [28, 54, 41, 00] {SUB [ECX+EAX*2+0x0], DL} .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtCreateFile + B 778364B3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtMapViewOfSection + 6 77836B0E 4 Bytes [28, 57, 41, 00] .text C:\Program 
Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtMapViewOfSection + B 77836B13 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtOpenFile + 6 77836BBE 4 Bytes [68, 54, 41, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtOpenFile + B 77836BC3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtOpenProcess + 6 77836C6E 4 Bytes [A8, 55, 41, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtOpenProcess + B 77836C73 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtOpenProcessToken + B 77836C83 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtOpenProcessTokenEx + 6 77836C8E 4 Bytes [A8, 56, 41, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtOpenProcessTokenEx + B 77836C93 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtOpenThread + 6 77836CEE 4 Bytes [68, 55, 41, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtOpenThread + B 77836CF3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtOpenThreadToken + 6 77836CFE 4 Bytes [68, 56, 41, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtOpenThreadToken + B 77836D03 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtOpenThreadTokenEx + B 77836D13 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtQueryAttributesFile + 6 77836E1E 4 Bytes [A8, 54, 41, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtQueryAttributesFile + B 77836E23 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtQueryFullAttributesFile + B 77836ED3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtSetInformationFile + 6 7783751E 4 Bytes [28, 55, 41, 00] .text C:\Program 
Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtSetInformationFile + B 77837523 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtSetInformationThread + 6 7783757E 4 Bytes [28, 56, 41, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtSetInformationThread + B 77837583 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtUnmapViewOfSection + 6 7783789E 4 Bytes [68, 57, 41, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] ntdll.dll!NtUnmapViewOfSection + B 778378A3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] kernel32.dll!LoadLibraryExW 75B95281 5 Bytes JMP 6F4E6D80 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] USER32.dll!CreateWindowExA 7617BF48 5 Bytes JMP 6F4E07D0 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] USER32.dll!CreateWindowExW 7617EC84 5 Bytes JMP 6F4E0830 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] USER32.dll!DrawTextExW 761858A4 5 Bytes JMP 6F4E06C0 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] USER32.dll!SetWindowTextW 7618613B 5 Bytes JMP 6F4E0710 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] USER32.dll!SetClipboardData 7619297A 5 Bytes JMP 6F4EAC40 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] USER32.dll!SetWindowTextA 761A0C73 5 Bytes JMP 6F4E0750 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] GDI32.dll!BitBlt 779E72C0 5 Bytes JMP 6F4EAB50 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] GDI32.dll!TextOutW 779EFF21 5 Bytes JMP 6F4E6C10 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] WS2_32.dll!recv 76A26826 5 Bytes JMP 6F4ED750 C:\Windows\system32\WRusr.dll 
.text C:\Program Files\Opera\39.0.2256.48\opera.exe[5932] WS2_32.dll!send 76A26C19 5 Bytes JMP 6F4E9E20 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtCreateFile + 6 778364AE 4 Bytes [28, 7C, 3B, 00] {SUB [EBX+EDI+0x0], BH} .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtCreateFile + B 778364B3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtMapViewOfSection + 6 77836B0E 4 Bytes [28, 7F, 3B, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtMapViewOfSection + B 77836B13 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtOpenFile + 6 77836BBE 4 Bytes [68, 7C, 3B, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtOpenFile + B 77836BC3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtOpenProcess + 6 77836C6E 4 Bytes [A8, 7D, 3B, 00] {TEST AL, 0x7d; CMP EAX, [EAX]} .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtOpenProcess + B 77836C73 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtOpenProcessToken + B 77836C83 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtOpenProcessTokenEx + 6 77836C8E 4 Bytes [A8, 7E, 3B, 00] {TEST AL, 0x7e; CMP EAX, [EAX]} .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtOpenProcessTokenEx + B 77836C93 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtOpenThread + 6 77836CEE 4 Bytes [68, 7D, 3B, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtOpenThread + B 77836CF3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtOpenThreadToken + 6 77836CFE 4 Bytes [68, 7E, 3B, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtOpenThreadToken + B 77836D03 1 Byte [E2] .text C:\Program 
Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtOpenThreadTokenEx + B 77836D13 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtQueryAttributesFile + 6 77836E1E 4 Bytes [A8, 7C, 3B, 00] {TEST AL, 0x7c; CMP EAX, [EAX]} .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtQueryAttributesFile + B 77836E23 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtQueryFullAttributesFile + B 77836ED3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtSetInformationFile + 6 7783751E 4 Bytes [28, 7D, 3B, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtSetInformationFile + B 77837523 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtSetInformationThread + 6 7783757E 4 Bytes [28, 7E, 3B, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtSetInformationThread + B 77837583 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtUnmapViewOfSection + 6 7783789E 4 Bytes [68, 7F, 3B, 00] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] ntdll.dll!NtUnmapViewOfSection + B 778378A3 1 Byte [E2] .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] kernel32.dll!LoadLibraryExW 75B95281 5 Bytes JMP 6F4E6D80 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] USER32.dll!CreateWindowExA 7617BF48 5 Bytes JMP 6F4E07D0 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] USER32.dll!CreateWindowExW 7617EC84 5 Bytes JMP 6F4E0830 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] USER32.dll!DrawTextExW 761858A4 5 Bytes JMP 6F4E06C0 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] USER32.dll!SetWindowTextW 7618613B 5 Bytes JMP 6F4E0710 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] 
USER32.dll!SetClipboardData 7619297A 5 Bytes JMP 6F4EAC40 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] USER32.dll!SetWindowTextA 761A0C73 5 Bytes JMP 6F4E0750 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] GDI32.dll!BitBlt 779E72C0 5 Bytes JMP 6F4EAB50 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] GDI32.dll!TextOutW 779EFF21 5 Bytes JMP 6F4E6C10 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] WS2_32.dll!recv 76A26826 5 Bytes JMP 6F4ED750 C:\Windows\system32\WRusr.dll .text C:\Program Files\Opera\39.0.2256.48\opera.exe[5952] WS2_32.dll!send 76A26C19 5 Bytes JMP 6F4E9E20 C:\Windows\system32\WRusr.dll ---- Devices - GMER 2.2 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 WRkrn.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 WRkrn.sys AttachedDevice \Driver\tdx \Device\Tcp WRkrn.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 hotcore3.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 hotcore3.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 hotcore3.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 hotcore3.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 hotcore3.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 hotcore3.sys AttachedDevice \Driver\tdx \Device\Udp WRkrn.sys AttachedDevice \Driver\tdx \Device\RawIp WRkrn.sys Device fastfat.SYS AttachedDevice fltmgr.sys ---- Threads - GMER 2.2 ---- Thread SYSTEM [4:4556] B12FFF2E ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000b0d697261 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000b0d697261@0023d763a703 0xD7 0x7C 0xBC 0x6A ... 
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000b0d697261 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000b0d697261@0023d763a703 0xD7 0x7C 0xBC 0x6A ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG18.00.00.01PROFESSIONAL Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x28 0x35 0x1A 0xDC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Windows\System32\sdiagnhost.exe 0x70 0xCB 0x13 0x80 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0x6C 0x23 0xDA 0x85 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Program Files\Canon\CameraWindow\CameraWindowDC8\CameraWindowDC8.exe 0xA5 0xC5 0xE4 0x07 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe 0x62 0x9E 0xAF 0x0A ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Windows\WindowsMobile\wmdc.exe 0xE8 0x50 0xA1 0x82 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Windows\WindowsMobile\WmdHost.exe 0xA1 0x3A 0x84 0x34 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Windows\System32\wbem\WmiPrvSE.exe 0x31 0xED 0x37 0xF6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Windows\System32\mmc.exe 0x2B 0xF9 0xAA 0x29 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 0xA3 0x48 0x89 0x30 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Windows\System32\migwiz\migwiz.exe 0x1B 0xCD 0xB9 0x4D ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume5\TEMP\is-OLGRG.tmp\MRP22UpgradeTool.exe 0x7E 0x7B 0x60 0x34 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Program Files\Nemex\Mouse Recorder Pro 2\Mouse Recorder Pro.exe 0x03 0xA9 0x63 0x9F ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Program Files\Nemex\Mouse Recorder Pro 2\Mouse Recorder Pro Calendar.exe 0xD3 0xC6 0xB5 0x25 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Program Files\Nemex\Mouse Recorder Pro 2\Mouse Recorder Pro Editor.exe 0x72 0xD7 0x5B 0x1C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Program Files\Nemex\Mouse Recorder Pro 2\MRPlay.exe 0x03 0x0C 0x7E 0x35 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Windows.old\Program Files\IIS\Microsoft Web Deploy\msdeploy.exe 0x23 0x50 0xE1 0xBD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Program Files\Opera\38.0.2220.29\opera.exe 0x9A 0x7A 0x23 0x48 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Windows\explorer.exe 0x64 0x52 0xB0 0x04 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Program Files\The Bat!