GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-04-30 20:12:19 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000035 ST1000LM024_HN-M101MBB rev.2BA30001 931,51GB Running: gmer.exe; Driver: C:\Users\RAFA~1\AppData\Local\Temp\fwpcraow.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Dashlane\Upgrade\DashlaneUpgradeService.exe[5092] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ff83022132f 8 bytes [50, 6E, 66, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Dashlane\Upgrade\DashlaneUpgradeService.exe[5092] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ff830221421 8 bytes [40, 6E, 66, 7F, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files (x86)\Dashlane\Upgrade\DashlaneUpgradeService.exe[5092] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ff8302216b0 8 bytes [20, 6E, 66, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Dashlane\Upgrade\DashlaneUpgradeService.exe[5092] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ff830221894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files (x86)\Dashlane\Upgrade\DashlaneUpgradeService.exe[5092] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ff83022230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Dashlane\Upgrade\DashlaneUpgradeService.exe[5092] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8302c6260 8 bytes {JMP QWORD [RIP-0xa4bb6]} .text C:\Program Files (x86)\Dashlane\Upgrade\DashlaneUpgradeService.exe[5092] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8302c6560 8 bytes {JMP QWORD [RIP-0xa4cd2]} .text C:\Program Files (x86)\Dashlane\Upgrade\DashlaneUpgradeService.exe[5092] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8302c65c0 8 bytes {JMP QWORD [RIP-0xa5297]} .text C:\Program Files (x86)\Dashlane\Upgrade\DashlaneUpgradeService.exe[5092] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8302c6800 8 bytes {JMP QWORD [RIP-0xa52d6]} .text 
C:\Program Files (x86)\Dashlane\Upgrade\DashlaneUpgradeService.exe[5092] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8302c6960 8 bytes {JMP QWORD [RIP-0xa5545]} .text C:\Program Files (x86)\Dashlane\Upgrade\DashlaneUpgradeService.exe[5092] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8302c7770 8 bytes {JMP QWORD [RIP-0xa5467]} .text C:\Program Files (x86)\Dashlane\Upgrade\DashlaneUpgradeService.exe[5092] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8302c7d70 8 bytes {JMP QWORD [RIP-0xa63af]} .text C:\Program Files (x86)\Dashlane\Upgrade\DashlaneUpgradeService.exe[5092] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8302c8fb0 8 bytes {JMP QWORD [RIP-0xa7682]} .text C:\Program Files (x86)\Dashlane\Upgrade\DashlaneUpgradeService.exe[5092] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000006da11462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Dashlane\Upgrade\DashlaneUpgradeService.exe[5092] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000006da116b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Dashlane\Upgrade\DashlaneUpgradeService.exe[5092] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000006da117eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Dashlane\Upgrade\DashlaneUpgradeService.exe[5092] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000006da1181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Dashlane\Upgrade\DashlaneUpgradeService.exe[5092] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000006da11857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ? C:\WINDOWS\system32\wbem\wbemsvc.dll [5092] entry point in ".rdata" section 000000006b6d8fc0 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [5092] entry point in ".rdata" section 00000000641ea020 ? 
C:\WINDOWS\system32\ncryptsslp.dll [5092] entry point in ".rdata" section 00000000641c04f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5336] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ff83022132f 8 bytes [50, 6E, D9, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5336] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ff830221421 8 bytes [40, 6E, D9, 7F, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5336] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ff8302216b0 8 bytes [20, 6E, D9, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5336] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ff830221894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5336] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ff83022230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5336] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8302c6260 8 bytes {JMP QWORD [RIP-0xa4bb6]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5336] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8302c6560 8 bytes {JMP QWORD [RIP-0xa4cd2]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5336] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8302c65c0 8 bytes {JMP QWORD [RIP-0xa5297]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5336] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8302c6800 8 bytes {JMP QWORD [RIP-0xa52d6]} .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5336] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8302c6960 8 bytes {JMP QWORD [RIP-0xa5545]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5336] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8302c7770 8 bytes {JMP QWORD [RIP-0xa5467]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5336] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8302c7d70 8 bytes {JMP QWORD [RIP-0xa63af]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5336] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8302c8fb0 8 bytes {JMP QWORD [RIP-0xa7682]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5336] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000006da11462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5336] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000006da116b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5336] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000006da117eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5336] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000006da1181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5336] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000006da11857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5800] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ff83022132f 8 bytes [50, 6E, 87, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5800] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ff830221421 8 bytes [40, 6E, 87, 7F, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5800] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ff8302216b0 8 bytes [20, 6E, 87, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5800] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ff830221894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5800] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ff83022230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8302c6260 8 bytes {JMP QWORD [RIP-0xa4bb6]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8302c6560 8 bytes {JMP QWORD [RIP-0xa4cd2]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8302c65c0 8 bytes {JMP QWORD [RIP-0xa5297]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8302c6800 8 bytes {JMP QWORD [RIP-0xa52d6]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8302c6960 8 bytes {JMP QWORD [RIP-0xa5545]} .text 
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8302c7770 8 bytes {JMP QWORD [RIP-0xa5467]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8302c7d70 8 bytes {JMP QWORD [RIP-0xa63af]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5800] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8302c8fb0 8 bytes {JMP QWORD [RIP-0xa7682]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5800] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000006da11462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5800] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000006da116b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5800] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000006da117eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5800] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000006da1181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5800] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000006da11857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\openvpn.exe[6244] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ff83022132f 8 bytes [50, 6E, FD, 7E, 00, 00, 00, ...] 
