GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-10-19 15:49:53 Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.14.0 Running: gmer.exe; Driver: C:\Users\Dom\AppData\Local\Temp\kftdapog.sys ---- System - GMER 1.0.15 ---- INT 0x51 ? 854B7CC8 INT 0x51 ? 86E01CC8 INT 0x51 ? 86E01CC8 INT 0x51 ? 854B7CC8 INT 0x62 ? 86E01CC8 INT 0x82 ? 86E01CC8 INT 0x92 ? 86E01CC8 INT 0xA2 ? 86E01CC8 INT 0xB1 ? 854B2F00 INT 0xB1 ? 854B2F00 ---- Kernel code sections - GMER 1.0.15 ---- ? System32\Drivers\sptd.sys System nie może odnaleźć określonej ścieżki. ! .text USBPORT.SYS!DllUnload 8E53AA8D 5 Bytes JMP 86E011D8 .text atk5b91q.SYS 8F96B000 47 Bytes [82, C3, 21, 82, 6C, C2, 21, ...] .text atk5b91q.SYS 8F96B030 182 Bytes [6F, 12, 33, 82, F0, 67, 29, ...] .text atk5b91q.SYS 8F96B0E7 31 Bytes [00, 38, 0F, 00, 00, 00, 00, ...] .text atk5b91q.SYS 8F96B107 224 Bytes [56, 09, 18, 08, DA, 0A, 9C, ...] .text atk5b91q.SYS 8F96B1E8 253 Bytes [5D, F8, 5C, 3A, 5E, 7C, 5F, ...] .text ... .text a90yah4h.SYS 8F9A4000 47 Bytes [82, C3, 21, 82, 6C, C2, 21, ...] .text a90yah4h.SYS 8F9A4030 13 Bytes [F0, D7, 28, 82, 65, F0, 26, ...] .text a90yah4h.SYS 8F9A403E 134 Bytes [2F, 82, E0, E9, 2E, 82, 60, ...] .text a90yah4h.SYS 8F9A40C6 17 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; LEAVE ; HLT ; POP ESP} .text a90yah4h.SYS 8F9A40D8 14 Bytes [00, 00, 00, 00, 02, 00, 00, ...] .text ... ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3892] kernel32.dll!SetUnhandledExceptionFilter 76D9A8C5 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} .text C:\Program Files\Mozilla Firefox\firefox.exe[4548] ntdll.dll!LdrLoadDll 77D49378 5 Bytes JMP 64F5A650 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4548] kernel32.dll!HeapSetInformation + 26 76D9A8C0 7 Bytes JMP 64F5EDB3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4548] kernel32.dll!LockResource + C 76DB6B0B 7 Bytes JMP 65197DF7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4548] kernel32.dll!VirtualAllocEx + 54 76DBAF70 7 Bytes JMP 65197E1A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4548] GDI32.dll!SetStretchBltMode + 256 7670745C 7 Bytes JMP 65197D78 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5924] USER32.dll!InSendMessageEx + 4C9 77C8E7C8 7 Bytes JMP 6526ADE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5924] USER32.dll!CreateWindowExW + AA 77C913AF 7 Bytes JMP 6526AD6F C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5924] USER32.dll!GetWindowInfo 77C9428E 5 Bytes JMP 650B47EC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5924] USER32.dll!SetMenuItemBitmaps + 71 77CA14EE 7 Bytes JMP 650B4E1E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A8312] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\System32\Drivers\atk5b91q.SYS[HAL.dll!KfAcquireSpinLock] 00000099 IAT \SystemRoot\System32\Drivers\atk5b91q.SYS[HAL.dll!KfReleaseSpinLock] 000000B0 IAT \SystemRoot\System32\Drivers\atk5b91q.SYS[storport.sys!StorPortPauseDevice] 000000BB IAT \SystemRoot\System32\Drivers\atk5b91q.SYS[storport.sys!StorPortResumeDevice] 00000016 IAT \SystemRoot\System32\Drivers\atk5b91q.SYS[storport.sys!StorPortInitialize] 00006300 IAT \SystemRoot\System32\Drivers\atk5b91q.SYS[storport.sys!StorPortNotification] 00007C00 IAT \SystemRoot\System32\Drivers\atk5b91q.SYS[TDI.SYS!TdiDeregisterPnPHandlers] 0000F200 IAT \SystemRoot\System32\Drivers\atk5b91q.SYS[TDI.SYS!TdiRegisterPnPHandlers] 00006B00 IAT \SystemRoot\System32\Drivers\atk5b91q.SYS[NETIO.SYS!WskDeregister] 0000C500 IAT \SystemRoot\System32\Drivers\atk5b91q.SYS[NETIO.SYS!WskReleaseProviderNPI] 00003000 IAT \SystemRoot\System32\Drivers\atk5b91q.SYS[NETIO.SYS!WskRegister] 00000100 IAT \SystemRoot\System32\Drivers\atk5b91q.SYS[NETIO.SYS!WskCaptureProviderNPI] 00006700 IAT \SystemRoot\System32\Drivers\a90yah4h.SYS[HAL.dll!KfAcquireSpinLock] 00005500 IAT \SystemRoot\System32\Drivers\a90yah4h.SYS[HAL.dll!KfReleaseSpinLock] 00008C00 IAT \SystemRoot\System32\Drivers\a90yah4h.SYS[storport.sys!StorPortPauseDevice] 00008900 IAT \SystemRoot\System32\Drivers\a90yah4h.SYS[storport.sys!StorPortResumeDevice] 