GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-01-19 17:03:15
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543232L9A300 rev.FB4OC40J 298,09GB
Running: pu5cp1gl.exe; Driver: C:\Users\Wiesiek\AppData\Local\Temp\pxldapow.sys
---- System - GMER 2.2 ----
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x8E0EB610]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x8E0EB670]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x8E0EB650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x8E0EB630]
---- Kernel code sections - GMER 2.2 ----
.text ntkrnlpa.exe!ZwRenameKey + 1549 81C40F05 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81C7B292 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1203 81C827C8 4 Bytes [10, B6, 0E, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1313 81C828D8 4 Bytes [70, B6, 0E, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 161F 81C82BE4 4 Bytes [50, B6, 0E, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1667 81C82C2C 4 Bytes JMP 907E5CB2
---- User code sections - GMER 2.2 ----
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[736] kernel32.dll!SetUnhandledExceptionFilter 7794F6AB 4 Bytes [C2, 04, 00, 00]
.text C:\Windows\Explorer.EXE[1756] SHELL32.dll!SHFileOperationW 76359670 5 Bytes JMP 10001102 D:\Unlocker 1.9.2\UnlockerHook.dll
---- Devices - GMER 2.2 ----
Device \Driver\BTHUSB \Device\0000008f bthport.sys
Device \Driver\BTHUSB \Device\0000008d bthport.sys
---- Threads - GMER 2.2 ----
Thread System [4:260] 856C6560
---- Registry - GMER 2.2 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e8319b9
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e8319b9 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x03 0x46 0x9D 0x4B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\temp\{9C1E9569-D7E9-445C-9919-162552A36F18}\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\Is2008Unit.exe 0xB4 0x09 0xCD 0xEA ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Wiesiek\AppData\Local\Temp\{DAD85EFE-2E46-4F13-B66E-6381D353A52D}\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\Is2008Unit.exe 0x87 0xEA 0x8A 0xEC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\sdiagnhost.exe 0xA3 0xF6 0xEC 0x96 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0x7D 0x3D 0x45 0x9B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Wiesiek\AppData\Local\Temp\is-SA0QR.tmp\DirectX\DXSETUP.exe 0xFE 0xB0 0x5C 0x82 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\ehshell.exe 0xB8 0x81 0x23 0x58 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\ehrec.exe 0xCF 0x5A 0xA5 0xD0 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 0x56 0x5B 0xCF 0x4F ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Wiesiek\AppData\Local\Temp\HPSALight\Setup.exe 0x99 0xE9 0x5A 0xA1 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\HPSFReport.exe 0x3F 0xB0 0xF0 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Super Memo UX Czeoa I\supermemo.exe 0xFB 0xFF 0xBB 0x6C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\mmc.exe 0x39 0xA5 0xEC 0x93 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\TrojanKiller 2.2.0.6\trojankiller.exe 0xC8 0xB3 0xFA 0xD6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Installer\MSI1864.tmp 0x3D 0x09 0xE5 0x26 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Installer\MSI34CA.tmp 0x87 0x75 0x54 0x2B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Kepard\Kepard.exe 0x8A 0xB5 0x81 0x75 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Kepard\Updater.exe 0xEE 0xDA 0x1F 0x74 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\explorer.exe 0x38 0x33 0x53 0x48 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0x7C 0x95 0xC5 0x50 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\RegisterMCEApp.exe 0xEA 0xFE 0x97 0x4A ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\System32\sdiagnhost.exe 0xFA 0x85 0xDC 0x8D ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0x77 0x43 0xC9 0xBE ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0xFA 0xDA 0x40 0x74 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 0x9D 0x14 0x0E 0x0B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\ehome\ehshell.exe 0xCE 0xF9 0x9D 0x4B ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\ehome\ehrec.exe 0x2C 0x7D 0xD5 0x93 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Installer\MSIB80B.tmp-\DXSETUP.exe 0x7A 0xD5 0xF8 0x2F ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Program Files\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater\HPSSFUpdater.exe 0x24 0xB4 0x4A 0xD6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Program Files\Hewlett-Packard\HP Support Solutions\Modules\HPSFReport.exe 0x7B 0x35 0x91 0xA4 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_PendingActions.exe 0x37 0xDF 0x26 0x24 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0xB0 0xBC 0x27 0x4A ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\msiexec.exe 0x7B 0x33 0xD6 0xDA ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 0xF7 0x33 0xF8 0x50 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\CompatTelRunner.exe 0xD8 0x72 0x25 0xC6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Users\Wiesiek\AppData\Local\Temp\7ZipSfx.000\HPSupportSolutionsFramework.exe 0xD5 0x46 0x59 0x2A ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\rundll32.exe 0xE7 0x2B 0x1C 0xD4 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ACLMInstaller.exe 0x2E 0xB9 0x99 0x6B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\AclmControl.exe 0x4A 0x5F 0x97 0x6D ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 0x45 0x28 0x18 0x6E ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe 0x9C 0x22 0x78 0x1A ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\unzip.exe 