GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-31 18:40:08
Windows 6.2.9200 \Device\Harddisk0\DR0 -> \Device\00000029 WDC_WD1600BEVS-00RST0 rev.04.01G04 149,05GB
Running: gmer.exe; Driver: C:\Users\MR92DE~1.ROB\AppData\Local\Temp\agxdiaoc.sys

---- Kernel code sections - GMER 2.2 ----

.text ntoskrnl.exe!ExfUnblockPushLock + 1547 81D8E8DD 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 622 81D93082 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? C:\Windows\system32\drivers\flowhlp.dat Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90F71000, 0x2BFBF0, 0xE8000020]

---- User code sections - GMER 2.2 ----

.text C:\Windows\Explorer.EXE[4048] SHELL32.dll!SHPropStgWriteMultiple 756E5A0C 4 Bytes [60, 1B, DE, 64]
.text C:\Windows\Explorer.EXE[4048] SHELL32.dll!SHPropStgWriteMultiple 756E5C3C 4 Bytes [60, 48, 3C, 07] {PUSHA ; DEC EAX; CMP AL, 0x7}
.text C:\Windows\Explorer.EXE[4048] SHELL32.dll!SHPropStgWriteMultiple 756E5C4C 4 Bytes [30, 11, 02, 6C]
.text C:\Windows\Explorer.EXE[4048] SHELL32.dll!SHPropStgWriteMultiple 756E67AD 3 Bytes [4D, 3C, 07] {DEC EBP; CMP AL, 0x7}
.text C:\Windows\Explorer.EXE[4048] SHELL32.dll!SHPropStgWriteMultiple 756F5300 4 Bytes [00, 63, 01, 6C] {ADD [EBX+0x1], AH; INS BYTE [ES:EDI], DX}
.text ...

---- User IAT/EAT - GMER 2.2 ----

IAT C:\Windows\Explorer.EXE[4048] @ C:\Windows\Explorer.EXE [KERNEL32.dll!MulDiv] [6C024FA0] C:\Users\Mr. Robot\AppData\Local\StartIsBack\StartIsBack32.dll
IAT C:\Windows\Explorer.EXE[4048] @ C:\Windows\Explorer.EXE [USER32.dll!TrackPopupMenuEx] [6C023900] C:\Users\Mr. Robot\AppData\Local\StartIsBack\StartIsBack32.dll
IAT C:\Windows\Explorer.EXE[4048] @ C:\Windows\Explorer.EXE [USER32.dll!SetWindowCompositionAttribute] [6C024FF0] C:\Users\Mr. Robot\AppData\Local\StartIsBack\StartIsBack32.dll
IAT C:\Windows\Explorer.EXE[4048] @ C:\Windows\Explorer.EXE [USER32.dll!PeekMessageW] [6C024620] C:\Users\Mr. Robot\AppData\Local\StartIsBack\StartIsBack32.dll

---- Devices - GMER 2.2 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 snapman.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 snapman.sys

