GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-08-31 11:07:25 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-1 SAMSUNG_HD502HJ rev.1AJ10001 465,76GB Running: p1mdy7tt.exe; Driver: C:\Users\Wojtek\AppData\Local\Temp\pxriqkow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544 fffff800037eb000 64 bytes [00, 00, 00, 00, CD, 4F, AD, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 610 fffff800037eb042 4 bytes [00, 00, 00, 00] ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007736fcb0 5 bytes JMP 000000010008091c .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007736fe14 5 bytes JMP 0000000100080048 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007736fea8 5 bytes JMP 00000001000802ee .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077370004 5 bytes JMP 00000001000804b2 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077370038 5 bytes JMP 00000001000809fe .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077370068 5 bytes JMP 0000000100080ae0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077370084 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007737079c 5 bytes JMP 000000010008012a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007737088c 5 bytes JMP 0000000100080758 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773708a4 5 bytes JMP 0000000100080676 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077370df4 5 bytes JMP 00000001000803d0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077371920 5 bytes JMP 0000000100080594 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077371be4 5 bytes JMP 000000010008083a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077371d70 5 bytes JMP 000000010008020c .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007631524f 7 bytes JMP 0000000100080f52 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000763153d0 7 bytes JMP 0000000100090210 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000076315677 1 byte JMP 0000000100090048 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000076315679 5 bytes {JMP 0xffffffff89d7a9d1} .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007631589a 7 bytes JMP 0000000100080ca6 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000076315a1d 7 bytes JMP 00000001000903d8 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000076315c9b 7 bytes JMP 000000010009012c .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000076315d87 7 bytes JMP 00000001000902f4 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000076317240 7 bytes JMP 0000000100080e6e .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075c41492 7 bytes JMP 00000001000904bc .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007736fcb0 5 bytes JMP 000000010024091c .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007736fe14 5 bytes JMP 0000000100240048 .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007736fea8 5 bytes JMP 00000001002402ee .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077370004 5 bytes JMP 00000001002404b2 .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077370038 5 bytes JMP 00000001002409fe .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077370068 5 bytes JMP 0000000100240ae0 .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077370084 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007737079c 5 bytes JMP 000000010024012a .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007737088c 5 bytes JMP 0000000100240758 .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773708a4 5 bytes JMP 0000000100240676 .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077370df4 5 bytes JMP 00000001002403d0 .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077371920 5 bytes JMP 0000000100240594 .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077371be4 5 bytes JMP 000000010024083a .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077371d70 5 bytes JMP 000000010024020c .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007631524f 7 bytes JMP 0000000100240f52 .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000763153d0 7 bytes JMP 0000000100250210 .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000076315677 1 byte JMP 0000000100250048 .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000076315679 5 bytes {JMP 0xffffffff89f3a9d1} .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007631589a 7 bytes JMP 0000000100240ca6 .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000076315a1d 7 bytes JMP 00000001002503d8 .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000076315c9b 7 bytes JMP 000000010025012c .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000076315d87 7 bytes JMP 00000001002502f4 .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000076317240 7 bytes JMP 0000000100240e6e .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[1900] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075c41492 7 bytes JMP 00000001002504bc .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007736fcb0 5 bytes JMP 000000010026091c .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007736fe14 5 bytes JMP 0000000100260048 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007736fea8 5 bytes JMP 00000001002602ee .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077370004 5 bytes JMP 00000001002604b2 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077370038 5 bytes JMP 00000001002609fe .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077370068 5 bytes JMP 0000000100260ae0 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077370084 5 bytes JMP 000000010024004c .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007737079c 5 bytes JMP 000000010026012a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007737088c 5 bytes JMP 0000000100260758 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773708a4 5 bytes JMP 0000000100260676 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077370df4 5 bytes JMP 00000001002603d0 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077371920 5 bytes JMP 0000000100260594 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077371be4 5 bytes JMP 000000010026083a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077371d70 5 bytes JMP 000000010026020c .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007631524f 7 bytes JMP 0000000100260f52 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000763153d0 7 bytes JMP 0000000100330210 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000076315677 1 byte JMP 0000000100330048 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000076315679 5 bytes {JMP 0xffffffff8a01a9d1} .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007631589a 7 bytes JMP 0000000100260ca6 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000076315a1d 7 bytes JMP 00000001003303d8 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000076315c9b 7 bytes JMP 000000010033012c .