GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-05-19 17:43:11 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003a ST1000DM003-1SB10C rev.CC43 931,51GB Running: gmer.exe; Driver: C:\Users\Kuba\AppData\Local\Temp\pgriqpoc.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007fff484c4ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007fff484c4fcc 8 bytes [50, 6E, E3, 7F, 00, 00, 00, ...] .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007fff484c52a6 8 bytes [40, 6E, E3, 7F, 00, 00, 00, ...] .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007fff484c549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007fff484c583f 8 bytes [20, 6E, E3, 7F, 00, 00, 00, ...] .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007fff484c5895 8 bytes [10, 6E, E3, 7F, 00, 00, 00, ...] .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007fff484c5a44 8 bytes [00, 6E, E3, 7F, 00, 00, 00, ...] .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007fff484c5fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fff48540780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007fff48540900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff48540930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007fff48540a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007fff48540b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007fff485411c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007fff485414c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007fff48541d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077bc13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077bc1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077bc1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077bc1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077bc16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077bc16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\spdsvc.exe[3516] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077bc1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007fff484c4ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007fff484c4fcc 8 bytes [50, 6E, F1, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007fff484c52a6 8 bytes [40, 6E, F1, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007fff484c549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007fff484c583f 8 bytes [20, 6E, F1, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007fff484c5895 8 bytes [10, 6E, F1, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007fff484c5a44 8 bytes [00, 6E, F1, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007fff484c5fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fff48540780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007fff48540900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff48540930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007fff48540a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007fff48540b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007fff485411c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007fff485414c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007fff48541d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077bc13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077bc1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077bc1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077bc1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077bc16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077bc16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[3640] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077bc1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007fff484c4ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007fff484c4fcc 8 bytes [50, 6E, B1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007fff484c52a6 8 bytes [40, 6E, B1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007fff484c549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007fff484c583f 8 bytes [20, 6E, B1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007fff484c5895 8 bytes [10, 6E, B1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007fff484c5a44 8 bytes [00, 6E, B1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007fff484c5fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fff48540780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007fff48540900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff48540930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007fff48540a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007fff48540b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007fff485411c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007fff485414c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007fff48541d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077bc13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077bc1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077bc1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077bc1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077bc16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077bc16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2576] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077bc1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007fff484c4ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007fff484c4fcc 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007fff484c52a6 8 bytes [40, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007fff484c549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007fff484c583f 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007fff484c5895 8 bytes [10, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007fff484c5a44 8 bytes [00, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007fff484c5fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fff48540780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007fff48540900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff48540930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007fff48540a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007fff48540b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007fff485411c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007fff485414c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007fff48541d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077bc13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077bc1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077bc1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077bc1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077bc16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077bc16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\AOL\AOL Shield\ep.exe[3900] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077bc1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007fff484c4ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007fff484c4fcc 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007fff484c52a6 8 bytes [40, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007fff484c549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007fff484c583f 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007fff484c5895 8 bytes [10, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007fff484c5a44 8 bytes [00, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007fff484c5fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fff48540780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007fff48540900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff48540930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007fff48540a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007fff48540b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007fff485411c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007fff485414c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007fff48541d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077bc13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077bc1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077bc1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077bc1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077bc16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077bc16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kuba\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[6788] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077bc1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\system32\AUDIODG.EXE[ntdll.dll!NtAlpcSendWaitReceivePort] [7fff48660000] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\system32\AUDIODG.EXE[ntdll.dll!NtClose] [7fff48660010] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\SYSTEM32\KERNEL32.DLL[ntdll.dll!NtClose] [7fff48660010] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\SYSTEM32\KERNELBASE.dll[ntdll.dll!NtClose] [7fff48660010] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtClose] [7fff48660010] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [7fff48660000] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\SYSTEM32\combase.dll[ntdll.dll!NtClose] [7fff48660010] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!NtClose] [7fff48660010] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\SYSTEM32\kernel.appcore.dll[ntdll.dll!NtClose] [7fff48660010] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [7fff48660010] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\system32\bcryptPrimitives.dll[ntdll.dll!NtClose] [7fff48660010] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\SYSTEM32\user32.dll[ntdll.dll!NtClose] [7fff48660010] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtClose] [7fff48660010] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\system32\CRYPTSP.dll[ntdll.dll!NtClose] [7fff48660010] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose] [7fff48660010] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\system32\bcrypt.dll[ntdll.dll!NtClose] [7fff48660010] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\System32\audioses.