GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-03-09 18:56:25 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-80A0RT0 rev.01.01A01 298,09GB Running: 8sjq0dw6.exe; Driver: C:\Users\aaa\AppData\Local\Temp\uwdiapow.sys ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwReplaceKey + 1525 82E77B55 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EB1BF2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ---- User code sections - GMER 2.1 ---- .text D:\AAAProgramy\Firefox\firefox.exe[3524] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 75D795DE 7 Bytes JMP 5F2750C2 D:\AAAProgramy\Firefox\xul.dll .text D:\AAAProgramy\Firefox\firefox.exe[3524] kernel32.dll!QueryPerformanceCounter + 13 75D7C5E5 7 Bytes JMP 5F275ABC D:\AAAProgramy\Firefox\xul.dll .text D:\AAAProgramy\Firefox\firefox.exe[3524] kernel32.dll!LoadAppInitDlls + 355 75D7F6A6 7 Bytes JMP 5EFE5747 D:\AAAProgramy\Firefox\xul.dll .text D:\AAAProgramy\Firefox\firefox.exe[3524] USER32.dll!CreateWindowExA 75E1BF48 5 Bytes JMP 5F35B40F D:\AAAProgramy\Firefox\xul.dll .text D:\AAAProgramy\Firefox\firefox.exe[3524] USER32.dll!CreateWindowExW 75E1EC84 5 Bytes JMP 5EFC32C7 D:\AAAProgramy\Firefox\xul.dll .text D:\AAAProgramy\Firefox\firefox.exe[3524] USER32.dll!GetWindowInfo 75E24B66 5 Bytes JMP 5FD83F44 D:\AAAProgramy\Firefox\xul.dll .text D:\AAAProgramy\Firefox\firefox.exe[3524] GDI32.dll!GetViewportOrgEx + 26C 760B87DB 7 Bytes JMP 5F2749EB D:\AAAProgramy\Firefox\xul.dll .text D:\AAAProgramy\Firefox\plugin-container.exe[3924] USER32.dll!CreateWindowExA 75E1BF48 5 Bytes JMP 5F35B40F D:\AAAProgramy\Firefox\xul.dll .text D:\AAAProgramy\Firefox\plugin-container.exe[3924] USER32.dll!CreateWindowExW 75E1EC84 5 Bytes JMP 5EFC32C7 D:\AAAProgramy\Firefox\xul.dll .text D:\AAAProgramy\Firefox\plugin-container.exe[3924] USER32.dll!GetWindowInfo 75E24B66 5 Bytes JMP 5FC51162 D:\AAAProgramy\Firefox\xul.dll .text D:\AAAProgramy\Firefox\plugin-container.exe[3924] USER32.dll!ToUnicodeEx + 71 75E3223B 7 Bytes JMP 5FC4F883 D:\AAAProgramy\Firefox\xul.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtCreateFile + 6 777655F2 4 Bytes [28, 28, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtCreateFile + B 777655F7 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtCreateKey + 6 77765632 4 Bytes [68, 29, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtCreateKey + B 77765637 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtCreateMutant + 6 77765672 4 Bytes [68, 2A, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtCreateMutant + B 77765677 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtCreateSection + 6 77765712 4 Bytes [A8, 2A, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtCreateSection + B 77765717 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtMapViewOfSection + B 77765C57 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenFile + 6 77765D02 4 Bytes [68, 28, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenFile + B 77765D07 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenKey + 6 77765D32 4 Bytes [A8, 29, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenKey + B 77765D37 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenKeyEx + B 77765D47 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenMutant + 6 77765D82 4 Bytes [28, 2A, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenMutant + B 77765D87 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenProcess + 6 77765DB2 4 Bytes [68, 2B, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenProcess + B 77765DB7 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenProcessToken + 6 77765DC2 4 Bytes [A8, 2B, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenProcessToken + B 77765DC7 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenProcessTokenEx + 6 77765DD2 4 Bytes [68, 2C, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenProcessTokenEx + B 77765DD7 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenSection + B 77765DF7 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenThread + 6 77765E32 4 Bytes [28, 2B, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenThread + B 77765E37 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenThreadToken + 6 77765E42 4 Bytes [28, 2C, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenThreadToken + B 77765E47 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenThreadTokenEx + 6 77765E52 4 Bytes [A8, 2C, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtOpenThreadTokenEx + B 77765E57 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtQueryAttributesFile + 6 77765F62 4 Bytes [A8, 28, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtQueryAttributesFile + B 77765F67 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtQueryFullAttributesFile + B 77766017 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtSetInformationFile + 6 77766662 4 Bytes [28, 29, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtSetInformationFile + B 77766667 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtSetInformationThread + B 777666C7 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtUnmapViewOfSection + 6 777669E2 4 Bytes [28, 2D, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ntdll.dll!NtUnmapViewOfSection + B 777669E7 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] kernel32.dll!CreateProcessW 75D3204D 5 Bytes JMP 00180030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] kernel32.dll!CreateProcessA 75D32082 5 Bytes JMP 00180070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!ActivateKeyboardLayout 75E1820B 5 Bytes JMP 002304F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!ScreenToClient 75E1A50E 7 Bytes JMP 00230670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!RegisterClipboardFormatA 75E1C099 5 Bytes JMP 002302F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!RegisterClipboardFormatW 75E1DF95 5 Bytes JMP 002302B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!SetCursor 75E2307D 5 Bytes JMP 00230530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!MonitorFromWindow 75E2362A 7 Bytes JMP 00230630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!PostMessageW 75E24483 5 Bytes JMP 002305F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!IsWindowVisible 75E24D71 7 Bytes JMP 002306B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!GetClientRect 75E254ED 7 Bytes JMP 002305B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!MapWindowPoints 75E25CBA 5 Bytes JMP 00230570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!GetParent 75E26039 7 Bytes JMP 002306F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!EmptyClipboard 75E32924 5 Bytes JMP 00230130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!SetClipboardData 75E3297A 5 Bytes JMP 00230170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!GetClipboardData 75E32BBF 5 Bytes JMP 00230030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!GetClipboardFormatNameW 75E35FEA 5 Bytes JMP 00230230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!SetClipboardViewer 75E3700E 5 Bytes JMP 002304B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!GetClipboardFormatNameA 75E37022 5 Bytes JMP 00230270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!ChangeClipboardChain 75E41494 5 Bytes JMP 00230430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!GetTopWindow 75E424F1 7 Bytes JMP 00230730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!CloseClipboard 75E44484 5 Bytes JMP 002300B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!OpenClipboard 75E44496 5 Bytes JMP 00230070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!IsClipboardFormatAvailable 75E44517 5 Bytes JMP 002300F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!GetClipboardSequenceNumber 75E4452B 5 Bytes JMP 00230330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!GetClipboardOwner 75E4453D 5 Bytes JMP 00230370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!CountClipboardFormats 75E44721 5 Bytes JMP 002301F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!EnumClipboardFormats 75E44803 5 Bytes JMP 002301B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!GetOpenClipboardWindow 75E44822 5 Bytes JMP 002303F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!SetCursorPos 75E5C266 5 Bytes JMP 00230770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!GetClipboardViewer 75E74BCB 5 Bytes JMP 00230470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] user32.DLL!GetPriorityClipboardFormat 75E74CCD 5 Bytes JMP 002303B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!DeleteObject 760B5F14 5 Bytes JMP 002401B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!SelectObject 760B6640 5 Bytes JMP 002405F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!SetTextColor 760B6906 5 Bytes JMP 00240A30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!SetBkMode 760B69B1 5 Bytes JMP 002408F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!DeleteDC 760B6EAA 5 Bytes JMP 00240170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!GetDeviceCaps 760B6F7F 5 Bytes JMP 002403B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!ExtSelectClipRgn 760B7114 5 Bytes JMP 002402F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!SelectClipRgn 760B7242 5 Bytes JMP 002405B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!GetCurrentObject 