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000076315d87 7 bytes JMP 00000001003302f4 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000076317240 7 bytes JMP 0000000100260e6e .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075c41492 7 bytes JMP 000000010033059e .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e01465 2 bytes [E0, 74] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e014bb 2 bytes [E0, 74] .text ... * 2 .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007736fcb0 5 bytes JMP 000000010024091c .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007736fe14 5 bytes JMP 0000000100240048 .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007736fea8 5 bytes JMP 00000001002402ee .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077370004 5 bytes JMP 00000001002404b2 .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077370038 5 bytes JMP 00000001002409fe .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077370068 5 bytes JMP 0000000100240ae0 .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077370084 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007737079c 5 bytes JMP 000000010024012a .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007737088c 5 bytes JMP 0000000100240758 .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773708a4 5 bytes JMP 0000000100240676 .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077370df4 5 bytes JMP 00000001002403d0 .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077371920 5 bytes JMP 0000000100240594 .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077371be4 5 bytes JMP 000000010024083a .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077371d70 5 bytes JMP 000000010024020c .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e01465 2 bytes [E0, 74] .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e014bb 2 bytes [E0, 74] .text ... * 2 .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007631524f 7 bytes JMP 0000000100240f52 .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000763153d0 7 bytes JMP 0000000100250210 .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000076315677 1 byte JMP 0000000100250048 .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000076315679 5 bytes {JMP 0xffffffff89f3a9d1} .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007631589a 7 bytes JMP 0000000100240ca6 .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000076315a1d 7 bytes JMP 00000001002503d8 .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000076315c9b 7 bytes JMP 000000010025012c .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000076315d87 7 bytes JMP 00000001002502f4 .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000076317240 7 bytes JMP 0000000100240e6e .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[3048] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075c41492 7 bytes JMP 00000001002504bc .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007736fcb0 5 bytes JMP 000000010025091c .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007736fe14 5 bytes JMP 0000000100250048 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007736fea8 5 bytes JMP 00000001002502ee .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077370004 5 bytes JMP 00000001002504b2 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077370038 5 bytes JMP 00000001002509fe .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077370068 5 bytes JMP 0000000100250ae0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077370084 5 bytes JMP 000000010003004c .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007737079c 5 bytes JMP 000000010025012a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007737088c 5 bytes JMP 0000000100250758 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773708a4 5 bytes JMP 0000000100250676 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077370df4 5 bytes JMP 00000001002503d0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077371920 5 bytes JMP 0000000100250594 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077371be4 5 bytes JMP 000000010025083a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077371d70 5 bytes JMP 000000010025020c .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075c41492 7 bytes JMP 000000010026059e .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007631524f 7 bytes JMP 0000000100250f52 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000763153d0 7 bytes JMP 0000000100260210 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000076315677 1 byte JMP 0000000100260048 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000076315679 5 bytes {JMP 0xffffffff89f4a9d1} .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007631589a 7 bytes JMP 0000000100250ca6 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000076315a1d 7 bytes JMP 00000001002603d8 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000076315c9b 7 bytes JMP 000000010026012c .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000076315d87 7 bytes JMP 00000001002602f4 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3752] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000076317240 7 bytes JMP 0000000100250e6e .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007736fcb0 5 bytes JMP 000000010029091c .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007736fe14 5 bytes JMP 0000000100290048 .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007736fea8 5 bytes JMP 00000001002902ee .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077370004 5 bytes JMP 00000001002904b2 .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077370038 5 bytes JMP 00000001002909fe .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077370068 5 bytes JMP 0000000100290ae0 .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077370084 5 bytes JMP 000000010002004c .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007737079c 5 bytes JMP 000000010029012a .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007737088c 5 bytes JMP 0000000100290758 .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773708a4 5 bytes JMP 0000000100290676 .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077370df4 5 bytes JMP 00000001002903d0 .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077371920 5 bytes JMP 0000000100290594 .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077371be4 5 bytes JMP 000000010029083a .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077371d70 5 bytes JMP 000000010029020c .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007631524f 7 bytes JMP 0000000100290f52 .