GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-03-05 00:42:20 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AR1 698,64GB Running: 6wmfj30p.exe; Driver: C:\Users\tru\AppData\Local\Temp\pwdyipog.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88005628d8c 12 bytes {MOV RAX, 0xfffffa80070852a0; JMP RAX} ---- User code sections - GMER 2.2 ---- .text D:\Program Files\Kaspersky Lab\Kaspersky Internet Security Technical Preview 16.0.0\avp.exe[1976] C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077c6fab8 5 bytes JMP 00000000752428e0 .text D:\Program Files\Kaspersky Lab\Kaspersky Internet Security Technical Preview 16.0.0\avp.exe[1976] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c70048 5 bytes JMP 00000000752428a0 .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077a71234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000077a712df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077a71434 8 bytes [50, 6E, EF, FF, 00, 00, 00, ...] .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000077a717be 8 bytes [40, 6E, EF, FF, 00, 00, 00, ...] .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 0000000077a719c4 8 bytes [30, 6E, EF, FF, 00, 00, 00, ...] .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077a71aa4 8 bytes [20, 6E, EF, FF, 00, 00, 00, ...] .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077a71c25 8 bytes [10, 6E, EF, FF, 00, 00, 00, ...] .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077a71d8f 8 bytes [00, 6E, EF, FF, 00, 00, 00, ...] .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077a71e75 8 bytes [F0, 6D, EF, FF, 00, 00, 00, ...] .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000077a720d8 8 bytes [E0, 6D, EF, FF, 00, 00, 00, ...] .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077abbc00 8 bytes JMP 3f3f3f3f .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077abbd80 8 bytes JMP 3f3f3f3f .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077abbdb0 8 bytes JMP 3f3f3f3f .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077abbed0 8 bytes JMP 3f3f3f3f .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077abbf80 8 bytes JMP 3f3f3f3f .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077abc5b0 8 bytes JMP 3f3f3f3f .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077abc800 8 bytes JMP 3f3f3f3f .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077abd060 8 bytes JMP 3f3f3f3f .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000752713cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007527146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000752716d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000752719db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000752719fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[3600] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075271a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077a71234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000077a712df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077a71434 8 bytes [50, DE, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000077a717be 8 bytes [40, DE, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 0000000077a719c4 8 bytes [30, DE, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077a71aa4 8 bytes [20, DE, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077a71c25 8 bytes [10, DE, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077a71d8f 8 bytes [00, DE, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077a71e75 8 bytes [F0, DD, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000077a720d8 8 bytes [E0, DD, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077abbc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077abbd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077abbdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077abbed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077abbf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077abc5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077abc800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077abd060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000752713cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007527146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000752716d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000752719db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000752719fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4628] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075271a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077a71234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000077a712df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077a71434 8 bytes [50, 0E, F4, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000077a717be 8 bytes [40, 0E, F4, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 0000000077a719c4 8 bytes [30, 0E, F4, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077a71aa4 8 bytes [20, 0E, F4, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077a71c25 8 bytes [10, 0E, F4, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077a71d8f 8 bytes [00, 0E, F4, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077a71e75 8 bytes [F0, 0D, F4, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000077a720d8 8 bytes [E0, 0D, F4, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077abbc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077abbd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077abbdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077abbed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077abbf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077abc5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077abc800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077abd060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000752713cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007527146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000752716d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000752719db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000752719fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4736] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075271a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077a71234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000077a712df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077a71434 8 bytes [50, 4E, EA, FF, 00, 00, 00, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000077a717be 8 bytes [40, 4E, EA, FF, 00, 00, 00, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 0000000077a719c4 8 bytes [30, 4E, EA, FF, 00, 00, 00, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077a71aa4 8 bytes [20, 4E, EA, FF, 00, 00, 00, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077a71c25 8 bytes [10, 4E, EA, FF, 00, 00, 00, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077a71d8f 8 bytes [00, 4E, EA, FF, 00, 00, 00, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077a71e75 8 bytes [F0, 4D, EA, FF, 00, 00, 00, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000077a720d8 8 bytes [E0, 4D, EA, FF, 00, 00, 00, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077abbc00 8 bytes JMP 3f3f3f3f .