GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-11-19 21:54:16 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk3\DR3 -> \Device\Ide\IdeDeviceP3T1L0-a OCZ-AGILITY3 rev.2.15 111,79GB Running: m57g1hli.exe; Driver: x:\temp\Temp\uxldipog.sys ---- Kernel code sections - GMER 2.1 ---- PAGE C:\Windows\system32\drivers\PCIIDEX.SYS!DllUnload fffff88000feea50 12 bytes {MOV RAX, 0xfffffa80054c72a0; JMP RAX} PAGE C:\Windows\system32\drivers\ataport.SYS!DllUnload fffff88000c744a0 12 bytes {MOV RAX, 0xfffffa80054bc2a0; JMP RAX} .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88007b88d8c 12 bytes {MOV RAX, 0xfffffa8006b0b2a0; JMP RAX} .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960001b4100 7 bytes [C0, 92, F3, FF, 01, 9C, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 9 fffff960001b4109 2 bytes [06, 02] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefe9645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\system32\ws2_32.dll!getsockname 000007fefe969480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefe98e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\taskhost.exe[1560] C:\Windows\system32\ws2_32.dll!getpeername 000007fefe98e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\system32\Dwm.exe[1600] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefe9645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\Dwm.exe[1600] C:\Windows\system32\ws2_32.dll!getsockname 000007fefe969480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\Dwm.exe[1600] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefe98e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\Dwm.exe[1600] C:\Windows\system32\ws2_32.dll!getpeername 000007fefe98e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\SysWOW64\PnkBstrA.exe[1788] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000719a1a22 2 bytes [9A, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[1788] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000719a1ad0 2 bytes [9A, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[1788] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000719a1b08 2 bytes [9A, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[1788] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000719a1bba 2 bytes [9A, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[1788] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000719a1bda 2 bytes [9A, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d51465 2 bytes [D5, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d514bb 2 bytes [D5, 75] .text ... * 2 .text C:\Windows\Explorer.EXE[2124] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefe9645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\Explorer.EXE[2124] C:\Windows\system32\ws2_32.dll!getsockname 000007fefe969480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\Explorer.EXE[2124] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefe98e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\Explorer.EXE[2124] C:\Windows\system32\ws2_32.dll!getpeername 000007fefe98e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[2616] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefe9645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[2616] C:\Windows\system32\WS2_32.dll!getsockname 000007fefe969480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[2616] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe98e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[2616] C:\Windows\system32\WS2_32.dll!getpeername 000007fefe98e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[2628] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefe9645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[2628] C:\Windows\system32\ws2_32.dll!getsockname 000007fefe969480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[2628] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefe98e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[2628] C:\Windows\system32\ws2_32.dll!getpeername 000007fefe98e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2740] C:\Windows\syswow64\WS2_32.dll!ioctlsocket + 38 00000000761830aa 7 bytes JMP 00000001001c0095 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2740] C:\Windows\syswow64\WS2_32.dll!recv + 202 0000000076186bd8 7 bytes JMP 00000001001c002d .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2740] C:\Windows\syswow64\WS2_32.dll!WSARecv + 185 0000000076187142 7 bytes JMP 00000001001c00c9 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2740] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom + 148 000000007618cc3a 7 bytes JMP 00000001001c0061 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[2780] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefe9645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[2780] C:\Windows\system32\WS2_32.dll!getsockname 000007fefe969480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[2780] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe98e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[2780] C:\Windows\system32\WS2_32.dll!getpeername 000007fefe98e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\AQQ\AQQ.exe[2948] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefe9645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files (x86)\AQQ\AQQ.exe[2948] C:\Windows\system32\WS2_32.dll!getsockname 000007fefe969480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files (x86)\AQQ\AQQ.exe[2948] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe98e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files (x86)\AQQ\AQQ.exe[2948] C:\Windows\system32\WS2_32.dll!getpeername 000007fefe98e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3052] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d51465 2 bytes [D5, 75] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3052] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d514bb 2 bytes [D5, 75] .text ... * 2 .text C:\Program Files (x86)\Wallpaper Changer\WallPaper.exe[1840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d51465 2 bytes [D5, 75] .text C:\Program Files (x86)\Wallpaper Changer\WallPaper.exe[1840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d514bb 2 bytes [D5, 75] .text ... * 2 .text C:\Program Files\PeerBlock\peerblock.exe[2756] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000077289b80 13 