00000D00 IAT \SystemRoot\System32\Drivers\a90yah4h.SYS[storport.sys!StorPortInitialize] 0000BF00 IAT \SystemRoot\System32\Drivers\a90yah4h.SYS[storport.sys!StorPortNotification] 0000E600 IAT \SystemRoot\System32\Drivers\a90yah4h.SYS[TDI.SYS!TdiDeregisterPnPHandlers] 00004100 IAT \SystemRoot\System32\Drivers\a90yah4h.SYS[TDI.SYS!TdiRegisterPnPHandlers] 00009900 IAT \SystemRoot\System32\Drivers\a90yah4h.SYS[NETIO.SYS!WskDeregister] 00000F00 IAT \SystemRoot\System32\Drivers\a90yah4h.SYS[NETIO.SYS!WskReleaseProviderNPI] 0000B000 IAT \SystemRoot\System32\Drivers\a90yah4h.SYS[NETIO.SYS!WskRegister] 00005400 IAT \SystemRoot\System32\Drivers\a90yah4h.SYS[NETIO.SYS!WskCaptureProviderNPI] 0000BB00 ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\Explorer.EXE[3580] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74BF7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3580] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74C3B4E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3580] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74BFBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3580] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74BEF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3580] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74BF75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3580] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74BEE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3580] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74C273F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3580] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74BFDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3580] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74BEFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3580] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74BEFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3580] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74BE71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3580] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74C7CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3580] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74C1C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3580] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74BED968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3580] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74BE6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3580] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74BE687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3580] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74BF2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 854B81F8 AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) Device \Driver\usbuhci \Device\USBPDO-0 8700D1F8 Device \Driver\usbuhci \Device\USBPDO-1 8700D1F8 Device \Driver\usbuhci \Device\USBPDO-2 8700D1F8 Device \Driver\usbehci \Device\USBPDO-3 8700E1F8 Device \Driver\usbuhci \Device\USBPDO-4 8700D1F8 Device \Driver\usbuhci \Device\USBPDO-5 8700D1F8 Device \Driver\usbuhci \Device\USBPDO-6 8700D1F8 Device \Driver\usbehci \Device\USBPDO-7 8700E1F8 Device \Driver\cdrom \Device\CdRom0 86EE71F8 Device \Driver\cdrom \Device\CdRom1 86EE71F8 Device \Driver\iaStor \Device\Ide\iaStor0 [8A3000B0] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8A3000B0] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [8A3000B0] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\netbt \Device\NetBT_Tcpip_{F8E20C70-E20E-4E36-AECC-C00B36E92707} 89D141F8 Device \Driver\cdrom \Device\CdRom2 86EE71F8 Device \Driver\netbt \Device\NetBt_Wins_Export 89D141F8 Device \Driver\Smb \Device\NetbiosSmb 89D251F8 Device \Driver\PCI_PNP8612 \Device\0000004c sptd.sys Device \Driver\PCI_PNP8612 \Device\0000004c sptd.sys Device \Driver\PCI_PNP8612 \Device\0000004d sptd.sys Device \Driver\PCI_PNP8612 \Device\0000004d sptd.sys Device \Driver\iScsiPrt \Device\RaidPort0 86EE91F8 Device \Driver\netbt \Device\NetBT_Tcpip_{B001098F-001E-45A9-B017-E1657D7DD981} 89D141F8 Device \Driver\usbuhci \Device\USBFDO-0 8700D1F8 Device \Driver\usbuhci \Device\USBFDO-1 8700D1F8 Device \Driver\usbuhci \Device\USBFDO-2 8700D1F8 Device \Driver\usbehci \Device\USBFDO-3 8700E1F8 Device \Driver\usbuhci \Device\USBFDO-4 8700D1F8 Device \Driver\netbt \Device\NetBT_Tcpip_{636606DB-4A35-412B-92A9-9BADFF1CA831} 89D141F8 Device \Driver\usbuhci \Device\USBFDO-5 8700D1F8 Device \Driver\usbuhci \Device\USBFDO-6 8700D1F8 Device \Driver\usbehci \Device\USBFDO-7 8700E1F8 Device \Driver\atk5b91q \Device\Scsi\atk5b91q1 8712F430 Device \Driver\a90yah4h \Device\Scsi\a90yah4h1Port3Path0Target0Lun0 86F571F8 Device \Driver\a90yah4h \Device\Scsi\a90yah4h1 86F571F8 Device \Driver\atk5b91q \Device\Scsi\atk5b91q1Port2Path0Target0Lun0 8712F430 Device \FileSystem\cdfs \Cdfs B44D41F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAC 0x18 0x02 0x93 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x92 0x6E 0x46 0x96 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x0E 0x47 0xCA 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6B 0x32 0x7A 0x43 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD9 0x68 0xFB 0xBE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1E 0x80 0x1A 0x18 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAC 0x18 0x02 0x93 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x92 0x6E 0x46 0x96 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x0E 0x47 0xCA 0x2D ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6B 0x32 0x7A 0x43 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD9 0x68 0xFB 0xBE ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1E 0x80 0x1A 0x18 ... ---- Files - GMER 1.0.15 ---- File C:\RRbackups\C 0 bytes File C:\RRbackups\common 0 bytes File C:\RRbackups\common\backups.dat 8192 bytes File C:\RRbackups\common\bmgrmode.dat 29 bytes File C:\RRbackups\common\css.dat 8192 bytes File C:\RRbackups\common\hints.dat 8192 bytes File C:\RRbackups\common\mnd.dat 8192 bytes File C:\RRbackups\common\regcerts.dat 8192 bytes File C:\RRbackups\common\restore.log 110 bytes File C:\RRbackups\common\rr.log 103073 bytes File C:\RRbackups\common\rr_bcdenum.dat 4617 bytes File C:\RRbackups\common\SAM 262144 bytes File C:\RRbackups\common\seccache.dat 8192 bytes File C:\RRbackups\common\secpolicy.dat 20480 bytes File C:\RRbackups\common\settings.dat 32768 bytes File C:\RRbackups\common\system.dat 12288 bytes File C:\RRbackups\common\tvtcmn.dat 8192 bytes File C:\RRbackups\common\usersids.dat 14560 bytes File C:\RRbackups\Documents and Settings 0 bytes File C:\RRbackups\Documents and Settings\Administrator 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto 0 bytes File C:\RRbackups\Documents and Settings\Dom 0 bytes File C:\RRbackups\Documents and Settings\Dom\AppData 0 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming 0 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Lenovo 0 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Lenovo\Client Security Solution 0 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Lenovo\Client Security Solution\hibernation.dat 4 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft 0 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Crypto 0 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Crypto\RSA 0 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2579762865-1940111946-1283946872-1003 0 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2579762865-1940111946-1283946872-1003\216e89749feef86aa7ed5f731c2c61ec_65768d38-f0e7-4e13-9669-db03c21bfbfc 44 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2579762865-1940111946-1283946872-1003\3a679951e6f2eb81b341c95e9ffe4a25_65768d38-f0e7-4e13-9669-db03c21bfbfc 77 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2579762865-1940111946-1283946872-1003\5550e7cb640347345a345c63aa7a6848_65768d38-f0e7-4e13-9669-db03c21bfbfc 59 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2579762865-1940111946-1283946872-1003\62a45886e06c7d046ea8b819bec0598a_65768d38-f0e7-4e13-9669-db03c21bfbfc 45 