760B782B 5 Bytes JMP 00240370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!SetStretchBltMode 760B7872 5 Bytes JMP 002406B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!GetTextMetricsW 760B7B1F 5 Bytes JMP 00240E30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!GetTextAlign 760B7D3F 5 Bytes JMP 00240D70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!IntersectClipRect 760B7D8E 5 Bytes JMP 002403F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!ExtTextOutW 760B8122 5 Bytes JMP 00240970 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!SetTextAlign 760B821E 5 Bytes JMP 002409F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!GetClipBox 760B84B5 5 Bytes JMP 00240330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!MoveToEx 760B8BB1 5 Bytes JMP 00240470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!StretchDIBits 760BA204 5 Bytes JMP 00240770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!RestoreDC 760BA341 5 Bytes JMP 00240530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!SaveDC 760BA411 5 Bytes JMP 00240570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!GetTextExtentPoint32W 760BB17D 5 Bytes JMP 00240670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!GetTextFaceW 760BB402 5 Bytes JMP 00240D30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!GetFontData 760BB98C 5 Bytes JMP 00240C70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!CreateDCA 760BBDC9 5 Bytes JMP 002400B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!CreateDCW 760BC099 5 Bytes JMP 002400F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!CreateICW 760BC0F0 5 Bytes JMP 00240130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!SetWorldTransform 760BCD04 5 Bytes JMP 002406F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!GetTextMetricsA 760BD328 5 Bytes JMP 00240DF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!Rectangle 760BF1BD 5 Bytes JMP 002409B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!LineTo 760BF559 5 Bytes JMP 00240430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!SetICMMode 760BFA62 5 Bytes JMP 00240DB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!ExtTextOutA 760C0CDE 5 Bytes JMP 00240930 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!GetTextExtentPoint32A 760C113D 5 Bytes JMP 00240630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!ExtEscape 760C2D09 5 Bytes JMP 002402B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!Escape 760C33C0 5 Bytes JMP 00240270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!ResetDCW 760C3A5B 5 Bytes JMP 00240AB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!EndPage 760C409A 5 Bytes JMP 00240230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!SetPolyFillMode 760C6741 5 Bytes JMP 00240B30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!SetMiterLimit 760C68FD 5 Bytes JMP 00240B70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!GetTextFaceA 760D0C82 5 Bytes JMP 00240CF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!GetGlyphOutlineW 760DC3A2 5 Bytes JMP 00240CB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!CreateScalableFontResourceW 760DEA07 5 Bytes JMP 00240BB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!AddFontResourceW 760DEE03 5 Bytes JMP 00240BF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!RemoveFontResourceW 760DF2F9 5 Bytes JMP 00240C30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!AbortDoc 760E4FAB 5 Bytes JMP 00240030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!EndDoc 760E53F2 5 Bytes JMP 002401F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!StartPage 760E54DD 5 Bytes JMP 00240730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!StartDocW 760E5EF8 5 Bytes JMP 002407F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!BeginPath 760E66A5 5 Bytes JMP 00240830 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!SelectClipPath 760E66FC 5 Bytes JMP 00240AF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!CloseFigure 760E6757 5 Bytes JMP 00240070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!EndPath 760E67AE 5 Bytes JMP 00240A70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!StrokePath 760E69E1 5 Bytes JMP 002407B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!FillPath 760E6A6E 5 Bytes JMP 00240870 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!PolylineTo 760E6EDC 5 Bytes JMP 002404F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!PolyBezierTo 760E6F6D 5 Bytes JMP 002404B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] GDI32.dll!PolyDraw 760E701F 5 Bytes JMP 002408B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ole32.dll!OleSetClipboard 