GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-06 18:39:33 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD10 rev.01.0 931,51GB Running: ol0wg8ey.exe; Driver: C:\Users\WACICI~1\AppData\Local\Temp\kxliauod.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077d61465 2 bytes [D6, 77] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077d614bb 2 bytes [D6, 77] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2672] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000732311a8 2 bytes [23, 73] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2672] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000732313a8 2 bytes [23, 73] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2672] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000073231422 2 bytes [23, 73] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2672] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000073231498 2 bytes [23, 73] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077d61465 2 bytes [D6, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077d614bb 2 bytes [D6, 77] .text ... 
* 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3684] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595a30a 1 byte [62] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077dafaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077dafb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077dafc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077db0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077db1900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dcc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077dd1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007595a30a 1 byte [62] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077465181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077465254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000774653d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000774654c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000774655e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007746567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007746589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077465a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\syswow64\user32.DLL!SetWinEventHook 0000000076f9ee09 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\syswow64\user32.DLL!UnhookWinEvent 0000000076fa3982 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000076fa7603 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 0000000076fa835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx 0000000076fbf52b 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077d61465 2 bytes [D6, 77] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077d614bb 2 bytes [D6, 77] .text ... 
* 2 .text C:\Windows\notepad.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bd3ae0 5 bytes JMP 000000010045075c .text C:\Windows\notepad.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bd7a90 5 bytes JMP 00000001004503a4 .text C:\Windows\notepad.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077c01490 5 bytes JMP 0000000100450b14 .text C:\Windows\notepad.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077c014f0 5 bytes JMP 0000000100450ecc .text C:\Windows\notepad.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 000000010045163c .text C:\Windows\notepad.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077c01810 5 bytes JMP 0000000100451284 .text C:\Windows\notepad.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 00000001004519f4 .text C:\Windows\notepad.exe[2060] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Windows\notepad.exe[2060] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffe06e00 5 bytes JMP 000007ff7fe21dac .text C:\Windows\notepad.exe[2060] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffe06f2c 5 bytes JMP 000007ff7fe20ecc .text C:\Windows\notepad.exe[2060] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffe07220 5 bytes JMP 000007ff7fe21284 .text C:\Windows\notepad.exe[2060] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffe0739c 5 bytes JMP 000007ff7fe2163c .text C:\Windows\notepad.exe[2060] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffe07538 5 bytes JMP 000007ff7fe219f4 .text C:\Windows\notepad.exe[2060] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffe075e8 5 bytes JMP 000007ff7fe203a4 .text C:\Windows\notepad.exe[2060] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffe0790c 5 bytes JMP 000007ff7fe2075c .text C:\Windows\notepad.exe[2060] 
C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffe07ab4 5 bytes JMP 000007ff7fe20b14 .text C:\Windows\notepad.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bd3ae0 5 bytes JMP 00000001002d075c .text C:\Windows\notepad.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bd7a90 5 bytes JMP 00000001002d03a4 .text C:\Windows\notepad.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077c01490 5 bytes JMP 00000001002d0b14 .text C:\Windows\notepad.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077c014f0 5 bytes JMP 00000001002d0ecc .text C:\Windows\notepad.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 00000001002d163c .text C:\Windows\notepad.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077c01810 5 bytes JMP 00000001002d1284 .text C:\Windows\notepad.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 00000001002d19f4 .text C:\Windows\notepad.exe[1016] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Windows\notepad.exe[1016] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffe06e00 5 bytes JMP 000007ff7fe21dac .text C:\Windows\notepad.exe[1016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffe06f2c 5 bytes JMP 000007ff7fe20ecc .text C:\Windows\notepad.exe[1016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffe07220 5 bytes JMP 000007ff7fe21284 .text C:\Windows\notepad.exe[1016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffe0739c 5 bytes JMP 000007ff7fe2163c .text C:\Windows\notepad.exe[1016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffe07538 5 bytes JMP 000007ff7fe219f4 .text C:\Windows\notepad.exe[1016] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffe075e8 5 bytes JMP 000007ff7fe203a4 .text C:\Windows\notepad.exe[1016] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffe0790c 5 bytes JMP 000007ff7fe2075c .text C:\Windows\notepad.exe[1016] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffe07ab4 5 bytes JMP 000007ff7fe20b14 .