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [7fff48660000] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\System32\AVRT.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [7fff48660000] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\System32\AVRT.dll[ntdll.dll!NtClose] [7fff48660010] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\System32\ADVAPI32.dll[ntdll.dll!NtClose] [7fff48660010] IAT C:\Windows\system32\AUDIODG.EXE[6212] @ C:\Windows\System32\ole32.dll[ntdll.dll!NtClose] [7fff48660010] IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\KERNEL32.DLL[ntdll.dll!NtSetValueKey] [7fff441ad930] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\KERNEL32.DLL[ntdll.dll!NtSetInformationFile] [7fff441994c0] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\KERNEL32.DLL[ntdll.dll!NtCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtSetInformationFile] [7fff441994c0] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtSetValueKey] [7fff441ad930] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\COMCTL32.dll[USER32.dll!SetWindowsHookExW] [7fff441e0a90] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\COMCTL32.dll[USER32.dll!CallNextHookEx] [7fff441993d0] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\SYSTEM32\WININET.dll[ntdll.dll!NtCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\SYSTEM32\WININET.dll[ntdll.dll!NtSetInformationFile] [7fff441994c0] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\SYSTEM32\IPHLPAPI.DLL[ntdll.dll!ZwCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\SYSTEM32\IPHLPAPI.DLL[ntdll.dll!NtCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\SYSTEM32\UxTheme.dll[USER32.dll!CallNextHookEx] [7fff441993d0] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\SYSTEM32\UxTheme.dll[USER32.dll!SetWindowsHookExW] [7fff441e0a90] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\USER32.dll[ntdll.dll!NtSetValueKey] [7fff441ad930] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\COMDLG32.dll[USER32.dll!SetWindowsHookExW] [7fff441e0a90] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\COMDLG32.dll[USER32.dll!CallNextHookEx] [7fff441993d0] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetValueKey] [7fff441ad930] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\SHELL32.dll[USER32.dll!CallNextHookEx] [7fff441993d0] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [7fff441e0a90] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\SHELL32.dll[ntdll.dll!NtSetInformationFile] [7fff441994c0] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\SHELL32.dll[ntdll.dll!NtCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtSetInformationFile] [7fff441994c0] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\ole32.dll[ntdll.dll!NtCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\ole32.dll[USER32.dll!CallNextHookEx] [7fff441993d0] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [7fff441e0a90] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtSetInformationFile] [7fff441994c0] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\SYSTEM32\iertutil.dll[ntdll.dll!NtCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\SYSTEM32\cfgmgr32.dll[ntdll.dll!NtCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\SYSTEM32\SHCORE.DLL[ntdll.dll!NtCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\SYSTEM32\ntmarta.dll[ntdll.dll!NtCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtSetInformationFile] [7fff441994c0] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\SYSTEM32\dhcpcsvc.DLL[ntdll.dll!NtCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\SYSTEM32\DNSAPI.dll[ntdll.dll!NtCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\System32\rasadhlp.dll[ntdll.dll!NtCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\SETUPAPI.dll[ntdll.dll!NtSetValueKey] [7fff441ad930] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\SETUPAPI.dll[ntdll.dll!NtSetInformationFile] [7fff441994c0] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtCreateFile] [7fff4419cd10] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\System32\ieframe.dll[USER32.dll!CallNextHookEx] [7fff441993d0] C:\Windows\system32\apphelp.dll IAT D:\FRST\FRST64.exe[3004] @ C:\Windows\System32\ieframe.dll[USER32.dll!SetWindowsHookExW] [7fff441e0a90] C:\Windows\system32\apphelp.dll ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\csrss.exe [5060:2724] fffff9600089a2d0 Thread C:\Windows\Explorer.EXE [2560:2584] 00007fff2bb2e630 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1910703430 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter 599 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017041020170417 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017041020170417@CachePrefix :2017041020170417: Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017041020170417@CachePath %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017041020170417 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017041020170417@CacheOptions 11 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017041020170417@CacheRepair 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017041020170417@CacheLimit 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017041720170424 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017041720170424@CachePrefix :2017041720170424: Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017041720170424@CachePath %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017041720170424 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017041720170424@CacheOptions 11 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017041720170424@CacheRepair 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017041720170424@CacheLimit 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017050420170505 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017050420170505@CachePrefix :2017050420170505: Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017050420170505@CachePath %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017050420170505 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017050420170505@CacheOptions 11 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017050420170505@CacheRepair 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017050420170505@CacheLimit 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017050520170506 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017050520170506@CachePrefix :2017050520170506: Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017050520170506@CachePath %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017050520170506 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017050520170506@CacheOptions 11 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017050520170506@CacheRepair 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017050520170506@CacheLimit 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@0 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LAV Filters\LAV Audio Configuration.lnk?C:\Windows\system32\rundll32.exe?LAVAudio.ax,OpenConfiguration? Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@1 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LAV Filters\LAV Splitter Configuration.lnk?C:\Windows\system32\rundll32.exe?LAVSplitter.ax,OpenConfiguration? Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@2 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LAV Filters\LAV Video Configuration.lnk?C:\Windows\system32\rundll32.exe?LAVVideo.ax,OpenConfiguration? Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@5 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video to Video\Video to Video.lnk?C:\Program Files (x86)\Video to Video\vv.exe?? Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@6 C:\Users\Kuba\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FormatFactory\FormatFactory.lnk?C:\Program Files (x86)\FormatFactory\FormatFactory.exe?? Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@7 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk?C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe?? ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----