bytes {MOV R11, 0x13f71c920; JMP R11} .text C:\Program Files\PeerBlock\peerblock.exe[2756] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefe9645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\PeerBlock\peerblock.exe[2756] C:\Windows\system32\WS2_32.dll!getsockname 000007fefe969480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\PeerBlock\peerblock.exe[2756] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe98e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\PeerBlock\peerblock.exe[2756] C:\Windows\system32\WS2_32.dll!getpeername 000007fefe98e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[1260] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 000000007768000c 1 byte [C3] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[1260] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 000000007770f8ea 5 bytes JMP 00000001776bd5c1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[1260] C:\Windows\syswow64\WS2_32.dll!ioctlsocket + 38 00000000761830aa 7 bytes JMP 0000000100b60095 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[1260] C:\Windows\syswow64\WS2_32.dll!recv + 202 0000000076186bd8 7 bytes JMP 0000000100b6002d .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[1260] C:\Windows\syswow64\WS2_32.dll!WSARecv + 185 0000000076187142 7 bytes JMP 0000000100b600c9 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[1260] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom + 148 000000007618cc3a 7 bytes JMP 0000000100b60061 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[1260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d51465 2 bytes [D5, 75] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[1260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d514bb 2 bytes [D5, 75] .text ... * 2 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[3076] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefe9645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[3076] C:\Windows\system32\ws2_32.dll!getsockname 000007fefe969480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[3076] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefe98e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[3076] C:\Windows\system32\ws2_32.dll!getpeername 000007fefe98e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\SysWOW64\rundll32.exe[3468] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 26 000000006f2a13c6 2 bytes [2A, 6F] .text C:\Windows\SysWOW64\rundll32.exe[3468] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 74 000000006f2a13f6 2 bytes [2A, 6F] .text C:\Windows\SysWOW64\rundll32.exe[3468] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 257 000000006f2a14ad 2 bytes [2A, 6F] .text C:\Windows\SysWOW64\rundll32.exe[3468] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 303 000000006f2a14db 2 bytes [2A, 6F] .text ... * 2 .text C:\Windows\SysWOW64\rundll32.exe[3468] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 79 000000006f2a1577 2 bytes [2A, 6F] .text C:\Windows\SysWOW64\rundll32.exe[3468] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 175 000000006f2a15d7 2 bytes [2A, 6F] .text C:\Windows\SysWOW64\rundll32.exe[3468] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 620 000000006f2a1794 2 bytes [2A, 6F] .text C:\Windows\SysWOW64\rundll32.exe[3468] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 921 000000006f2a18c1 2 bytes [2A, 6F] .text C:\Windows\SysWOW64\rundll32.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d51465 2 bytes [D5, 75] .text C:\Windows\SysWOW64\rundll32.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d514bb 2 bytes [D5, 75] .text ... * 2 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3508] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d51465 2 bytes [D5, 75] .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3508] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d514bb 2 bytes [D5, 75] .text ... * 2 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007768fcb0 5 bytes JMP 00000001003a091c .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007768fe14 5 bytes JMP 00000001003a0048 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007768fea8 5 bytes JMP 00000001003a02ee .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077690004 5 bytes JMP 00000001003a04b2 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077690038 5 bytes JMP 00000001003a09fe .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077690068 5 bytes JMP 00000001003a0ae0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077690084 5 bytes JMP 0000000100020050 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007769079c 5 bytes JMP 00000001003a012a .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007769088c 5 bytes JMP 00000001003a0758 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776908a4 5 bytes JMP 00000001003a0676 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077690df4 5 bytes JMP 00000001003a03d0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077691920 5 bytes JMP 00000001003a0594 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077691be4 5 bytes JMP 00000001003a083a .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077691d70 5 bytes JMP 00000001003a020c .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000076221492 7 bytes JMP 00000001003e04bc .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007616524f 7 bytes JMP 00000001003a0f52 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000761653d0 7 bytes JMP 00000001003e0210 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000076165677 1 byte JMP 00000001003e0048 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000076165679 5 bytes {JMP 0xffffffff8a27a9d1} .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007616589a 7 bytes JMP 00000001003a0ca6 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000076165a1d 7 bytes JMP 00000001003e03d8 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000076165c9b 7 bytes JMP 00000001003e012c .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000076165d87 7 bytes JMP 00000001003e02f4 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000076167240 7 bytes JMP 00000001003a0e6e .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d51465 2 bytes [D5, 75] .