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000763153d0 7 bytes JMP 00000001002a0210 .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000076315677 1 byte JMP 00000001002a0048 .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000076315679 5 bytes {JMP 0xffffffff89f8a9d1} .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007631589a 7 bytes JMP 0000000100290ca6 .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000076315a1d 7 bytes JMP 00000001002a03d8 .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000076315c9b 7 bytes JMP 00000001002a012c .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000076315d87 7 bytes JMP 00000001002a02f4 .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000076317240 7 bytes JMP 0000000100290e6e .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075c41492 7 bytes JMP 00000001002a059e .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e01465 2 bytes [E0, 74] .text c:\program files (x86)\common files\java\java update\jusched.exe[3864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e014bb 2 bytes [E0, 74] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007736fcb0 5 bytes JMP 00000001003a091c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007736fe14 5 bytes JMP 00000001003a0048 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007736fea8 5 bytes JMP 00000001003a02ee .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077370004 5 bytes JMP 00000001003a04b2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077370038 5 bytes JMP 00000001003a09fe .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077370068 5 bytes JMP 00000001003a0ae0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077370084 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007737079c 5 bytes JMP 00000001003a012a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007737088c 5 bytes JMP 00000001003a0758 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773708a4 5 bytes JMP 00000001003a0676 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077370df4 5 bytes JMP 00000001003a03d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077371920 5 bytes JMP 00000001003a0594 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077371be4 5 bytes JMP 00000001003a083a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077371d70 5 bytes JMP 00000001003a020c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007631524f 7 bytes JMP 00000001003a0f52 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000763153d0 7 bytes JMP 00000001003b0210 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000076315677 1 byte JMP 00000001003b0048 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000076315679 5 bytes {JMP 0xffffffff8a09a9d1} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007631589a 7 bytes JMP 00000001003a0ca6 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000076315a1d 7 bytes JMP 00000001003b03d8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000076315c9b 7 bytes JMP 00000001003b012c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000076315d87 7 bytes JMP 00000001003b02f4 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000076317240 7 bytes JMP 00000001003a0e6e .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4476] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075c41492 7 bytes JMP 00000001003b059e .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007736fcb0 5 bytes JMP 000000010029091c .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007736fe14 5 bytes JMP 0000000100290048 .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007736fea8 5 bytes JMP 00000001002902ee .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077370004 5 bytes JMP 00000001002904b2 .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077370038 5 bytes JMP 00000001002909fe .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077370068 5 bytes JMP 0000000100290ae0 .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077370084 5 bytes JMP 000000010002004c .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007737079c 5 bytes JMP 000000010029012a .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007737088c 5 bytes JMP 0000000100290758 .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773708a4 5 bytes JMP 0000000100290676 .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077370df4 5 bytes JMP 00000001002903d0 .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077371920 5 bytes JMP 0000000100290594 .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077371be4 5 bytes JMP 000000010029083a .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077371d70 5 bytes JMP 000000010029020c .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007631524f 7 bytes JMP 0000000100290f52 .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000763153d0 7 bytes JMP 00000001002a0210 .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000076315677 1 byte JMP 00000001002a0048 .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000076315679 5 bytes {JMP 0xffffffff89f8a9d1} .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007631589a 7 bytes JMP 0000000100290ca6 .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000076315a1d 7 bytes JMP 00000001002a03d8 .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000076315c9b 7 bytes JMP 00000001002a012c .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000076315d87 7 bytes JMP 00000001002a02f4 .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000076317240 7 bytes JMP 0000000100290e6e .text C:\Users\Wojtek\Downloads\p1mdy7tt.exe[1804] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075c41492 7 bytes JMP 00000001002a04bc ---- Threads - GMER 2.1 ---- Thread C:\Windows\SysWOW64\ntdll.dll [2772:2776] 0000000000061c24 Thread C:\Windows\SysWOW64\ntdll.dll [2772:3636] 000000006633e54e Thread C:\Windows\SysWOW64\ntdll.dll [2772:4488] 00000000636e319b Thread C:\Windows\SysWOW64\ntdll.dll [2772:4496] 000000006378eec8 Thread C:\Windows\SysWOW64\ntdll.dll [2772:4504] 000000006378eec8 Thread C:\Windows\SysWOW64\ntdll.dll [2772:4500] 000000006378eec8 Thread C:\Windows\SysWOW64\ntdll.dll [2772:4568] 00000000647a86f9 Thread C:\Windows\SysWOW64\ntdll.dll [2772:1840] 0000000072781854 Thread C:\Windows\system32\taskhost.exe [4172:3552] 000000005c158e00 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 e:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x07 0x04 0x37 0xCA ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x03 0x50 0x46 0x5A ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5F 0x9E 0xFA 0x7E ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x69 0x9F 0xBD 0xF6 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x17 0xD7 0x67 0x65 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x78 0x72 0x40 0xB0 ... ---- EOF - GMER 2.1 ----