774201DE 5 Bytes JMP 00260030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ole32.dll!OleIsCurrentClipboard 7742365E 5 Bytes JMP 00260070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe[3984] ole32.dll!OleGetClipboard 7744FD75 5 Bytes JMP 002600B0 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1392] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [742F5635] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[1392] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [742F56F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[1392] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [743124A2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[1392] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7431251D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[1392] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74308581] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[1392] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74304D35] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[1392] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [743050DC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[1392] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [743051B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[1392] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [743066DE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[1392] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [743082D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[1392] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74308827] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[1392] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74309088] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[1392] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7430E22B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[1392] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74304C67] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\111111111111 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\111111111111 (not active ControlSet) Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\ASUS\ControlDeck\ControlDeck.exe 0x76 0x58 0xB2 0x21 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x5D 0x4B 0x91 0x9A ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe 0xF4 0xAB 0x2C 0xFE ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\EA Sports\FIFA 11\Game\fifasetup\fifaconfig.exe 0x5A 0xC3 0xFA 0xEC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\sdiagnhost.exe 0x9F 0xA8 0xD3 0x93 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0xAB 0x6F 0xB6 0x99 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Gry\The Sims 3\Game\Bin\Sims3Launcher.exe 0xD6 0xC6 0x8E 0xAD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Gry\Simcity\SimCitySocieties.exe 0xC2 0x39 0xB2 0x27 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Gry\Simcity\Launcher\SCSocietiesLauncher.exe 0x9C 0x3C 0x4E 0x1C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\msiexec.exe 0x45 0xF9 0x02 0x66 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\aaa\AppData\Local\Temp\{0F21644D-F913-43EE-A2D7-B8A9425F988F}\dotnetinstaller.exe 0xE9 0xA3 0x5A 0xFB ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\aaa\AppData\Local\Temp\{0F21644D-F913-43EE-A2D7-B8A9425F988F}\{B7666229-351B-47D9-AA6F-DF777CF04BBF}\DXSETUP.exe 0xD8 0x79 0x30 0xE3 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Gry\Cezar IV\C4Exec.exe 0x0F 0x42 0x1E 0x71 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\aaa\AppData\Local\Temp\{14116CE2-067F-479B-9E1C-46816F70B2EF}\{B7666229-351B-47D9-AA6F-DF777CF04BBF}\AnsiToUni.exe 0x03 0x3B 0xBF 0xED ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Gry\Cezar IV\CaesarIV.exe 0x75 0xC8 0xB3 0x75 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\ASUS\Fast Boot\FastBoot.exe 0x9B 0x77 0xEF 0xC3 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\ehshell.exe 0x6B 0x69 0xAC 0x08 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\mcupdate.exe 0x15 0xDB 0xA9 0xF1 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\ehrec.exe 0xC0 0x78 0x72 0x62 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\mcGlidHost.exe 0x48 0xE3 0x17 0x61 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe 0xB5 0x39 0x48 0x5F ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Gry\The Sims 3\Game\Bin\Sims3LauncherW.exe 0xB1 0x0D 0x2E 0xCF ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Gry\The Sims 3\The Sims 3\Game\Bin\Sims3LauncherW.exe 0x33 0xA3 0x03 0xB6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Gry\The Sims 3\The Sims 3 