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2579762865-1940111946-1283946872-1003\6b29ae44e85efac3c72ff4d1865d73f1_65768d38-f0e7-4e13-9669-db03c21bfbfc 53 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2579762865-1940111946-1283946872-1003\83aa4cc77f591dfc2374580bbd95f6ba_65768d38-f0e7-4e13-9669-db03c21bfbfc 45 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2579762865-1940111946-1283946872-1003\8f71098770f72c7a67cd8f1151619865_65768d38-f0e7-4e13-9669-db03c21bfbfc 54 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Protect 0 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Protect\CREDHIST 24 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Protect\S-1-5-21-2579762865-1940111946-1283946872-1003 0 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Protect\S-1-5-21-2579762865-1940111946-1283946872-1003\08eb9690-92a7-4682-a1c6-f42cc6f1dcf2 388 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Protect\S-1-5-21-2579762865-1940111946-1283946872-1003\1cde6a84-87a0-4951-a7af-4d94b38d4036 388 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Protect\S-1-5-21-2579762865-1940111946-1283946872-1003\4d3dab6e-a2b6-4cf2-a6be-b6fa68685837 388 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Protect\S-1-5-21-2579762865-1940111946-1283946872-1003\5207849a-92dc-4413-990b-bcb9bddaf5af 388 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Protect\S-1-5-21-2579762865-1940111946-1283946872-1003\b81f9de3-8cfd-4cd8-8b7b-2246ad183103 388 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Protect\S-1-5-21-2579762865-1940111946-1283946872-1003\bdbcbf8b-9e1b-49ab-b487-973d8028a162 388 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Protect\S-1-5-21-2579762865-1940111946-1283946872-1003\c01e3d52-59ca-4c9b-8ba9-478e53eb664f 388 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Protect\S-1-5-21-2579762865-1940111946-1283946872-1003\c62d0ad0-f6e7-4016-8dd9-226f43e172fb 388 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\Protect\S-1-5-21-2579762865-1940111946-1283946872-1003\Preferred 24 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\SystemCertificates 0 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\SystemCertificates\My 0 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates 0 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs 0 bytes File C:\RRbackups\Documents and Settings\Dom\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs 0 bytes File C:\RRbackups\ProgramData 0 bytes File C:\RRbackups\ProgramData\Lenovo 0 bytes File C:\RRbackups\ProgramData\Lenovo\Client Security Solution 0 bytes File C:\RRbackups\ProgramData\Lenovo\Client Security Solution\cspContainer.dat 332 bytes File C:\RRbackups\ProgramData\Microsoft 0 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto 0 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA 0 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys 0 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\404b466b6bfefd5de0c0a19f33336d46_65768d38-f0e7-4e13-9669-db03c21bfbfc 1765 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 0 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\3a679951e6f2eb81b341c95e9ffe4a25_65768d38-f0e7-4e13-9669-db03c21bfbfc 77 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\4a83060920cae32caf902bed48d1fdd9_65768d38-f0e7-4e13-9669-db03c21bfbfc 58 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\62a45886e06c7d046ea8b819bec0598a_65768d38-f0e7-4e13-9669-db03c21bfbfc 45 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_65768d38-f0e7-4e13-9669-db03c21bfbfc 47 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\83aa4cc77f591dfc2374580bbd95f6ba_65768d38-f0e7-4e13-9669-db03c21bfbfc 45 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\8f71098770f72c7a67cd8f1151619865_65768d38-f0e7-4e13-9669-db03c21bfbfc 54 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\94348ade95b67e8f2e884ed7b348b833_65768d38-f0e7-4e13-9669-db03c21bfbfc 59 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_65768d38-f0e7-4e13-9669-db03c21bfbfc 899 bytes ---- EOF - GMER 1.0.15 ----