GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-01-15 13:51:13 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-22ZCT0 rev.11.01A11 298,09GB Running: 9gqpi5s5.exe; Driver: C:\Users\user\AppData\Local\Temp\kwtdapob.sys ---- System - GMER 2.1 ---- SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwAddBootEntry [0x90A8D546] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwAlpcConnectPort [0x90A8DAA8] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwAlpcSendWaitReceivePort [0x90A8FBA4] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x9033C5AE] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwConnectPort [0x90A8EBC2] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateEvent [0x903485E0] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateEventPair [0x9034862C] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x903487C6] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateMutant [0x9034854E] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwCreateSection [0x90A8E842] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x90348596] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwCreateThread [0x90A8CDAA] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateTimer [0x90348780] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x9033D39C] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwDeleteBootEntry [0x90A8D5B2] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwDeleteFile [0x90A8DC80] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwDeviceIoControlFile [0x90A8CE86] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwDuplicateObject [0x90A8D1EA] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwFsControlFile 
[0x90A8DC20] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwImpersonateClientOfPort [0x90A8DBE6] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwImpersonateThread [0x90A8DBA4] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwLoadDriver [0x90A8F6CE] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwMapViewOfSection [0x90A8F532] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwModifyBootEntry [0x90A8D57C] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x90340F28] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x9033DE2C] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenEvent [0x9034860A] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenEventPair [0x9034864E] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x903487EA] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenMutant [0x90348574] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwOpenProcess [0x90A8E9D0] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwOpenSection [0x90A8E3C8] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x903485BE] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwOpenThread [0x90A8EAB6] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenTimer [0x903487A4] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwProtectVirtualMemory [0x90A8E48C] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwQueryObject [0x9033DCF8] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwQueueApcThread [0x90A8CF44] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwReplaceKey [0x90A8D6D4] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwRequestWaitReplyPort [0x90A8FA74] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwRestoreKey [0x90A8D61E] SSDT \??\C:\Program Files\SpyShelter 
Personal Free\SpyShelter.sys ZwSecureConnectPort [0x90A8ECAC] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x9033BC02] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwSetBootOptions [0x90A8D5E8] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwSetContextThread [0x90A8CFA8] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwSetInformationFile [0x90A8DCE4] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwSetSystemInformation [0x90A8E71A] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x9033B98E] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwShutdownSystem [0x90A8D4FE] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSuspendProcess [0x9033D566] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSuspendThread [0x9033D6C8] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwSystemDebugControl [0x90A8D01A] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwTerminateProcess [0x90A85000] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwTerminateThread [0x90A85023] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwVdmControl [0x9033BCCE] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwWriteVirtualMemory [0x90A8F788] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwCreateThreadEx [0x90A8DF0E] INT 0x51 ? 8556ACB8 INT 0x51 ? 8556ACB8 INT 0x51 ? 8556ACB8 INT 0x51 ? 8556ACB8 INT 0x51 ? 87070F00 INT 0x51 ? 87070F00 INT 0x51 ? 8556ACB8 INT 0x62 ? 87070F00 INT 0x82 ? 87070F00 INT 0x92 ? 87070F00 INT 0xA2 ? 