0xC7 0x14 0x3E 0x54 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe 0x98 0x0E 0x30 0x15 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Users\Wiesiek\AppData\Local\Temp\HPSALight\msiinstaller.exe 0x24 0x96 0x2B 0xAB ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Framework\Resources\ProductConfig.exe 0x2E 0x8A 0x4F 0x1D ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Installer\MSIDF60.tmp 0x9A 0x27 0x48 0xE6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Framework\Resources\HPHelpUpdater.exe 0x3E 0x71 0x69 0xEA ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Framework\HPSF.exe 0x09 0x2D 0x32 0x9B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Framework\HPSF_Utils.exe 0x36 0x04 0xFF 0x01 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Framework\Warranty\HPWSD.exe 0x57 0x2B 0xBC 0x85 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 0xCE 0xF1 0xAC 0x40 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater\HPSSFUpdater.exe 0x6C 0x2C 0x65 0x9F ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_SystemRestoreCheck_V2.exe 0x96 0x00 0x27 0x46 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_CyberSecurity_v2.exe 0xD4 0x5C 0x33 0x46 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\WarrantyObjectChecker.exe 0x22 0x25 0x3B 0x46 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_BackupYourImportantData_v2.exe 0x66 0x7C 0x40 0x46 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\HPSAObjUtil8.exe 0x9F 0xF4 0x20 0x47 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_EOSStatus.exe 0x02 0x92 0x3F 0x46 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_InWarrantyCarePack.exe 0x60 0x81 0x47 0x46 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_GuestAccount_V2.exe 0x12 0x25 0x6A 0x46 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_InternetSecurity_Ex.exe 0x18 0xEA 0x4D 0x46 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_RecoveryDiscReminder_V2.exe 0x03 0xB9 0x6E 0x46 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_AntiVirusDefenderA.exe 0x5C 0x41 0x53 0x46 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_AntiVirusNoAV_A.exe 0x6F 0x14 0x72 0x46 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_AntiVirusDefenderB.exe 0x4B 0x1A 0x53 0x46 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_AntiVirusNoAV_B.exe 0x6B 0xAD 0x4E 0x46 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_BeforeUpgradingToWindows10.exe 0x96 0xF0 0xC4 0x46 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_WelcomeHPSAv8.exe 0x9E 0x3A 0x98 0x46 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_BeforeUpgradingToWindows10Business.exe 0xE8 0x8C 0x96 0x46 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_AfterUpgradingToWindows10.exe 0x3B 0x50 0x97 0x46 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_Windows10UpgradeAdvisory.exe 0xAA 0xEA 0x12 0x47 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_PIPMessage.exe 0x35 0x1E 0x0D 0x47 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Solutions\Modules\ActiveCheck\product_line\Detect_PostWarrantyCarePack.exe 0x02 0x25 0x99 0x46 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe 0x44 0x3E 0x6A 0x95 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Ceement\HPCEE.exe 0xD7 0xFB 0x1C 0xEA ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\wbem\WmiPrvSE.exe 0x37 0x6D 0x49 0x86 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\Executable Agent Data\Battery\BatteryTest.exe 0x58 0xCE 0x69 0x59 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Hewlett-Packard\HP Support Framework\HPSF_Tasks.exe 0x09 0xE2 0xA7 0xA0 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\svchost.exe 0x82 0x1B 0x50 0xFD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\TrojanKiller 2.2.0.6\trojankiller.exe 0xC7 0x2E 0xA8 0xF4 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Bin\ccSvcHst.exe 0x2D 0x7F 0x7C 0x7D ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\CyberGhost\CyberGhost.exe 0x62 0x60 0xE8 0x9B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\CyberGhost\CyberGhost.Service.exe 0x21 0xA4 0xF3 0x99 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\CyberGhost\wyUpdate.exe 0xB7 0x8E 0x40 0xA7 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\CyberGhost\BugReporterV2.exe 0x0D 0x51 0xE8 0x01 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\WerFault.exe 0xB9 0x2F 0xCE 0x2C ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Program Files\Hewlett-Packard\HP Support Framework\HPSF.exe 0x4D 0x69 0x16 0x20 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Program Files\Hewlett-Packard\HP Support Framework\HPSF_Tasks.exe 0x2E 0xE0 0x61 0x22 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Program Files\Hewlett-Packard\HP Ceement\HPCEE.exe 0x72 0x66 0x1B 0x2E ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\System32\svchost.exe 0x5B 0xCB 0x9F 0x46 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x2A 0x9B 0x2B 0x76 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\System32\msiexec.exe 0x0B 0x94 0x3C 0x15 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 0x37 0x92 0xD2 0x0A ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe 0xEF 0xA6 0xE7 0x89 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\System32\rundll32.exe 0x27 0x04 0x59 0x23 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Users\Wiesiek\AppData\Local\Temp\7ZipSfx.000\HPSupportSolutionsFramework.exe 0x57 0x80 0xDB 0x3B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@OverflowQuota 0x10 0x0A 0x49 0xDB ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@3F666857 983 Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{C1C4C025-BFA2-11E5-927A-806E6F6E6963} 9485970888 ---- EOF - GMER 2.2 ----