GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2011-11-28 21:11:34 Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 Hitachi_HDT725032VLA360 rev.V54OA7EA Running: 9som9xuj.exe; Driver: C:\Users\Tomi\AppData\Local\Temp\fxliipod.sys ---- System - GMER 1.0.15 ---- SSDT 90D808AE ZwCreateSection SSDT 90D808B8 ZwRequestWaitReplyPort SSDT 90D808B3 ZwSetContextThread SSDT 90D808BD ZwSetSecurityObject SSDT 90D808C2 ZwSystemDebugControl SSDT 90D8084F ZwTerminateProcess ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A62579 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A86F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!RtlSidHashLookup + 340 82A8E840 4 Bytes [AE, 08, D8, 90] {SCASB ; OR AL, BL; NOP } .text ntkrnlpa.exe!RtlSidHashLookup + 69C 82A8EB9C 4 Bytes [B8, 08, D8, 90] .text ntkrnlpa.exe!RtlSidHashLookup + 6E0 82A8EBE0 4 Bytes [B3, 08, D8, 90] .text ntkrnlpa.exe!RtlSidHashLookup + 75C 82A8EC5C 4 Bytes [BD, 08, D8, 90] .text ntkrnlpa.exe!RtlSidHashLookup + 7B0 82A8ECB0 4 Bytes [C2, 08, D8, 90] {RET 0xd808; NOP } .text ... ? System32\Drivers\spce.sys System nie może odnaleźć określonej ścieżki. ! PAGE ataport.SYS!DllUnload + 1 8BC8CAD7 4 Bytes JMP 8553E1D9 .text afd.sys!H_R_LHVagSLAUCl_aJN 9142E000 98 Bytes [90, 90, 90, 90, 90, FF, 15, ...] .text afd.sys!H_R_LHVagSLAUCl_aJN + 64 9142E064 126 Bytes [3B, 70, 04, 0F, 84, A2, 01, ...] .text afd.sys!H_R_LHVagSLAUCl_aJN + E4 9142E0E4 553 Bytes [8B, D0, 66, 23, CA, 66, 3B, ...] .text afd.sys!l_kE_VTTmwah_gle___nwv__ + E6 9142E30E 17 Bytes [90, 90, 68, C6, AF, 43, 91, ...] .text afd.sys!l_kE_VTTmwah_gle___nwv__ + F8 9142E320 236 Bytes [89, 6C, 24, 10, 8D, 6C, 24, ...] .text afd.sys!l_kE_VTTmwah_gle___nwv__ + 1E6 9142E40E 1 Byte [00] .text afd.sys!l_kE_VTTmwah_gle___nwv__ + 1E6 9142E40E 90 Bytes [00, 00, A1, D8, E1, 43, 91, ...] .text afd.sys!ONV_QFILZV_e_u_cmazsknP__H_WN__ + 39 9142E469 20 Bytes CALL 914365A6 \SystemRoot\system32\drivers\afd.sys (Ancillary Function Driver for WinSock/Microsoft Corporation) .text afd.sys!ONV_QFILZV_e_u_cmazsknP__H_WN__ + 4E 9142E47E 11 Bytes [5B, C3, 8B, 4C, 24, 04, F7, ...] .text afd.sys!ONV_QFILZV_e_u_cmazsknP__H_WN__ + 5B 9142E48B 415 Bytes [B8, 01, 00, 00, 00, 74, 33, ...] .text afd.sys!ONV_QFILZV_e_u_cmazsknP__H_WN__ + 1FB 9142E62B 119 Bytes [76, 1C, FF, 56, 28, 5E, 5D, ...] .text afd.sys!IKF_DNDZCN__MY_BO_D_vx + 5B 9142E6A3 232 Bytes [00, 57, 8B, 0A, 85, C9, 7E, ...] .text afd.sys!IKF_DNDZCN__MY_BO_D_vx + 144 9142E78C 32 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...] .text afd.sys!IKF_DNDZCN__MY_BO_D_vx + 165 9142E7AD 200 Bytes [90, 90, 90, 90, 90, FF, 25, ...] .text afd.sys!Z_Z_TRAFLUdtq___opekevDBAPLCJuch_g_Ie_u_KQb__wz_ytmP_W_T + 19 9142E876 86 Bytes [FF, 55, 8B, EC, 8B, 45, 0C, ...] .text afd.sys!Z_Z_TRAFLUdtq___opekevDBAPLCJuch_g_Ie_u_KQb__wz_ytmP_W_T + 70 9142E8CD 237 Bytes [18, C7, 41, 18, 10, 00, 00, ...] .text afd.sys!Z_Z_TRAFLUdtq___opekevDBAPLCJuch_g_Ie_u_KQb__wz_ytmP_W_T + 15F 9142E9BC 276 Bytes CALL 914302D4 \SystemRoot\system32\drivers\afd.sys (Ancillary Function Driver for WinSock/Microsoft Corporation) .text afd.sys!YOdkvbcjvk__lsRRC__ZK_H + 3E 9142EAD1 20 Bytes [95, 18, FF, FF, FF, 89, B5, ...] .text afd.sys!YOdkvbcjvk__lsRRC__ZK_H + 53 9142EAE6 137 Bytes [FF, FF, 89, 95, 28, FF, FF, ...] .text afd.sys!YOdkvbcjvk__lsRRC__ZK_H + DE 9142EB71 123 Bytes [83, F8, 02, 75, 3B, 33, C0, ...] .text afd.sys!YOdkvbcjvk__lsRRC__ZK_H + 15B 9142EBEE 65 Bytes [A5, C7, 85, 48, FF, FF, FF, ...] .text afd.sys!YOdkvbcjvk__lsRRC__ZK_H + 19D 9142EC30 22 Bytes [FF, 6A, 08, EB, 11, BE, F8, ...] .text ... .text afd.sys!dlNQSajug___bhdPDrg_exc_N + E8 9142ED93 55 Bytes [65, DC, 00, 8B, 4D, 14, 53, ...] .text afd.sys!dlNQSajug___bhdPDrg_exc_N + 120 9142EDCB 103 Bytes [74, 26, A1, 08, E4, 43, 91, ...] .text afd.sys!dlNQSajug___bhdPDrg_exc_N + 188 9142EE33 385 Bytes [AB, AB, AB, 8B, 45, 10, 89, ...] .text afd.sys!XESIWOYUUti__htutxXYY_IpfnoUD + D9 9142EFB6 225 Bytes [8B, 46, 44, 6B, C0, 30, 3B, ...] .text afd.sys!XESIWOYUUti__htutxXYY_IpfnoUD + 1BB 9142F098 132 Bytes [74, 11, 8B, 86, 8C, 00, 00, ...] .text afd.sys!XESIWOYUUti__htutxXYY_IpfnoUD + 240 9142F11D 72 Bytes JMP 9142F4D7 \SystemRoot\system32\drivers\afd.sys (Ancillary Function Driver for WinSock/Microsoft Corporation) .text afd.sys!XESIWOYUUti__htutxXYY_IpfnoUD + 289 9142F166 16 Bytes [73, 14, FF, 73, 18, FF, 73, ...] .text afd.sys!XESIWOYUUti__htutxXYY_IpfnoUD + 29A 9142F177 5 Bytes [8A, 15, 12, E0, 43] .text ... .text afd.sys!uot_tAWCPMaanmiWUTyPX_VG_pqjdw__wp_bu_nwfL + 14F 91430C36 212 Bytes [CF, FF, 15, 40, C3, 43, 91, ...] .text afd.sys!JADEVJLW_TAE_oF_fKOR + 12 91430D0B 36 Bytes [FF, 35, 04, E4, 43, 91, FF, ...] .text afd.sys!JADEVJLW_TAE_oF_fKOR + 37 91430D30 281 Bytes [75, 33, 3B, C3, 7C, 2F, A1, ...] .text afd.sys!JADEVJLW_TAE_oF_fKOR + 151 91430E4A 205 Bytes [FF, FF, FF, 89, 9D, 7C, FF, ...] .text afd.sys!jfm_j_wquoNI_U_PSw_fkFJKBsxu___Y_T__X_TWIM_CTAhlko + 5 91430F18 650 Bytes [8D, 7D, F0, AB, AB, 89, 4D, ...] .text afd.sys!b_PFBOe___aogSTIIS_wwd_etqxrv_o_le + 4B 914311A3 13 Bytes [00, 02, 88, 45, C8, 8D, 45, ...] .text afd.sys!b_PFBOe___aogSTIIS_wwd_etqxrv_o_le + 59 914311B1 3 Bytes [80, 7D, 2C] .text afd.sys!b_PFBOe___aogSTIIS_wwd_etqxrv_o_le + 5D 914311B5 22 Bytes [5F, 5B, 74, 42, 83, 3D, 9C, ...] .text afd.sys!b_PFBOe___aogSTIIS_wwd_etqxrv_o_le + 74 914311CC 82 Bytes [7D, 08, 01, 75, 2A, A1, 08, ...] .text afd.sys!b_PFBOe___aogSTIIS_wwd_etqxrv_o_le + C7 9143121F 82 Bytes [FC, 8B, 45, 1C, 8B, 4D, 28, ...] .text ... .text afd.sys!bqnvdzi_wiq_YQI___um__a_c_ + 7 9143136E 248 Bytes [C0, 74, 21, 6A, 02, 68, 10, ...] .text afd.sys!bqnvdzi_wiq_YQI___um__a_c_ + 100 91431467 238 Bytes [02, B0, 01, 5D, C2, 0C, 00, ...] .text afd.sys!bqnvdzi_wiq_YQI___um__a_c_ + 1EF 91431556 254 Bytes [FE, FF, FF, 89, B5, EC, FE, ...] .text afd.sys!bqnvdzi_wiq_YQI___um__a_c_ + 2EE 91431655 296 Bytes [08, 66, 89, 85, 6E, FF, FF, ...] .text afd.sys!bqnvdzi_wiq_YQI___um__a_c_ + 417 9143177E 21 Bytes CALL 9142E3D6 \SystemRoot\system32\drivers\afd.sys (Ancillary Function Driver for WinSock/Microsoft Corporation) .text ... ? C:\Windows\system32\drivers\afd.sys suspicious PE modification .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91A35000, 0x2F786C, 0xE8000020] .text USBPORT.SYS!DllUnload 919A8CA0 5 Bytes JMP 867981D8 ---- User code sections - GMER 1.0.15 ---- .text C:\Windows\system32\svchost.exe[972] ntdll.dll!NtProtectVirtualMemory 77055360 5 Bytes JMP 009D000A .text C:\Windows\system32\svchost.exe[972] ntdll.dll!NtWriteVirtualMemory 77055EE0 5 Bytes JMP 00A2000A .text C:\Windows\system32\svchost.exe[972] ntdll.dll!KiUserExceptionDispatcher 77056448 5 Bytes JMP 009C000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[1216] USER32.dll!TrackPopupMenu 76194B3B 4 Bytes JMP 62CD9A84 