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\openvpn.exe[6244] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ff830221421 8 bytes [40, 6E, FD, 7E, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\openvpn.exe[6244] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ff8302216b0 8 bytes [20, 6E, FD, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\openvpn.exe[6244] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ff830221894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\openvpn.exe[6244] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ff83022230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\openvpn.exe[6244] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8302c6260 8 bytes {JMP QWORD [RIP-0xa4bb6]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\openvpn.exe[6244] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8302c6560 8 bytes {JMP QWORD [RIP-0xa4cd2]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\openvpn.exe[6244] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8302c65c0 8 bytes {JMP QWORD [RIP-0xa5297]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\openvpn.exe[6244] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8302c6800 8 bytes {JMP QWORD [RIP-0xa52d6]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\openvpn.exe[6244] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8302c6960 8 bytes {JMP QWORD [RIP-0xa5545]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\openvpn.exe[6244] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8302c7770 8 bytes {JMP QWORD [RIP-0xa5467]} 
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\openvpn.exe[6244] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8302c7d70 8 bytes {JMP QWORD [RIP-0xa63af]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\openvpn.exe[6244] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8302c8fb0 8 bytes {JMP QWORD [RIP-0xa7682]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\openvpn.exe[6244] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000006da11462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\openvpn.exe[6244] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000006da116b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\openvpn.exe[6244] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000006da117eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\openvpn.exe[6244] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000006da1181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\openvpn.exe[6244] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000006da11857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[6428] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ff83022132f 8 bytes [50, 6E, 9C, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[6428] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ff830221421 8 bytes [40, 6E, 9C, 7E, 00, 00, 00, ...] .text ... 
* 2 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[6428] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ff8302216b0 8 bytes [20, 6E, 9C, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[6428] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ff830221894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[6428] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ff83022230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[6428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8302c6260 8 bytes {JMP QWORD [RIP-0xa4bb6]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[6428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8302c6560 8 bytes {JMP QWORD [RIP-0xa4cd2]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[6428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8302c65c0 8 bytes {JMP QWORD [RIP-0xa5297]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[6428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8302c6800 8 bytes {JMP QWORD [RIP-0xa52d6]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[6428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8302c6960 8 bytes {JMP QWORD [RIP-0xa5545]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[6428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8302c7770 8 bytes {JMP QWORD [RIP-0xa5467]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[6428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8302c7d70 8 bytes {JMP QWORD [RIP-0xa63af]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[6428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8302c8fb0 8 bytes {JMP 
QWORD [RIP-0xa7682]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[6428] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000006da11462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[6428] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000006da116b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[6428] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000006da117eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[6428] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000006da1181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[6428] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000006da11857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6804] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ff83022132f 8 bytes [50, 6E, 5F, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6804] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ff830221421 8 bytes [40, 6E, 5F, 7E, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6804] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ff8302216b0 8 bytes [20, 6E, 5F, 7E, 00, 00, 00, ...] 