---- Services - GMER 2.2 ----

Service C:\Windows\system32\drivers\flowhlp.dat (*** hidden *** ) [BOOT] flowhlp <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\KuaiZipDrive.sys (*** hidden *** ) [DISABLED] KuaiZipDrive <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x30 0xA2 0x1A 0x65 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xE3 0xF7 0x64 0x54 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 54
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LPL01200_00_07D8_48^B24555F845208D88E02FFFCE61E93293@Timestamp 0xFB 0xE9 0xBB 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 680
Reg HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings@StringCacheGeneration 143
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\ProgramData\service.exe??\??\C:\Windows\system32\drivers\KuaiZipDrive.sys??\??\C:\Program Files\????\??\??\C:\Program Files\????\??\??\C:\Users\Mr. Robot\AppData\Local\IconCache.db??\??\C:\Users\Mr. Robot\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db??\??\C:\Users\Mr. Robot\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db??\??\C:\Users\Mr. Robot\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db??\??\C:\Users\Mr. Robot\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db??\??\C:\Users\Mr. Robot\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db??\??\C:\Users\Mr. Robot\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db??\??\C:\Users\Mr. Robot\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db??\??\C:\Users\Mr. Robot\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db??\??\C:\Users\Mr. Robot\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db??\??\C:\Users\Mr. Robot\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db??\??\C
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1220480813
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID ad1ecf48-c56d-495f-9a8b-28457eb
Reg HKLM\SYSTEM\CurrentControlSet\Control\USB\ceip@UsbCeipTaskLastRunTimestamp 0xF2 0x1A 0x01 0xE4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{43f58a9f-c154-4914-b3ae-ab20e9c71b4c}
Reg HKLM\SYSTEM\CurrentControlSet\Services\1394ohci\Parameters\Wdf@TimeOfLastTelemetryLog 0x0D 0x81 0x97 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00037a8ce9fc
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00037a8ce9fc@001d6ec43479 0x20 0xA3 0xB7 0xB6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\cdrom\Parameters\Wdf@TimeOfLastTelemetryLog 0x2A 0x57 0xCE 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x94 0x46 0x39 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{903f191b-ee89-444e-91b8-3b3c6dbffbe4}@LastProbeTime 1490891970
Reg HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Chrome
Reg HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Chrome@CategoryCount 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Chrome@TypesSupported 7
Reg HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Chrome@CategoryMessageFile C:\Program Files\Google\Chrome\Application\57.0.2987.133\eventlog_provider.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Chrome@EventMessageFile C:\Program Files\Google\Chrome\Application\57.0.2987.133\eventlog_provider.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Chrome@ParameterMessageFile C:\Program Files\Google\Chrome\Application\57.0.2987.133\eventlog_provider.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastTelemetryLog 0xE6 0x7B 0x67 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\intelppm\Parameters\Wdf@TimeOfLastTelemetryLog 0xE3 0xA8 0x3B 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-1f-c6-36-ea-25@AddressCreationTimestamp 0x22 0x01 0xEF 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\KuaiZipDrive
Reg HKLM\SYSTEM\CurrentControlSet\Services\KuaiZipDrive@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\KuaiZipDrive@Start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\KuaiZipDrive@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\KuaiZipDrive@ImagePath \??\C:\Windows\system32\drivers\KuaiZipDrive.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\KuaiZipDrive@DisplayName KuaiZipDrive
Reg HKLM\SYSTEM\CurrentControlSet\Services\KuaiZipDrive@DependOnService RPCSS?
Reg HKLM\SYSTEM\CurrentControlSet\Services\KuaiZipDrive@DeleteFlag 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\KuaiZipDrive\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\KuaiZipDrive\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\KuaiZipDrive
Reg HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters\Wdf@TimeOfLastTelemetryLog 0x7F 0xEF 0xF2 0x65 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x2A 0x57 0xCE 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?czw.?, ?mar ?30 ?17, 04:41:55 PM???????????????????????????????
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 5310
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 963
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-In v2.25|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|LPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-200|Desc=@%systemroot%\system32\provsvc.dll,-201|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-Out v2.25|Action=Allow|Active=FALSE|Dir=Out|Protocol=6|Profile=Private|RPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-203|Desc=@%systemroot%\system32\provsvc.dll,-204|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-In v2.25|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Private|LPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-205|Desc=@%systemroot%\system32\provsvc.dll,-206|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-Out v2.25|Action=Allow|Active=FALSE|Dir=Out|Protocol=17|Profile=Private|RPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-207|Desc=@%systemroot%\system32\provsvc.dll,-208|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 53
Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 1133
Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters\Wdf@TimeOfLastTelemetryLog 0xC8 0x7C 0xF4 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bca426d1-cbaf-455a-bdf7-851dd4a53eb6}@LeaseObtainedTime 1490972701
