GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-01-14 20:02:35 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10JPVX-22JC3T0 rev.01.01A01 931,51GB Running: 67sl15o8.exe; Driver: C:\Users\User\AppData\Local\Temp\awddapob.sys ---- Kernel code sections - GMER 2.1 ---- PAGE C:\Windows\system32\drivers\ataport.SYS!DllUnload fffff88000fe34a0 12 bytes {MOV RAX, 0xfffffa80041222a0; JMP RAX} .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff880066b5d8c 12 bytes {MOV RAX, 0xfffffa8005b902a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 166 000000002f661afc 2 bytes [66, 2F] .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\SysWOW64\ntdll.dll!KiUserExceptionDispatcher 0000000077990124 5 bytes JMP 00000001001c0bf8 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007799fb68 5 bytes JMP 00000001001c0a2c .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007799fc90 5 bytes JMP 00000001001c0946 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007799fe54 5 bytes JMP 00000001001c05ac .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007799ffe4 5 bytes JMP 00000001001c0778 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779a00f4 5 bytes JMP 00000001001c0b12 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000779a0854 5 bytes JMP 00000001001c03e0 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779a08e4 5 bytes JMP 00000001001c04c6 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000779a095c 5 bytes JMP 00000001001c0214 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\SysWOW64\ntdll.dll!RtlRandomEx + 97 00000000779c4e98 7 bytes JMP 00000001001c02fa .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\SysWOW64\ntdll.dll!RtlGetFrame + 245 0000000077a1ff6f 7 bytes JMP 00000001001c085e .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA + 568 0000000075fb1038 7 bytes JMP 00000001001a04c6 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 48 0000000075fb106d 7 bytes JMP 00000001001b0214 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!CreateEventW + 19 0000000075fb1831 7 bytes JMP 00000001001a02fa .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!DuplicateHandle + 102 0000000075fb18cc 7 bytes JMP 00000001001a03e0 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!MapViewOfFile + 19 0000000075fb18e4 7 bytes JMP 00000001001b03e0 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!ReadFile + 132 0000000075fb3f17 7 bytes JMP 00000001001a012e .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!CreateDirectoryW + 257 0000000075fb4322 7 bytes JMP 00000001001a0692 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!DisableThreadLibraryCalls + 41 0000000075fb48d6 7 bytes JMP 00000001001a0cdc .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!LoadLibraryExA + 19 0000000075fb48ee 7 bytes JMP 00000001001a0a2a .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!GetModuleFileNameW + 8 0000000075fb4920 7 bytes JMP 00000001001a0778 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!GetSystemInfo + 8 0000000075fb499a 7 bytes JMP 00000001001a0ea8 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!LoadLibraryA + 81 0000000075fb49f0 7 bytes JMP 00000001001a0944 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!CreateMutexA + 19 0000000075fb4c46 7 bytes JMP 00000001001a0bf6 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!GetFileInformationByHandle + 19 0000000075fb5389 7 bytes JMP 00000001001a0dc2 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!FindNextFileW + 19 0000000075fb54c9 7 bytes JMP 00000001001b02fa .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075fb8791 5 bytes JMP 00000001534c53fc .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!OpenFile + 435 0000000075fca4a2 7 bytes JMP 00000001001a0214 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!SetProcessPriorityBoost + 48 0000000075fcd993 7 bytes JMP 00000001001b0048 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!VirtualFreeEx + 19 0000000075fcd9c3 7 bytes JMP 00000001001a085e .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!ExpandEnvironmentStringsA + 92 0000000075fceb7d 7 bytes JMP 00000001001a0048 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!SetMessageWaitingIndicator + 200 00000000760331a4 7 bytes JMP 00000001001a0b10 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!CreatePipe + 11 000000007603485e 7 bytes JMP 00000001001a05ac .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\kernel32.dll!VirtualAllocExNuma + 11 0000000076034cb2 7 bytes JMP 00000001001b012e .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\KERNELBASE.dll!CreateFileMappingNumaW 00000000760be6fc 5 bytes JMP 00000001001b0692 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\KERNELBASE.dll!CreateFileMappingW 00000000760be82b 5 bytes JMP 00000001001b0b10 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\KERNELBASE.dll!MapViewOfFile 00000000760beb31 5 bytes JMP 00000001001b0bf6 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\KERNELBASE.dll!MapViewOfFileEx 00000000760bebca 5 bytes JMP 00000001001b085e .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000760beca6 5 bytes JMP 00000001001c0048 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\KERNELBASE.dll!VirtualProtectEx 00000000760bee9c 5 bytes JMP 00000001001b0944 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\KERNELBASE.dll!VirtualAllocEx 00000000760bef65 5 bytes JMP 00000001001b0cdc .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\KERNELBASE.dll!VirtualProtect 00000000760befc3 5 bytes JMP 00000001001b0778 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\KERNELBASE.dll!VirtualAlloc 00000000760bf002 5 bytes JMP 00000001001b05ac .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 00000000760c2cdf 5 bytes JMP 00000001001c012e .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 00000000760c3e7e 5 bytes JMP 00000001001b0ea8 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\KERNELBASE.dll!HeapCreate 00000000760c54af 5 bytes JMP 00000001001b0dc2 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\KERNELBASE.dll!CreateFileW 00000000760cc29f 5 bytes JMP 00000001001b0a2a .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000075636143 5 bytes JMP 0000000153f8f68e .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000075af3e59 5 bytes JMP 00000001534f10b7 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000075af3eae 5 bytes JMP 00000001534fb0be .