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6804] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ff830221894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6804] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ff83022230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6804] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8302c6260 8 bytes {JMP QWORD [RIP-0xa4bb6]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6804] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8302c6560 8 bytes {JMP QWORD [RIP-0xa4cd2]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6804] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8302c65c0 8 bytes {JMP QWORD [RIP-0xa5297]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6804] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8302c6800 8 bytes {JMP QWORD [RIP-0xa52d6]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6804] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8302c6960 8 bytes {JMP QWORD [RIP-0xa5545]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6804] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8302c7770 8 bytes {JMP QWORD [RIP-0xa5467]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6804] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8302c7d70 8 bytes {JMP QWORD [RIP-0xa63af]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6804] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8302c8fb0 8 bytes {JMP QWORD [RIP-0xa7682]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6804] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000006da11462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6804] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000006da116b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6804] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000006da117eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6804] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000006da1181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[6804] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000006da11857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[7596] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ff83022132f 8 bytes [50, 6E, 7A, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[7596] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ff830221421 8 bytes [40, 6E, 7A, 7E, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[7596] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ff8302216b0 8 bytes [20, 6E, 7A, 7E, 00, 00, 00, ...] 
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[7596] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ff830221894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[7596] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ff83022230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[7596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8302c6260 8 bytes {JMP QWORD [RIP-0xa4bb6]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[7596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8302c6560 8 bytes {JMP QWORD [RIP-0xa4cd2]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[7596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8302c65c0 8 bytes {JMP QWORD [RIP-0xa5297]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[7596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8302c6800 8 bytes {JMP QWORD [RIP-0xa52d6]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[7596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8302c6960 8 bytes {JMP QWORD [RIP-0xa5545]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[7596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8302c7770 8 bytes {JMP QWORD [RIP-0xa5467]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[7596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8302c7d70 8 bytes {JMP QWORD [RIP-0xa63af]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[7596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8302c8fb0 8 bytes {JMP QWORD [RIP-0xa7682]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[7596] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 
000000006da11462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[7596] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000006da116b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[7596] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000006da117eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[7596] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000006da1181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[7596] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000006da11857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ? C:\WINDOWS\system32\apphelp.dll [7596] entry point in ".rdata" section 000000006287f7c0 .text C:\Users\Rafał\Desktop\proramy\gmer\gmer.exe[6032] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ff83022132f 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\Rafał\Desktop\proramy\gmer\gmer.exe[6032] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ff830221421 8 bytes [40, 6E, F8, 7F, 00, 00, 00, ...] .text ... * 2 .text C:\Users\Rafał\Desktop\proramy\gmer\gmer.exe[6032] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ff8302216b0 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...] 
.text C:\Users\Rafał\Desktop\proramy\gmer\gmer.exe[6032] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ff830221894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Users\Rafał\Desktop\proramy\gmer\gmer.exe[6032] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ff83022230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Users\Rafał\Desktop\proramy\gmer\gmer.exe[6032] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8302c6260 8 bytes {JMP QWORD [RIP-0xa4bb6]} .text C:\Users\Rafał\Desktop\proramy\gmer\gmer.exe[6032] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8302c6560 8 bytes {JMP QWORD [RIP-0xa4cd2]} .text C:\Users\Rafał\Desktop\proramy\gmer\gmer.exe[6032] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8302c65c0 8 bytes {JMP QWORD [RIP-0xa5297]} .text C:\Users\Rafał\Desktop\proramy\gmer\gmer.exe[6032] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8302c6800 8 bytes {JMP QWORD [RIP-0xa52d6]} .text C:\Users\Rafał\Desktop\proramy\gmer\gmer.exe[6032] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8302c6960 8 bytes {JMP QWORD [RIP-0xa5545]} .text C:\Users\Rafał\Desktop\proramy\gmer\gmer.exe[6032] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8302c7770 8 bytes {JMP QWORD [RIP-0xa5467]} .text C:\Users\Rafał\Desktop\proramy\gmer\gmer.exe[6032] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8302c7d70 8 bytes {JMP QWORD [RIP-0xa63af]} .text C:\Users\Rafał\Desktop\proramy\gmer\gmer.exe[6032] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8302c8fb0 8 bytes {JMP QWORD [RIP-0xa7682]} .text C:\Users\Rafał\Desktop\proramy\gmer\gmer.exe[6032] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000006da11462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Rafał\Desktop\proramy\gmer\gmer.exe[6032] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000006da116b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\Rafał\Desktop\proramy\gmer\gmer.exe[6032] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000006da117eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Rafał\Desktop\proramy\gmer\gmer.exe[6032] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000006da1181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Rafał\Desktop\proramy\gmer\gmer.exe[6032] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000006da11857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ? C:\WINDOWS\system32\apphelp.dll [6032] entry point in ".rdata" section 000000006287f7c0 ---- Devices - GMER 2.2 ---- Device \Driver\klupd_klif_klark \Device\klark_030601_KLIF fffff80f2e389ed8 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [868:928] ffffaede6cf36c20 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x64 0xA0 0xD8 0x9C ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x5E 0xBF 0xB1 0x0B ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x78 0x8C 0xE4 0x9C ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xD9 0xAA 0xBD 0x0B ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 226 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD05060_00_07DF_D7^CAC392418F8F0AA3BFC471691D48C140@Timestamp 0x84 0x6B 0xBC 0xCA ... 