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bca426d1-cbaf-455a-bdf7-851dd4a53eb6}@T1 1490994301
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bca426d1-cbaf-455a-bdf7-851dd4a53eb6}@T2 1491010501
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bca426d1-cbaf-455a-bdf7-851dd4a53eb6}@LeaseTerminatesTime 1491015901
Reg HKLM\SYSTEM\CurrentControlSet\Services\Thotkey\Parameters\Wdf@TimeOfLastTelemetryLog 0x94 0x46 0x39 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastTelemetryLog 0x94 0x46 0x39 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x1B 0xA4 0xEC 0x7D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x1B 0x0C 0xB1 0xDF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x1B 0x3C 0x28 0x1C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0x7D 0x13 0x54 0x05 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 13202 13208 13220 13230 13240 13260 13304 13314 13352 13358 13374
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 13380
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 13381
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 13202
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 13203
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests@LastCriticalDownloadAttempt 0xB5 0xA0 0xEE 0x60 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE\SystemProtected@DisableCAD 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate@LastTaskOperationHandle 74
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe 0xC4 0xF3 0x07 0xDB ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Common Files\microsoft shared\Help 9\dexplore.exe 0xDA 0x93 0x8E 0xA3 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\vsta.exe 0x85 0x6B 0xA7 0xAD ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe 0xE6 0xFA 0x85 0xE3 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Corel\CorelDRAW Graphics Suite X5\Programs\CorelDRW.exe 0x66 0x96 0x1A 0x03 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x17 0x11 0x54 0xFA ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Mr. Robot\AppData\Local\Apps\Windows 7 USB DVD Download Tool\Windows7-USB-DVD-Download-Tool.exe 0xEB 0x49 0xF0 0x3E ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Exact Audio Copy\Empty20.exe 0x37 0x22 0xD3 0x72 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Exact Audio Copy\EAC.exe 0x27 0xBB 0x5B 0xC9 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0x44 0x76 0x3D 0xCE ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Mr. Robot\Downloads\Taskbar Color Effects\Taskbar Color Effects.exe 0xE6 0xEC 0x8A 0x44 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Blank ExplorerFrame\iPack_Installer.exe 0x94 0xD7 0xCF 0xD9 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Mr. Robot\Downloads\TakeControl.exe 0x25 0x7D 0x29 0xC5 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\backgroundTaskHost.exe 0xB0 0x58 0x9D 0xBB ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\KMSpico\KMSELDI.exe 0x08 0xC3 0x4C 0xC0 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\KMSpico\AutoPico.exe 0x0F 0xD8 0x2E 0x9D ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\KMSpico\Service_KMS.exe 0xE1 0x7B 0x3B 0x2A ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\msiexec.exe 0xB2 0x51 0xAE 0x69 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\explorer.exe 0x97 0x86 0xF3 0xE6 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe 0xD3 0xF3 0xA8 0x2F ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.exe 0x16 0x09 0xC3 0x8A ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe 0xFB 0x0F 0x3D 0x2D ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\taskhostw.exe 0xD7 0x14 0xD5 0xCF ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe 0xF1 0x30 0x98 0x9F ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\mmc.exe 0x19 0xA4 0x1C 0xB4 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x5D 0x4D 0xEA 0x20 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\sdiagnhost.exe 0xAC 0xFF 0x59 0x88 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Users\Mr. Robot\Downloads\Win10BGChanger1.2.1\GUI\W10 Logon BG Changer.exe 0x7B 0x98 0x56 0x2D ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 0xFB 0x03 0xEF 0x0E ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 0x28 0x92 0xF3 0xB3 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\tzsync.exe 0x3F 0x00 0xB2 0x1F ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\svchost.exe 0x18 0x99 0x26 0x78 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\CompatTelRunner.exe 0x9A 0xD7 0x41 0xD8 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\System32/mrt100.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\System32/mrt100.dll@\Device\HarddiskVolume1\Windows\System32\backgroundTaskHost.exe 0xD0 0x03 0x1E 0xD7 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\System32/mrt100.dll@\Device\HarddiskVolume1\Program Files\WindowsApps\Microsoft.Windows.Photos_16.526.11220.0_x86__8wekyb3d8bbwe\Microsoft.Photos.exe 0x77 0x7F 0x27 0xE7 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\System32/mrt100.dll@\Device\HarddiskVolume1\Program Files\WindowsApps\Microsoft.Windows.Photos_16.722.10060.0_x86__8wekyb3d8bbwe\Microsoft.Photos.exe 0x89 0x9C 0xDC 0x60 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\System32/mrt100.dll@\Device\HarddiskVolume1\Program Files\WindowsApps\Microsoft.WindowsStore_11608.1001.49.0_x86__8wekyb3d8bbwe\WinStore.Mobile.exe 0x87 0x45 0xB4 0x89 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\System32/mrt100.dll@\Device\HarddiskVolume1\Program Files\WindowsApps\Microsoft.Windows.Photos_16.1118.10000.0_x86__8wekyb3d8bbwe\Microsoft.Photos.exe 0xDF 0x9C 0xBF 0x88 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\System32/mrt100.dll@\Device\HarddiskVolume1\Program Files\WindowsApps\Microsoft.Windows.Photos_17.214.10010.0_x86__8wekyb3d8bbwe\Microsoft.Photos.exe 0x3D 0xF5 0x84 0x65 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@FBBBBC22 64
Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{4AC0FE3A-0000-0000-0000-500600000000} 563966280
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting@LastWatsonCabUploaded 0xCB 0xB3 0xF8 0xD6 ...

---- EOF - GMER 2.2 ----