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000075af4731 5 bytes JMP 000000015352b5dc .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000075af5dee 5 bytes JMP 000000015352c50f .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[6368] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileA + 331 000000007664e74b 7 bytes JMP 00000001001c0ea6 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff880011125b0] \SystemRoot\System32\Drivers\spik.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff8800111253c] \SystemRoot\System32\Drivers\spik.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010d735c] \SystemRoot\System32\Drivers\spik.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010d7224] \SystemRoot\System32\Drivers\spik.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010d7a24] \SystemRoot\System32\Drivers\spik.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010d7ba0] \SystemRoot\System32\Drivers\spik.sys [unknown section] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa8004f122c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa8004f122c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa8004f122c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa8004f122c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa8004f122c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa8004f122c0 Device \Driver\awaygi6h \Device\Scsi\awaygi6h1 fffffa8005a722c0 Device \Driver\awaygi6h \Device\Scsi\awaygi6h1Port4Path0Target0Lun0 fffffa8005a722c0 Device \FileSystem\Ntfs \Ntfs fffffa8004f182c0 Device \FileSystem\fastfat \Fat fffffa8004c642c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{31C029DC-1AF5-41F0-9A64-C2D164A09AA3} fffffa80058382c0 Device \Driver\USBSTOR \Device\0000009a fffffa8004c8c2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80063672c0 Device \Driver\cdrom \Device\CdRom0 fffffa800563d2c0 Device \Driver\cdrom \Device\CdRom1 fffffa800563d2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa80063672c0 Device \Driver\USBSTOR \Device\00000099 fffffa8004c8c2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{B5026AB8-267C-407C-8AF3-4E3B695483C4} fffffa80058382c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80063672c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa800412d2c0 Device \Driver\volmgr \Device\FtControl fffffa800412d2c0 Device \Driver\volmgr \Device\VolMgrControl fffffa800412d2c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa800412d2c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa800412d2c0 Device \Driver\volmgr \Device\HarddiskVolume4 fffffa800412d2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80058382c0 Device \Driver\atapi \Device\ScsiPort0 fffffa8004f122c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa80063672c0 Device \Driver\atapi \Device\ScsiPort1 fffffa8004f122c0 Device \Driver\atapi \Device\ScsiPort2 fffffa8004f122c0 Device \Driver\atapi \Device\ScsiPort3 fffffa8004f122c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{8946BD0C-CBCC-4818-8C08-6FFBB66D033E} fffffa80058382c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{E6E80BE2-F03C-4DA0-B4A0-45498790C702} fffffa80058382c0 Device \Driver\awaygi6h \Device\ScsiPort4 fffffa8005a722c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys >>UNKNOWN [0xfffffa8004f122c0]<< spik.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa8004f122c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005343060] fffffa8005343060 Trace 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> [0xfffffa80051d1b10] fffffa80051d1b10 Trace 5 hpdskflt.sys[fffff88001be4189] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800508c060] fffffa800508c060 Trace \Driver\atapi[0xfffffa800502c420] -> IRP_MJ_CREATE -> 0xfffffa8004f122c0 fffffa8004f122c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\awaygi6h.SYS fffff88004ad4000-fffff88004b18000 (278528 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [2400:2760] 000007fefda4a808 Thread C:\Windows\system32\svchost.exe [2400:2832] 000007fef73f6e5c Thread C:\Windows\system32\svchost.exe [2400:2044] 000007fef73f5708 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{38EE0F59-74A1-469B-864A-F14E9C5BCE7A}\Connection@Name isatap.{B5026AB8-267C-407C-8AF3-4E3B695483C4} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{1AF63D57-80B7-4DF3-8872-4C09EDDBC3C0}?\Device\{CCD87EEB-25A0-4A79-93C1-7089008100E1}?\Device\{EBADA770-9579-4D3C-A72D-223C3D1BFBDD}?\Device\{38EE0F59-74A1-469B-864A-F14E9C5BCE7A}?\Device\{F1A5701B-E2BB-429E-AB67-1198B753DCC1}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{1AF63D57-80B7-4DF3-8872-4C09EDDBC3C0}"?"{CCD87EEB-25A0-4A79-93C1-7089008100E1}"?"{EBADA770-9579-4D3C-A72D-223C3D1BFBDD}"?"{38EE0F59-74A1-469B-864A-F14E9C5BCE7A}"?"{F1A5701B-E2BB-429E-AB67-1198B753DCC1}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{1AF63D57-80B7-4DF3-8872-4C09EDDBC3C0}?\Device\TCPIP6TUNNEL_{CCD87EEB-25A0-4A79-93C1-7089008100E1}?\Device\TCPIP6TUNNEL_{EBADA770-9579-4D3C-A72D-223C3D1BFBDD}?\Device\TCPIP6TUNNEL_{38EE0F59-74A1-469B-864A-F14E9C5BCE7A}?\Device\TCPIP6TUNNEL_{F1A5701B-E2BB-429E-AB67-1198B753DCC1}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f3952c37ce Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f3952c37ce@980d2e27ca11 0x66 0x2C 0x23 0xC3 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f3952c37ce@18879600feb1 0x4F 0xF5 0x8D 0x6B ... Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{38EE0F59-74A1-469B-864A-F14E9C5BCE7A}@InterfaceName isatap.{B5026AB8-267C-407C-8AF3-4E3B695483C4} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{38EE0F59-74A1-469B-864A-F14E9C5BCE7A}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x02 0x3D 0xCF 0x76 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 d:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x41 0x69 0x7B 0xF6 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x88 0x53 0x33 0x11 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f3952c37ce (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f3952c37ce@980d2e27ca11 0x66 0x2C 0x23 0xC3 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f3952c37ce@18879600feb1 0x4F 0xF5 0x8D 0x6B ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x02 0x3D 0xCF 0x76 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 d:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x41 0x69 0x7B 0xF6 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x88 0x53 0x33 0x11 ... ---- EOF - GMER 2.1 ----