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 84 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 138596366 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 7b850bca-35f8-42b8-8121-55f0b23 Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{b38e6943-79a3-484e-89a8-d1ef9dbebc27} Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\94e97964d80c Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_39dc8@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_39dc8@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_39dc8@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_39dc8@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_39dc8@DisplayName CDPUserSvc_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_39dc8@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_39dc8@Description @%SystemRoot%\system32\cdpusersvc.dll,-101 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_39dc8\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_39dc8\Security@Security 0x01 0x00 0x14 0x80 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{1fc1b615-d5df-4874-a787-72b6e4bc2da6}@LastProbeTime 1493571248 Reg HKLM\SYSTEM\CurrentControlSet\Services\ialm\Device0@ProfilingToolValues 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_39dc8@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_39dc8@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_39dc8@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_39dc8@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_39dc8@DisplayName Usługa wiadomości_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_39dc8@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_39dc8@Description @%SystemRoot%\system32\MessagingService.dll,-101 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_39dc8\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_39dc8\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_39dc8\TriggerInfo Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_39dc8\TriggerInfo\0 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_39dc8\TriggerInfo\0@Type 7 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_39dc8\TriggerInfo\0@Action 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_39dc8\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_39dc8\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_39dc8\TriggerInfo\0@DataType0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_39dc8@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_39dc8@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_39dc8@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_39dc8@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_39dc8@DisplayName Synchronizuj hosta_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_39dc8@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_39dc8@Description @%SystemRoot%\system32\APHostRes.dll,-10001 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_39dc8\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_39dc8\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_39dc8@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_39dc8@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_39dc8@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_39dc8@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_39dc8@DisplayName Dane kontaktowe_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_39dc8@FailureActions 0x80 0x51 0x01 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_39dc8@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-15000 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_39dc8\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_39dc8\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 8119 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 1953 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 226 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@DhcpNameServer 192.168.0.1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6fb6f5f4-ba2a-4d4c-ac23-062379c2d240}@LeaseObtainedTime 1493571306 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6fb6f5f4-ba2a-4d4c-ac23-062379c2d240}@T1 1493574906 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6fb6f5f4-ba2a-4d4c-ac23-062379c2d240}@T2 1493577606 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6fb6f5f4-ba2a-4d4c-ac23-062379c2d240}@LeaseTerminatesTime 1493578506 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8b1d221e-d966-4573-9351-1fd4e9249c73}@DhcpIPAddress 10.104.245.58 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8b1d221e-d966-4573-9351-1fd4e9249c73}@DhcpServer 10.104.245.57 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8b1d221e-d966-4573-9351-1fd4e9249c73}@LeaseObtainedTime 1493559976 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8b1d221e-d966-4573-9351-1fd4e9249c73}@T1 1509327976 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8b1d221e-d966-4573-9351-1fd4e9249c73}@T2 1521153976 Reg 
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8b1d221e-d966-4573-9351-1fd4e9249c73}@LeaseTerminatesTime 1525095976 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_39dc8@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_39dc8@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_39dc8@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_39dc8@ImagePath C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_39dc8@DisplayName Magazyn danych u?ytkownika_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_39dc8@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_39dc8@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-10002 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_39dc8\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_39dc8\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_39dc8@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_39dc8@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_39dc8@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_39dc8@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_39dc8@DisplayName Dost?p do danych u?ytkownika_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_39dc8@FailureActions 0x80 0x51 0x01 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_39dc8@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-14000 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_39dc8\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_39dc8\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xFE 0x2F 0x7C 0xEE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xFE 0x97 0x40 0x50 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xFE 0xC7 0xB7 0x8C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_39dc8@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_39dc8@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_39dc8@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_39dc8@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_39dc8@DisplayName Us?uga u?ytkownika powiadomie? WNS_39dc8 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_39dc8@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_39dc8@Description @%SystemRoot%\system32\WpnUserService.dll,-2 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_39dc8\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_39dc8\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_39dc8 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}\iexplore@Count 64 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe 0x35 0x81 0x18 0x92 ... 
---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----