\thebat.exe 0xCA 0xE5 0x1B 0xC9 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Windows\hh.exe 0xB4 0x36 0x45 0x9B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Windows\Temp\RunBoot-Temp_.3b6f318e-e3e8-4472-986c-3134810d6fdd\MatsBoot.exe 0x12 0xF8 0xCA 0x53 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Windows\Temp\RunBoot-Temp_.f31d1419-ceb6-4988-b29a-1c573994b900\MatsBoot.exe 0xEF 0x52 0x59 0x31 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Windows\Temp\RunBoot-Temp_.7ba9c307-1eff-414d-9ecd-b9f8b0070708\MatsBoot.exe 0xD6 0xA9 0x0E 0xB3 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Windows\Temp\RunBoot-Temp_.51e61db7-2081-4cd8-a4da-7c7fe3014e44\MatsBoot.exe 0xE7 0x00 0xF1 0x8F ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\Program Files\Smarty Uninstaller 4\SmartyUninstaller.exe 0xB6 0x34 0xEC 0x05 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\hh.exe 0xC1 0x33 0x2E 0x49 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\mmc.exe 0x36 0xDA 0xA2 0x1D ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\sdiagnhost.exe 0x16 0xB8 0xE5 0x76 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0xD4 0x69 0x50 0x70 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\The Bat!\thebat.exe 0xD2 0x0C 0xBB 0x1E ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\WindowsMobile\wmdc.exe 0xA7 0xB5 0x36 0x8B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume3\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x49 0x59 0x21 0xDC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume3\Program Files\KeePass Password Safe 2\KeePass.exe 0x03 0x69 0x96 0xC0 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume3\Windows\System32\rundll32.exe 0x4C 0x80 0xA9 0x9F ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume3\Program Files\Ashampoo\Ashampoo Burning Studio 12\BurningStudioCompact.exe 0xAC 0x5E 0xBC 0xC8 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume3\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 0xB7 0x75 0x62 0xDC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume3\Program Files\WinPDFEditor\WinPDFEditor.exe 0x3C 0x87 0x50 0xA1 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume3\Windows\explorer.exe 0xDF 0x0F 0x49 0x25 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume3\Windows\System32\msiexec.exe 0xF1 0x33 0x9D 0xB9 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume3\Windows\System32\CompatTelRunner.exe 0xD8 0x30 0x66 0xF0 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume3\Windows\System32\wbem\WmiPrvSE.exe 0xA9 0xDA 0x96 0xFD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume5\USB30\RENESAS-USB3-Host-Driver-30120-Setup-x86-x64-Binary\setup.exe 0x1A 0xE6 0x77 0x9B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume5\TEMP\{64C32830-55B5-4868-9727-9ED5DEC414F3}\setup.exe 0x72 0x1E 0xAC 0x8B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume5\USB30\NEC-3_0\NEC_USB3.0_drv2.0.32.0\EXE\RENESAS-USB3-Host-Driver-20320-setup.exe 0x03 0x13 0x8A 0xC1 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume5\TEMP\{11CDC283-DD0C-49D7-B238-2D55FC3B68EB}\setup.exe 0x93 0x2C 0xCF 0xC2 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume5\USB30\NowszyzCD\RENESAS-USB3-Host-Driver-30120-setup.exe 0x13 0xB8 0x3B 0x00 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume5\USB30\NowszyzCD\EXE\RENESAS-USB3-Host-Driver-30120-setup.exe 0xEE 0x50 0x51 0x71 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume5\USB30\tylko ZIPNowszy\RENESAS-USB3-Host-Driver-30120-Setup-x86-x64-Binary\setup.exe 0x80 0xC0 0x27 0x90 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume5\TEMP\{8A5BF29E-76BD-49AC-AD20-631AD2A3FEAA}\setup.exe 0xD6 0x41 0x1E 0x8E ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume5\USB30\NEC-3_0\Rozpak_ZIP\RENESAS-USB3-Host-Driver-20320-Setup-x86-x64-Binary\setup.exe 0x9E 0xE4 0xD8 0xE9 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume5\TEMP\{49BCB8D8-9975-42E3-8D6B-BC3C3DE83BAE}\setup.exe 0xB5 0x31 0xBE 0x37 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume4\EXEBuild\USB3.0 Driver\setup.exe 0x5D 0xF7 0xEC 0xB1 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume5\TEMP\{B84C4623-C6B5-4E0F-89C4-8E586A9C7FA8}\Setup.exe 0x45 0x4F 0x43 0x17 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume5\Temp\is-U9HU9.tmp\smartyuninstaller4.4.2.100sharewareonsale.tmp 0xA2 0xA7 0x55 0xEE ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume3\Program Files\Smarty Uninstaller 4\SmartyUninstaller.exe 0x78 0x9F 0xC9 0x42 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume3\Windows\System32\WerFault.exe 0x58 0xF4 0xD4 0x6A ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\KeePass Password Safe 2\KeePass.exe 0x50 0x54 0x8D 0xB6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\msiexec.exe 0xD1 0x17 0x1F 0x9F ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Smarty Uninstaller 4\SmartyUninstaller.exe 0x86 0xED 0x47 0x10 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Ashampoo\Ashampoo Burning Studio 12\BurningStudioCompact.exe 0x3B 0x78 0xF8 0x2D ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@CDE3842E 2885 ---- EOF - GMER 2.2 ----