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077dafaa0 5 bytes JMP 0000000100030600 .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077dafb38 5 bytes JMP 0000000100030804 .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077dafc90 5 bytes JMP 0000000100030c0c .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077db0018 5 bytes JMP 0000000100030a08 .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077db1900 5 bytes JMP 0000000100030e10 .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dcc45a 5 bytes JMP 00000001000301f8 .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077dd1217 5 bytes JMP 00000001000303fc .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007595a30a 1 byte [62] .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077465181 5 bytes JMP 0000000100241014 .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077465254 5 bytes JMP 0000000100240804 .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000774653d5 5 bytes JMP 0000000100240a08 .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000774654c2 5 
bytes JMP 0000000100240c0c .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000774655e2 5 bytes JMP 0000000100240e10 .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007746567c 5 bytes JMP 00000001002401f8 .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007746589f 5 bytes JMP 00000001002403fc .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077465a22 5 bytes JMP 0000000100240600 .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076f9ee09 5 bytes JMP 00000001002501f8 .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076fa3982 5 bytes JMP 00000001002503fc .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076fa7603 5 bytes JMP 0000000100250804 .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076fa835c 5 bytes JMP 0000000100250600 .text C:\Users\Właściciel\Downloads\ol0wg8ey.exe[4936] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076fbf52b 5 bytes JMP 0000000100250a08 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!InitSafeBootMode] [fffff80002da2810] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!IoReleaseRemoveLockAndWaitEx] [fffff80002c6ec60] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ExDeleteResourceLite] [fffff80003006b40] \SystemRoot\system32\ntoskrnl.exe [PAGE] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!IoCreateSymbolicLink] [fffff80002ca7cb0] \SystemRoot\system32\ntoskrnl.exe [.text] IAT 
C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!RtlCopyUnicodeString] [fffff80002d2eca0] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!IoInitializeRemoveLockEx] [fffff80002cb3650] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ExInitializeResourceLite] [fffff80002dc50e0] \SystemRoot\system32\ntoskrnl.exe [POOLCODE] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ExFreePoolWithTag] [fffff80002c8b8c0] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwDeleteValueKey] [fffff80002c8ada0] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwSetValueKey] [fffff80002c8a380] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwClose] [fffff80002c8ba60] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwFlushKey] [fffff80002c8b860] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwDeleteKey] [fffff80002f30008] \SystemRoot\system32\ntoskrnl.exe [PAGE] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!RtlCompareUnicodeString] [fffff80002c7af04] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!IoReleaseRemoveLockEx] [fffff80002c9ad60] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!IofCompleteRequest] [fffff80002c8a260] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwReadFile] [fffff80002c8a680] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwSetInformationFile] [fffff80002c8ac40] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwCreateFile] 
[fffff80002c8a840] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwQueryDirectoryFile] [fffff80002c8a800] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwOpenFile] [fffff80002c8a3c0] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwQueryInformationFile] [fffff80002c8a2a0] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwWriteFile] [fffff80002c8d2a0] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwUnloadKey] [fffff80002c8bda0] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwLoadKey] [fffff80002c8a3e0] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwOpenKey] [fffff80002c5e760] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!_wcsicmp] [fffff80002c8a7e0] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwEnumerateKey] [fffff80002c8a540] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwCreateKey] [fffff80002c8a480] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwQueryValueKey] [fffff80002c8a400] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwEnumerateValueKey] [fffff80002c88500] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!strncmp] [fffff80002cdf4f8] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!_strlwr] [fffff80002c3c808] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!PsGetProcessImageFileName] 