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d514bb 2 bytes [D5, 75] .text ... * 2 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[1492] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefe9645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[1492] C:\Windows\system32\ws2_32.dll!getsockname 000007fefe969480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[1492] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefe98e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[1492] C:\Windows\system32\ws2_32.dll!getpeername 000007fefe98e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4128] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefe9645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4128] C:\Windows\system32\ws2_32.dll!getsockname 000007fefe969480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4128] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefe98e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4128] C:\Windows\system32\ws2_32.dll!getpeername 000007fefe98e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[4308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d51465 2 bytes [D5, 75] .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[4308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d514bb 2 bytes [D5, 75] .text ... * 2 .text C:\Users\tds\Videos\napsnap.exe[1052] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075d51465 2 bytes [D5, 75] .text C:\Users\tds\Videos\napsnap.exe[1052] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000075d514bb 2 bytes [D5, 75] .text ... * 2 .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe[4184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d51465 2 bytes [D5, 75] .text C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe[4184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d514bb 2 bytes [D5, 75] .text ... * 2 .text C:\Users\tds\Videos\mfcmifc.exe[3440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d51465 2 bytes [D5, 75] .text C:\Users\tds\Videos\mfcmifc.exe[3440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d514bb 2 bytes [D5, 75] .text ... * 2 .text C:\Windows\system32\conhost.exe[5336] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefe9645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\conhost.exe[5336] C:\Windows\system32\ws2_32.dll!getsockname 000007fefe969480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\conhost.exe[5336] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefe98e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\conhost.exe[5336] C:\Windows\system32\ws2_32.dll!getpeername 000007fefe98e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[980] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075502aa4 5 bytes JMP 0000000142f10ffc .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d51465 2 bytes [D5, 75] .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d514bb 2 bytes [D5, 75] .text ... * 2 .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[1424] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075502aa4 5 bytes JMP 0000000142f10ffc .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[1424] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d51465 2 bytes [D5, 75] .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[1424] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d514bb 2 bytes [D5, 75] .text ... * 2 .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[1652] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075502aa4 5 bytes JMP 0000000142f10ffc .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[1652] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d51465 2 bytes [D5, 75] .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[1652] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d514bb 2 bytes [D5, 75] .text ... * 2 .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[1968] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075502aa4 5 bytes JMP 0000000142f10ffc .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d51465 2 bytes [D5, 75] .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d514bb 2 bytes [D5, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Realtime Soft\RTSHookInterop\x32\RTSHookInterop.exe[1704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d51465 2 bytes [D5, 75] .text C:\Program Files (x86)\Common Files\Realtime Soft\RTSHookInterop\x32\RTSHookInterop.exe[1704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d514bb 2 bytes [D5, 75] .text ... * 2 .text C:\Windows\notepad.exe[2052] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefe9645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\notepad.exe[2052] C:\Windows\system32\ws2_32.dll!getsockname 000007fefe969480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\notepad.exe[2052] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefe98e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\notepad.exe[2052] C:\Windows\system32\ws2_32.dll!getpeername 000007fefe98e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007768fcb0 5 bytes JMP 00000001002a091c .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007768fe14 5 bytes JMP 00000001002a0048 .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007768fea8 5 bytes JMP 00000001002a02ee .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077690004 5 bytes JMP 00000001002a04b2 .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077690038 5 bytes JMP 00000001002a09fe .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077690068 5 bytes JMP 00000001002a0ae0 .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077690084 5 bytes JMP 0000000100020050 .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007769079c 5 bytes JMP 00000001002a012a .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007769088c 5 bytes JMP 00000001002a0758 .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776908a4 5 bytes JMP 00000001002a0676 .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077690df4 5 bytes JMP 00000001002a03d0 .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077691920 5 bytes JMP 00000001002a0594 .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077691be4 5 bytes JMP 00000001002a083a .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077691d70 5 bytes JMP 00000001002a020c .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007616524f 7 bytes JMP 00000001002a0f52 .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000761653d0 7 bytes JMP 00000001002b0210 .