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Winamp\winamp.exe[1768] USER32.dll!SetScrollRange 7616AE3C 5 Bytes JMP 01DD9B59 C:\Program Files\Winamp\Plugins\gen_jumpex.dll .text C:\Program Files\Winamp\winamp.exe[1768] USER32.dll!GetScrollInfo 76175151 7 Bytes JMP 01DD9A8B C:\Program Files\Winamp\Plugins\gen_jumpex.dll .text C:\Program Files\Winamp\winamp.exe[1768] USER32.dll!SetScrollInfo 76176632 7 Bytes JMP 01DD9B03 C:\Program Files\Winamp\Plugins\gen_jumpex.dll .text C:\Program Files\Winamp\winamp.exe[1768] USER32.dll!GetScrollRange 76191B6C 5 Bytes JMP 01DD9AD8 C:\Program Files\Winamp\Plugins\gen_jumpex.dll .text C:\Program Files\Winamp\winamp.exe[1768] USER32.dll!SetScrollPos 76191BD0 5 Bytes JMP 01DD9B2E C:\Program Files\Winamp\Plugins\gen_jumpex.dll .text C:\Program Files\Winamp\winamp.exe[1768] USER32.dll!GetScrollPos 7619252B 5 Bytes JMP 01DD9AB3 C:\Program Files\Winamp\Plugins\gen_jumpex.dll .text C:\Program Files\Winamp\winamp.exe[1768] USER32.dll!EnableScrollBar 7619386D 7 Bytes JMP 01DD9A63 C:\Program Files\Winamp\Plugins\gen_jumpex.dll .text C:\Program Files\Winamp\winamp.exe[1768] USER32.dll!ShowScrollBar 76195785 5 Bytes JMP 01DD9B87 C:\Program Files\Winamp\Plugins\gen_jumpex.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2140] ntdll.dll!LdrLoadDll 7706F585 5 Bytes JMP 00F113F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8BA3F042] \SystemRoot\System32\Drivers\spce.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8BA3F6D6] \SystemRoot\System32\Drivers\spce.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8BA3F800] \SystemRoot\System32\Drivers\spce.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8BA3F13E] \SystemRoot\System32\Drivers\spce.sys ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[3264] @ C:\Windows\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [750B5D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[3264] @ C:\Windows\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [750B5D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[3264] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [750B5D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[3264] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [750B5D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[3264] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [750B5D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 855451F8 Device \Driver\volmgr \Device\VolMgrControl 855401F8 Device \Driver\usbuhci \Device\USBPDO-0 867991F8 Device \Driver\usbuhci \Device\USBPDO-1 867991F8 Device \Driver\usbuhci \Device\USBPDO-2 867991F8 Device \Driver\usbehci \Device\USBPDO-3 86776500 Device \Driver\usbuhci \Device\USBPDO-4 867991F8 Device \Driver\usbuhci \Device\USBPDO-5 867991F8 Device \Driver\usbuhci \Device\USBPDO-6 867991F8 Device \Driver\volmgr \Device\HarddiskVolume1 855401F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\usbehci \Device\USBPDO-7 86776500 Device \Driver\volmgr \Device\HarddiskVolume2 855401F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom0 8664A1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 855421F8 Device \Driver\atapi \Device\Ide\IdePort0 855421F8 Device \Driver\atapi \Device\Ide\IdePort1 855421F8 Device \Driver\atapi \Device\Ide\IdePort2 855421F8 Device \Driver\atapi \Device\Ide\IdePort3 855421F8 Device \Driver\atapi \Device\Ide\IdePort4 855421F8 Device \Driver\atapi \Device\Ide\IdePort5 855421F8 