[fffff80002f64e0c] \SystemRoot\system32\ntoskrnl.exe [PAGE] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!PsLookupProcessByProcessId] [fffff80002c8c720] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwQuerySymbolicLinkObject] [fffff80002c96140] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!KeSetEvent] [fffff80002ca0950] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!IoFreeWorkItem] [fffff80002c9d5c0] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!KeInitializeEvent] [fffff80002c8c1a0] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwOpenSymbolicLinkObject] [fffff80002ca08f8] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!IoAllocateWorkItem] [fffff80002f11330] \SystemRoot\system32\ntoskrnl.exe [PAGE] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!RtlPrefixUnicodeString] [fffff80002ca043c] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!KeQueryTimeIncrement] [fffff80002c987f0] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!KeWaitForSingleObject] [fffff80002c9ad70] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ObfDereferenceObject] [fffff80002c8b680] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwCreateSymbolicLinkObject] [fffff80002ca03c8] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!IoQueueWorkItem] [fffff80002c91c00] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!KeBugCheckEx] [fffff80002efe4b0] 
\SystemRoot\system32\ntoskrnl.exe [PAGE] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!IoCreateDevice] [fffff80002f6ffdc] \SystemRoot\system32\ntoskrnl.exe [PAGE] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ObOpenObjectByPointer] [fffff80002c8cf20] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!ZwSetSecurityObject] [fffff80002ec9608] \SystemRoot\system32\ntoskrnl.exe [ALMOSTRO] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!IoDeviceObjectType] [fffff80002cdf41c] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!_snwprintf] [fffff80002fa4cd0] \SystemRoot\system32\ntoskrnl.exe [PAGE] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!RtlLengthSecurityDescriptor] [fffff80002f5a580] \SystemRoot\system32\ntoskrnl.exe [PAGE] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!SeCaptureSecurityDescriptor] [fffff80002f04cf0] \SystemRoot\system32\ntoskrnl.exe [PAGE] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!RtlCreateSecurityDescriptor] [fffff80002f276e0] \SystemRoot\system32\ntoskrnl.exe [PAGE] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!RtlSetDaclSecurityDescriptor] [fffff80002ee79f0] \SystemRoot\system32\ntoskrnl.exe [PAGE] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!RtlAbsoluteToSelfRelativeSD] [fffff80003006610] \SystemRoot\system32\ntoskrnl.exe [PAGE] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!IoIsWdmVersionAvailable] [fffff8000315e130] \SystemRoot\system32\ntoskrnl.exe [PAGEDATA] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!SeExports] [fffff80002c32be4] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!wcschr] [fffff80002c51ed0] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!_wcsnicmp] [fffff80002c60c9c] \SystemRoot\system32\ntoskrnl.exe [.text] IAT 
C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!RtlLengthSid] [fffff80002f04ccc] \SystemRoot\system32\ntoskrnl.exe [PAGE] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!RtlAddAccessAllowedAce] [fffff80002f57688] \SystemRoot\system32\ntoskrnl.exe [PAGE] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!RtlGetSaclSecurityDescriptor] [fffff80002c6cfe4] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!RtlGetDaclSecurityDescriptor] [fffff80003000560] \SystemRoot\system32\ntoskrnl.exe [PAGE] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!RtlGetGroupSecurityDescriptor] [fffff800030005b0] \SystemRoot\system32\ntoskrnl.exe [PAGE] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!RtlGetOwnerSecurityDescriptor] [fffff80002f4a268] \SystemRoot\system32\ntoskrnl.exe [PAGE] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!RtlFreeUnicodeString] [fffff80002d1fcb0] \SystemRoot\system32\ntoskrnl.exe [.text] IAT C:\Windows\System32\Drivers\aswRvrt.sys[ntoskrnl.exe!PsGetVersion] [?] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [412:1604] 000007fef9f60ea8 Thread C:\Windows\system32\svchost.exe [412:924] 000007fef9f59db0 Thread C:\Windows\system32\svchost.exe [412:2072] 000007fef9f61c94 Thread C:\Windows\system32\svchost.exe [412:2420] 000007fef9f5aa10 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{15E4B358-0806-4EF1-8346-2AA509D3C208}\Connection@Name 6TO4 Adapter Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{15E4B358-0806-4EF1-8346-2AA509D3C208}?\Device\{C5B574BF-7DC6-4B91-95E6-39DA22A2BA91}?\Device\{2D899318-12EB-481F-9641-D0B74065EDDD}? 
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{15E4B358-0806-4EF1-8346-2AA509D3C208}"?"{C5B574BF-7DC6-4B91-95E6-39DA22A2BA91}"?"{2D899318-12EB-481F-9641-D0B74065EDDD}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{15E4B358-0806-4EF1-8346-2AA509D3C208}?\Device\TCPIP6TUNNEL_{C5B574BF-7DC6-4B91-95E6-39DA22A2BA91}?\Device\TCPIP6TUNNEL_{2D899318-12EB-481F-9641-D0B74065EDDD}? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 693 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 302 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{4325B531-98BA-464B-AD51-B0F23EA6E576}@DhcpIPAddress 78.8.202.229 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 69 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 3224929 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 3 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3AD1AB52-3E57-8660-69A9-FCE3E8553352} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3AD1AB52-3E57-8660-69A9-FCE3E8553352}@hakpghfenoakognl 0x6A 0x61 0x66 0x67 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3AD1AB52-3E57-8660-69A9-FCE3E8553352}@iaeamifgphdfcnccbj 0x63 0x61 0x62 0x67 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3AD1AB52-3E57-8660-69A9-FCE3E8553352}@iaapemlamacecpkmip 0x6A 0x61 0x66 0x67 ... 
---- Files - GMER 2.1 ---- File C:\Users\Właściciel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\75Q0N4J6\xml[1].xml 136872 bytes File C:\Users\Właściciel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZT7VG8S4\incalladwidget[1].htm 1461 bytes File C:\Users\Właściciel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZT7VG8S4\all[1].js 178332 bytes File C:\Users\Właściciel\AppData\Local\Temp\tmpC4C9.tmp 189288 bytes executable File C:\Users\Właściciel\AppData\Roaming\Skype\shared.xml (size mismatch) 66466/65142 bytes executable ---- EOF - GMER 2.1 ----