Basic\Game\Bin\Sims3Launcher.exe 0x9E 0x0E 0x5A 0xEB ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\WerFault.exe 0x5C 0x56 0xDB 0x02 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Gry\The Sims 3\The Sims 3 Basic\Game\Bin\Sims3LauncherW.exe 0xE3 0xB5 0x84 0xA0 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Gry\Dragon Age Origins Ultimate Edition\dedaodrm.exe 0xDC 0x76 0x34 0xCD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\AAAProgramy\TeamSpeak3\OverwolfTeamSpeakInstaller.exe 0xC5 0xFB 0x07 0xDD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\aaa\AppData\Local\Temp\RarSFX0\Launcher.exe 0x3F 0x63 0x7C 0xAF ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\aaa\AppData\Local\Temp\VersionChecker.exe 0x46 0x25 0x95 0x2E ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Temp\CEB6.tmp 0xF3 0x2B 0x9F 0x9B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Temp\CF26.tmp 0x78 0x54 0x3E 0x9C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Sound+\idscservice.exe 0x0A 0x58 0xC9 0xAC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 0x20 0xE6 0xEC 0xAC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\aaa\AppData\Local\Temp\O29DY5X93A\testversion.exe 0x4A 0x5B 0xD3 0xBB ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\SpaceSoundPro\idscservice.exe 0x1E 0x76 0xCA 0xFD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\aaa\AppData\Local\Temp\KH0A1QL0TS\testversion.exe 0xDC 0x22 0xC5 0x20 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\aaa\AppData\Local\Temp\nso5EAC.tmp 0xE2 0xB1 0x66 0x39 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\aaa\AppData\Local\Temp\nsy476A.tmp 0xBA 0xC9 0x24 0x64 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x5F 0xC1 0x5F 0x23 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\rundll32.exe 0x87 0xCB 0x4A 0x96 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 0xE8 0x67 0x4E 0xC7 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\msiexec.exe 0x33 0x46 0x76 0x87 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\CompatTelRunner.exe 0x24 0xA1 0x8A 0x11 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Users\aaa\AppData\Local\Temp\nso5E75.tmp 0x39 0x05 0xEF 0x81 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Users\aaa\AppData\Local\Temp\fsd4E41.exe 0xAC 0x7E 0x12 0xAE ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@C1D7C5F7 2129 ---- Files - GMER 2.1 ---- File C:\Users\aaa\AppData\Local\Mozilla\Firefox\Profiles\cl17x9pc.default\cache2\entries\2FEB22E23A052A5AE5E399B57D5C1848241977D1 2337 bytes File C:\Users\aaa\AppData\Local\Mozilla\Firefox\Profiles\cl17x9pc.default\cache2\entries\F95740EEA12B0D96C302B4A0280932185A0FEEDD 2337 bytes File C:\Users\aaa\AppData\Local\Mozilla\Firefox\Profiles\cl17x9pc.default\cache2\entries\64368C67F890874A1C419E99B0421A5E4D3FAB43 2337 bytes File C:\Users\aaa\AppData\Local\Mozilla\Firefox\Profiles\cl17x9pc.default\cache2\entries\3954EDD63B2DCCA6B4B2B3B9A24E9C7E2B0C7AE6 2337 bytes File C:\Users\aaa\AppData\Local\Mozilla\Firefox\Profiles\cl17x9pc.default\cache2\entries\9CD622C534AA721211F40289FA016D7865538179 2337 bytes File C:\Users\aaa\AppData\Local\Mozilla\Firefox\Profiles\cl17x9pc.default\cache2\entries\6723C1AD5AFB9A6DC284633A60D4FC48B0A47E53 2336 bytes File C:\Users\aaa\AppData\Local\Mozilla\Firefox\Profiles\cl17x9pc.default\cache2\entries\DB3F3EB6C4EBDE0BC5BFB4B444BE179A2D5663B1 2337 bytes File C:\Users\aaa\AppData\Local\Mozilla\Firefox\Profiles\cl17x9pc.default\cache2\entries\EB0FFED4E70F3E88E2AAC9B4F5454D7065AC29AE 2337 bytes File C:\Users\aaa\AppData\Local\Mozilla\Firefox\Profiles\cl17x9pc.default\cache2\entries\496685896E1D24865AB84C9C3FD726A8E38417A4 2337 bytes File C:\Users\aaa\AppData\Local\Mozilla\Firefox\Profiles\cl17x9pc.default\cache2\entries\55487D83AFDFB2F43537CADAFA95ABD84C343687 2336 bytes File C:\Users\aaa\AppData\Local\Mozilla\Firefox\Profiles\cl17x9pc.default\cache2\entries\9617372E9F83EEC59C842FF362883C976CF1405E 2336 bytes File C:\Users\aaa\AppData\Local\Mozilla\Firefox\Profiles\cl17x9pc.default\cache2\entries\EDA959C367389F71BBBCE22724FD8F173237B6D4 2337 bytes File C:\Users\aaa\AppData\Local\Mozilla\Firefox\Profiles\cl17x9pc.default\cache2\entries\11DC88AC84F3336DFFD12D0EA4FB7ED432CFA26B 2337 bytes File C:\Users\aaa\AppData\Local\Mozilla\Firefox\Profiles\cl17x9pc.default\cache2\entries\8D03A3D21EACFF15CDFC3225E4D410D499C8D9BC 2336 bytes File C:\Users\aaa\AppData\Local\Mozilla\Firefox\Profiles\cl17x9pc.default\cache2\entries\0527FAA1C94A4C28365306F9C6B7419D1A059498 2337 bytes File C:\Users\aaa\AppData\Local\Mozilla\Firefox\Profiles\cl17x9pc.default\cache2\entries\A7A6512BDF3F01BCBDD2E1A3A3F19E47A0C57156 2337 bytes ---- EOF - GMER 2.1 ----