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 855421F8 Device \Driver\msahci \Device\Ide\PciIde0Channel0 855431F8 Device \Driver\msahci \Device\Ide\PciIde0Channel1 855431F8 Device \Driver\msahci \Device\Ide\PciIde0Channel2 855431F8 Device \Driver\msahci \Device\Ide\PciIde0Channel3 855431F8 Device \Driver\msahci \Device\Ide\PciIde0Channel4 855431F8 Device \Driver\msahci \Device\Ide\PciIde0Channel5 855431F8 Device \Driver\volmgr \Device\HarddiskVolume3 855401F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\volmgr \Device\HarddiskVolume4 855401F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\volmgr \Device\HarddiskVolume5 855401F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\USBSTOR \Device\00000075 86BE71F8 Device \Driver\USBSTOR \Device\00000076 86BE71F8 Device \Driver\volmgr \Device\HarddiskVolume6 855401F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\USBSTOR \Device\00000077 86BE71F8 Device \Driver\volmgr \Device\HarddiskVolume7 855401F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\NetBT \Device\NetBt_Wins_Export 866901F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{0C40448B-8A2B-4284-A0DE-70203240667F} 866901F8 Device \Driver\USBSTOR \Device\00000078 86BE71F8 Device \Driver\volmgr \Device\HarddiskVolume8 855401F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\ACPI_HAL \Device\0000004b halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) Device \Driver\USBSTOR \Device\00000079 86BE71F8 Device \Driver\usbuhci \Device\USBFDO-0 867991F8 Device \Driver\usbuhci \Device\USBFDO-1 867991F8 Device \Driver\usbuhci \Device\USBFDO-2 867991F8 Device \Driver\usbehci \Device\USBFDO-3 86776500 Device \Driver\usbuhci \Device\USBFDO-4 867991F8 Device \Driver\usbuhci \Device\USBFDO-5 867991F8 Device \Driver\usbuhci \Device\USBFDO-6 867991F8 Device \Driver\usbehci \Device\USBFDO-7 86776500 ---- Modules - GMER 1.0.15 ---- Module (noname) (*** hidden *** ) 8C1D8000-8C1F7000 (126976 bytes) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x00 0x93 0x24 0xE1 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x00 0x93 0x24 0xE1 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xEE 0x63 0x9E 0x31 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9F 0x7B 0x3A 0x6E ... ---- Files - GMER 1.0.15 ---- File C:\Windows\$NtUninstallKB29054$\3496923886 0 bytes File C:\Windows\$NtUninstallKB29054$\769612961 0 bytes File C:\Windows\$NtUninstallKB29054$\769612961\@ 2048 bytes File C:\Windows\$NtUninstallKB29054$\769612961\bckfg.tmp 764 bytes File C:\Windows\$NtUninstallKB29054$\769612961\cfg.ini 342 bytes File C:\Windows\$NtUninstallKB29054$\769612961\Desktop.ini 4608 bytes File C:\Windows\$NtUninstallKB29054$\769612961\keywords 0 bytes File C:\Windows\$NtUninstallKB29054$\769612961\kwrd.dll 223744 bytes File C:\Windows\$NtUninstallKB29054$\769612961\L 0 bytes File C:\Windows\$NtUninstallKB29054$\769612961\L\xadqgnnk 338944 bytes File C:\Windows\$NtUninstallKB29054$\769612961\U 0 bytes File C:\Windows\$NtUninstallKB29054$\769612961\U\00000001.@ 1536 bytes File C:\Windows\$NtUninstallKB29054$\769612961\U\00000002.@ 224768 bytes File C:\Windows\$NtUninstallKB29054$\769612961\U\00000004.@ 1024 bytes File C:\Windows\$NtUninstallKB29054$\769612961\U\80000000.@ 1024 bytes File C:\Windows\$NtUninstallKB29054$\769612961\U\80000004.@ 12800 bytes File C:\Windows\$NtUninstallKB29054$\769612961\U\80000032.@ 98304 bytes ---- EOF - GMER 1.0.15 ----