87070F00 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetEvent + 10E 82AE2759 3 Bytes [D5, A8, 90] {AAD 0xa8; NOP } .text ntkrnlpa.exe!KeSetEvent + 13D 82AE2788 4 Bytes [A8, DA, A8, 90] {TEST AL, 0xda; TEST AL, 0x90} .text ntkrnlpa.exe!KeSetEvent + 181 82AE27CC 4 Bytes [A4, FB, A8, 90] {MOVSB ; STI ; TEST AL, 0x90} .text ntkrnlpa.exe!KeSetEvent + 191 82AE27DC 4 Bytes [AE, C5, 33, 90] {SCASB ; LDS ESI, [EBX]; NOP } .text ntkrnlpa.exe!KeSetEvent + 1C1 82AE280C 4 Bytes [C2, EB, A8, 90] {RET 0xa8eb; NOP } .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82C7000F 4 Bytes CALL 9033E513 \??\C:\Windows\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 82C73C83 4 Bytes CALL 9033E529 \??\C:\Windows\system32\drivers\aswSnx.sys .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x80744774] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F00C000, 0x1FA4DA, 0xE8000020] .hgjhgj1 C:\Program Files\SpyShelter Personal Free\SpyShelter.sys entry point in ".hgjhgj1" section [0x90B0E40F] ---- User code sections - GMER 2.1 ---- .text C:\Windows\System32\spoolsv.exe[216] kernel32.dll!GetBinaryTypeW + 70 76DE2447 1 Byte [62] .text C:\Windows\system32\svchost.exe[424] kernel32.dll!GetBinaryTypeW + 70 76DE2447 1 Byte [62] .text C:\Windows\system32\csrss.exe[644] KERNEL32.dll!GetBinaryTypeW + 70 76DE2447 1 Byte [62] .text C:\Windows\system32\wininit.exe[704] kernel32.dll!GetBinaryTypeW + 70 76DE2447 1 Byte [62] .text C:\Windows\system32\csrss.exe[716] KERNEL32.dll!GetBinaryTypeW + 70 76DE2447 1 Byte [62] .text ... 
---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00240002 IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00240000 IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74A07817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74A4B4F1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74A0BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [749FF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74A075E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [749FE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74A373F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74A0DA60] 
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [749FFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [749FFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [749F71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74A8CB00] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74A2C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [749FD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [749F6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [749F687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[3388] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74A02AD1] 
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 855711F8 AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys Device \Driver\netbt \Device\NetBT_Tcpip_{95CA2C3C-FD56-41BD-9E43-42896D123BC9} 89BB8440 AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys Device \Driver\usbuhci \Device\USBPDO-0 86F781F8 Device \Driver\usbuhci \Device\USBPDO-1 86F781F8 Device \Driver\usbuhci \Device\USBPDO-2 86F781F8 Device \Driver\usbehci \Device\USBPDO-3 86F7A1F8 Device \Driver\usbuhci \Device\USBPDO-4 86F781F8 AttachedDevice \Driver\tdx \Device\Tcp aswTdi.sys Device \Driver\usbuhci \Device\USBPDO-5 86F781F8 Device \Driver\usbuhci \Device\USBPDO-6 86F781F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 ambakdrv.sys Device \Driver\usbehci \Device\USBPDO-7 86F7A1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 ambakdrv.sys Device \Driver\cdrom \Device\CdRom0 86F851F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 855701F8 Device \Driver\atapi \Device\Ide\IdePort0 855701F8 Device \Driver\atapi \Device\Ide\IdePort1 855701F8 Device \Driver\atapi \Device\Ide\IdePort2 855701F8 Device \Driver\atapi \Device\Ide\IdePort3 855701F8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 855701F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 ambakdrv.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 ambakdrv.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 ambakdrv.sys Device \Driver\netbt \Device\NetBT_Tcpip_{5D8AFAF8-2BAF-4411-9602-09BD707EE9C8} 89BB8440 Device \Driver\netbt \Device\NetBt_Wins_Export 89BB8440 Device \Driver\Smb \Device\NetbiosSmb 89B4C1F8 Device \Driver\netbt \Device\NetBT_Tcpip_{28D2A77B-C764-4A30-9B21-2B6F8BFDD6E0} 89BB8440 Device \Driver\iScsiPrt \Device\RaidPort0 86F811F8 AttachedDevice \Driver\tdx \Device\Udp aswTdi.sys Device \Driver\usbuhci \Device\USBFDO-0 86F781F8 Device 
\Driver\usbuhci \Device\USBFDO-1 86F781F8 Device \Driver\usbuhci \Device\USBFDO-2 86F781F8 Device \Driver\usbehci \Device\USBFDO-3 86F7A1F8 Device \Driver\usbuhci \Device\USBFDO-4 86F781F8 Device \Driver\usbuhci \Device\USBFDO-5 86F781F8 Device \Driver\usbuhci \Device\USBFDO-6 86F781F8 Device \Driver\usbehci \Device\USBFDO-7 86F7A1F8 Device \FileSystem\cdfs \Cdfs 8AB2D1F8 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x855701f8]<< 855701f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86825ac8] 86825ac8 Trace 3 CLASSPNP.SYS[8b3c38b3] -> nt!IofCallDriver -> [0x85f62918] 85f62918 Trace 5 acpi.sys[807686bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85faa5e0] 85faa5e0 Trace \Driver\atapi[0x85f68ab0] -> IRP_MJ_CREATE -> 0x855701f8 855701f8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002243a1c024 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002243a1c024@001a45bc6a48 0xAC 0x02 0xFF 0xE8 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6D 0x34 0xF1 0xD2 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet008\Services\BTHPORT\Parameters\Keys\002243a1c024 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet008\Services\BTHPORT\Parameters\Keys\002243a1c024@001a45bc6a48 0xAC 0x02 0xFF 0xE8 ... Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6D 0x34 0xF1 0xD2 ... 