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000076165677 1 byte JMP 00000001002b0048 .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000076165679 5 bytes {JMP 0xffffffff8a14a9d1} .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007616589a 7 bytes JMP 00000001002a0ca6 .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000076165a1d 7 bytes JMP 00000001002b03d8 .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000076165c9b 7 bytes JMP 00000001002b012c .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000076165d87 7 bytes JMP 00000001002b02f4 .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000076167240 7 bytes JMP 00000001002a0e6e .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000076221492 7 bytes JMP 00000001002b04bc .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d51465 2 bytes [D5, 75] .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[3152] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d514bb 2 bytes [D5, 75] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800105cf1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800105ccc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800105d69c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800105da98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800105d8f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-a fffffa80054de2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-7 fffffa80054de2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80054de2c0 Device \Driver\atapi \Device\Ide\IdePort4 fffffa80054de2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80054de2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-6 fffffa80054de2c0 Device \Driver\atapi \Device\Ide\IdePort5 fffffa80054de2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80054de2c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80054de2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 fffffa80054de2c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80054de2c0 Device \FileSystem\Ntfs \Ntfs fffffa80055ce2c0 Device \Driver\dtsoftbus01 \Device\0000007a fffffa8005ece2c0 Device \Driver\usbehci \Device\USBFDO-7 fffffa8006b2d2c0 Device \Driver\dtsoftbus01 \Device\00000078 fffffa8005ece2c0 Device \Driver\usbuhci \Device\USBPDO-5 fffffa8006b0d2c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa8006b2d2c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa8006b0d2c0 Device \Driver\cdrom \Device\CdRom0 fffffa8005f6c2c0 Device \Driver\cdrom \Device\CdRom1 fffffa8005f6c2c0 Device \Driver\cdrom \Device\CdRom2 fffffa8005f6c2c0 Device \Driver\cdrom \Device\CdRom3 fffffa8005f6c2c0 Device \Driver\USBSTOR \Device\000000a0 fffffa8005eef2c0 Device \Driver\cdrom \Device\CdRom4 fffffa8005f6c2c0 Device \Driver\dtsoftbus01 \Device\00000079 fffffa8005ece2c0 Device \Driver\usbuhci \Device\USBPDO-6 fffffa8006b0d2c0 Device \Driver\USBSTOR \Device\0000009f fffffa8005eef2c0 Device \Driver\usbuhci \Device\USBFDO-4 fffffa8006b0d2c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa8006b0d2c0 Device \Driver\usbuhci \Device\USBPDO-2 fffffa8006b0d2c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa8005ece2c0 Device \Driver\USBSTOR \Device\000000ab fffffa8005eef2c0 Device \Driver\USBSTOR \Device\000000a9 fffffa8005eef2c0 Device \Driver\USBSTOR \Device\000000a1 fffffa8005eef2c0 Device \Driver\usbehci \Device\USBPDO-7 fffffa8006b2d2c0 Device \Driver\usbuhci \Device\USBFDO-5 fffffa8006b0d2c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa8006b2d2c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa8006b0d2c0 Device \Driver\USBSTOR \Device\000000a2 fffffa8005eef2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80060e82c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{FD87BF39-C542-486A-8F8D-945CC03965ED} fffffa80060e82c0 Device \Driver\usbuhci \Device\USBFDO-6 fffffa8006b0d2c0 Device \Driver\dtsoftbus01 \Device\00000077 fffffa8005ece2c0 Device \Driver\usbuhci \Device\USBPDO-4 fffffa8006b0d2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80054de2c0 Device \Driver\usbuhci \Device\USBFDO-2 fffffa8006b0d2c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa8006b0d2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80054de2c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80054de2c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80054de2c0 Device \Driver\atapi \Device\ScsiPort4 fffffa80054de2c0 Device \Driver\atapi \Device\ScsiPort5 fffffa80054de2c0 Device \Driver\USBSTOR \Device\000000a3 fffffa8005eef2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80054de2c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa80054de2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk3\DR3[0xfffffa8005d69060] fffffa8005d69060 Trace 3 CLASSPNP.SYS[fffff88000c2943f] -> nt!IofCallDriver -> [0xfffffa8005b2a580] fffffa8005b2a580 Trace 5 ACPI.sys[fffff880011ab7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T1L0-a[0xfffffa8005b2e060] fffffa8005b2e060 Trace \Driver\atapi[0xfffffa80056225d0] -> IRP_MJ_CREATE -> 0xfffffa80054de2c0 fffffa80054de2c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBD 0x81 0xC7 0x48 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x00 0xB2 0xB9 0xB4 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x77 0x50 0x02 0x9F ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x76 0x23 0x58 0x6E ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x03 0xDA 0x41 0xE0 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF5 0x6E 0x14 0xBF ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA4 0xD7 0xC8 0xEF ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE9 0xC0 0xB6 0x99 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x28 0xCC 0x46 0xC0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF5 0x6E 0x14 0xBF ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF1 0xC3 0x19 0x10 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE9 0xC0 0xB6 0x99 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x28 0xCC 0x46 0xC0 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF5 0x6E 0x14 0xBF ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF1 0xC3 0x19 0x10 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\tds\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Contrast\Microsoft\xae Windows\xae Operating System.lnk 1 ---- EOF - GMER 2.1 ----