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\ Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODI05.00.00.01PRO F99D2ADFA9531C94947A6E50246A977CF6E5A0BCABDCBC3D29FED2A3AC41C14FDEA2EAD3A7BFB5711DFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C5D575E7D6A3B9808A9C6AECB7A5D1407A6A0AC4980AC7933A2D97226D213B55570A2FD7ED5DF804DDFEF8DA5372EC45233AFEB36E2DF2E4D9546D2DA60431F27FA4347E60FAEB2C0BE138888895A2892CE7D13D1950B72146178AB88A80846F9C6467CCD78634846BCE8469121163E9F5EDF2054D06257011B3A40C29314853544F560111D00DDA222B02A38B065136C272BB4741211FDD4A114931B86D6AE850A2F77BF6AD81613603D59ABD1253DE01247391B39960A45742670D9CB14168D53658B20B417164609773D4CFE0050592832D7690BC4A1FAB79EDFF9906514E2FB1FA9A730B6085D53D805311779E8A69CF801AFAEC2719236C434ACE4B4851087762285F7881A7198F123A25EE5248B4043E575320A289CDBF00154C042CB129B980B9A0CB3FB8C5AE4CC1E7A7126400E480074856CFA203A119E087A22CADC804ABC78CBAD64AE3A69FBD4F99714719FD2899CFC8920150525A894D1BBEAD5A65FD46A80C38EC9FECBF02EC9AC993F35C4018FD15A546816C4FE7866CB98551EC234EC5319B4459369AAC13D53E4BDB312AAA41E28577B6A96C6673F60C6AB9DF3012E51201 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.1 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-405362096-3759355950-1882576851-1001 0 bytes File C:\avast! sandbox\S-1-5-21-405362096-3759355950-1882576851-1001\webStorage 0 bytes File C:\avast! sandbox\S-1-5-21-405362096-3759355950-1882576851-1001\webStorage\C 0 bytes File C:\avast! sandbox\S-1-5-21-405362096-3759355950-1882576851-1001\webStorage\C\Windows 0 bytes File C:\avast! sandbox\S-1-5-21-405362096-3759355950-1882576851-1001\webStorage\C\Windows\Prefetch 0 bytes File C:\avast! 
sandbox\S-1-5-21-405362096-3759355950-1882576851-1001\webStorage\C\Windows\Prefetch\FIREFOX.EXE-0900FF54.pf 23482 bytes File C:\avast! sandbox\S-1-5-21-405362096-3759355950-1882576851-1001\webStorage\C\Windows\Prefetch\FIREFOX.EXE-82622768.pf 14724 bytes File C:\avast! sandbox\S-1-5-21-405362096-3759355950-1882576851-1001\webStorage\snx_fs.dat 4436 bytes File C:\avast! sandbox\snx_rhive 12288 bytes File C:\avast! sandbox\snx_rhive.LOG1 9216 bytes File C:\avast! sandbox\snx_rhive.LOG2 0 bytes File C:\avast! sandbox\snx_rhive{12921065-6e39-11e3-92dd-002354169f02}.TM.blf 65536 bytes File C:\avast! sandbox\snx_rhive{12921065-6e39-11e3-92dd-002354169f02}.TMContainer00000000000000000001.regtrans-ms 524288 bytes File C:\avast! sandbox\snx_rhive{12921065-6e39-11e3-92dd-002354169f02}.TMContainer00000000000000000002.regtrans-ms 524288 bytes ---- EOF - GMER 2.1 ----