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077abbd80 8 bytes JMP 3f3f3f3f .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077abbdb0 8 bytes JMP 3f3f3f3f .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077abbed0 8 bytes JMP 3f3f3f3f .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077abbf80 8 bytes JMP 3f3f3f3f .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077abc5b0 8 bytes JMP 3f3f3f3f .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077abc800 8 bytes JMP 3f3f3f3f .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077abd060 8 bytes JMP 3f3f3f3f .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000752713cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007527146b 8 bytes {JMP 0xffffffffffffffb0} .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000752716d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000752719db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000752719fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[2824] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075271a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077a71234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000077a712df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077a71434 8 bytes [50, 5E, EE, FF, 00, 00, 00, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000077a717be 8 bytes [40, 5E, EE, FF, 00, 00, 00, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 0000000077a719c4 8 bytes [30, 5E, EE, FF, 00, 00, 00, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077a71aa4 8 bytes [20, 5E, EE, FF, 00, 00, 00, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077a71c25 8 bytes [10, 5E, EE, FF, 00, 00, 00, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077a71d8f 8 bytes [00, 5E, EE, FF, 00, 00, 00, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077a71e75 8 bytes [F0, 5D, EE, FF, 00, 00, 00, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000077a720d8 8 bytes [E0, 5D, EE, FF, 00, 00, 00, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077abbc00 8 bytes JMP 3f3f3f3f .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077abbd80 8 bytes JMP 3f3f3f3f .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077abbdb0 8 bytes JMP 3f3f3f3f .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077abbed0 8 bytes JMP 3f3f3f3f .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077abbf80 8 bytes JMP 3f3f3f3f .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077abc5b0 8 bytes JMP 3f3f3f3f .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077abc800 8 bytes JMP 3f3f3f3f .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077abd060 8 bytes JMP 3f3f3f3f .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000752713cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007527146b 8 bytes {JMP 0xffffffffffffffb0} .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000752716d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000752719db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000752719fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Program Files\Mozilla Firefox\firefox.exe[4240] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075271a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077a71234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000077a712df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077a71434 8 bytes {PUSH RAX; JMP 0x82} .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000077a717be 8 bytes {JMP 0x82} .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 0000000077a719c4 8 bytes [30, 4E, EB, 7E, 00, 00, 00, ...] .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077a71aa4 8 bytes [20, 4E, EB, 7E, 00, 00, 00, ...] .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077a71c25 8 bytes [10, 4E, EB, 7E, 00, 00, 00, ...] .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077a71d8f 8 bytes [00, 4E, EB, 7E, 00, 00, 00, ...] .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077a71e75 8 bytes {JMP 0x82} .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000077a720d8 8 bytes {LOOPNZ 0x4f; JMP 0x82} .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077abbc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077abbd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077abbdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077abbed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077abbf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077abc5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077abc800 8 bytes {JMP QWORD [RIP-0x4a991]} .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077abd060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000752713cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007527146b 8 bytes {JMP 0xffffffffffffffb0} .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000752716d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000752719db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000752719fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Desktop\6wmfj30p.exe[4792] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075271a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800189ef1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800189ecc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800189f69c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800189fa98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800189f8f4] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortCopyMemory] [?] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortGetPhysicalAddress] [?] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortReadRegisterUlong] [?] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortInitializeEx] [?] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortDeviceStateChange] [?] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortEtwTraceLog] [?] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortRegistryFreeBuffer] [?] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortGetBusData] [?] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortRegistryRead] [?] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortRequestCallback] [?] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortStallExecution] [ffffb0a015ff5024] [unknown section] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortGetUnCachedExtension] [fffffa60e8cb8b48] [unknown section] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortReadRegisterUchar] [?] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortBuildRequestSenseIrb] [fff9c3e8d2330000] [unknown section] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortReleaseRequestSenseIrb] [fffa47e8cb8b48ff] [unknown section] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortCompleteRequest] [?] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortNotification] [?] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortGetDeviceBase] [?] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortGetScatterGatherList] [?] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortRegistryAllocateBuffer] [?] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[PCIIDEX.SYS!AtaPortWriteRegisterUlong] [?] IAT C:\windows\System32\Drivers\aa9hm8na.SYS[NTOSKRNL.exe!KeBugCheckEx] [?] IAT C:\windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88004afaad8] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- Devices - GMER 2.2 ---- Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 fffffa80049dd2c0 Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 fffffa80049dd2c0 Device \Driver\iaStor \Device\Ide\iaStor0 fffffa80049dd2c0 Device \Driver\aa9hm8na \Device\Scsi\aa9hm8na1Port2Path0Target0Lun0 fffffa800725d2c0 Device \Driver\aa9hm8na \Device\Scsi\aa9hm8na1 fffffa800725d2c0 Device \FileSystem\Ntfs \Ntfs fffffa80049e82c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{552475B7-27CD-455D-A28E-6C5E62BDA92E} fffffa8006f612c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8006fb32c0 Device \Driver\cdrom \Device\CdRom0 fffffa8006bc02c0 Device \Driver\cdrom \Device\CdRom1 fffffa8006bc02c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{D134C524-BAB0-4A99-B2CE-351057E1081F} fffffa8006f612c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8006fb32c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa80072f42c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{DBB55178-39E2-4BDB-9124-FF680BD2ACDB} fffffa8006f612c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8006fb32c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8006f612c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1DA34F3B-A734-462D-A4AC-1040E50AE925} fffffa8006f612c0 Device \Driver\iaStor \Device\ScsiPort0 fffffa80049dd2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8006fb32c0 Device \Driver\aa9hm8na \Device\ScsiPort2 fffffa800725d2c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80049dd2c0]<< sptd.sys iaStor.sys hal.dll fffffa80049dd2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006a34060] fffffa8006a34060 Trace 3 CLASSPNP.SYS[fffff8800220143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004e40050] fffffa8004e40050 Trace \Driver\iaStor[0xfffffa8004a385f0] -> IRP_MJ_CREATE -> 0xfffffa80049dd2c0 fffffa80049dd2c0 ---- Modules - GMER 2.2 ---- Module \SystemRoot\System32\Drivers\aa9hm8na.SYS (MS AHCI 1.0 Standard Driver/Microsoft Corporation SIGNED)(2010-11-21 03:23:47) fffff88004958000-fffff880049a9000 (331776 bytes) ---- Threads - GMER 2.2 ---- Thread C:\windows\SysWOW64\ntdll.dll [3284:3164] 000000000038315b Thread C:\windows\SysWOW64\ntdll.dll [3284:2964] 00000000739be820 Thread C:\windows\SysWOW64\ntdll.dll [3284:3448] 0000000073c3c59c Thread C:\windows\SysWOW64\ntdll.dll [3284:3032] 0000000073c3c59c Thread C:\windows\SysWOW64\ntdll.dll [3284:3036] 0000000073c3c59c Thread C:\windows\SysWOW64\ntdll.dll [3284:3040] 0000000073c3c59c Thread C:\windows\SysWOW64\ntdll.dll [3284:1340] 0000000073c3c59c Thread C:\windows\SysWOW64\ntdll.dll [3284:1752] 0000000073c3c59c Thread C:\windows\SysWOW64\ntdll.dll [3284:2512] 0000000073c3c59c Thread C:\windows\SysWOW64\ntdll.dll [3284:4236] 0000000070700dc7 Thread C:\windows\SysWOW64\ntdll.dll [3284:4272] 00000000707b36af Thread C:\windows\SysWOW64\ntdll.dll [3284:3720] 00000000707b36af Thread C:\windows\SysWOW64\ntdll.dll [3284:2888] 0000000073c3c59c Thread C:\windows\SysWOW64\ntdll.dll [3284:4928] 000000006aa1b73e Thread C:\windows\SysWOW64\ntdll.dll [3284:688] 00000000707b36af Thread C:\windows\SysWOW64\ntdll.dll [3284:4160] 0000000074a87810 Thread C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3600:3192] 00000000775a7587 Thread C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3600:4136] 000000006d467712 Thread C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3600:4456] 0000000077ca1697 Thread C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3600:4380] 0000000077ca7ad8 Thread C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3600:1924] 0000000077ca7ad8 Thread C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3600:5136] 0000000077ca7ad8 ---- Processes - GMER 2.2 ---- Library D:\Program Files\FileZilla FTP Client\fzshellext_64.dll (*** suspicious ***) @ C:\windows\Explorer.EXE [2260] 0000000180000000 Library D:\Program Files\FileZilla FTP Client\fzshellext_64.dll (*** suspicious ***) @ C:\windows\explorer.exe [2848] 0000000180000000 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\88532e003e75 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b4749f59338f Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b80305284bf4 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b80305284bf4@001c3550a1b1 0xEA 0x01 0xFA 0x2C ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b80305284bf4@1c66aaea063a 0x44 0xF7 0xB5 0x11 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b80305284bf4@b84fd5006385 0x34 0x0B 0xB3 0x2A ... Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Export ????l?????0??????-??0f??? ??????????????s????o?w?????o??ClosePerformanceData?????o???o??????????????ClosePerformanceData??????????????????????0????????????????????????is??)?????N??m???A?????DLo???l?????l????? ???????l?????l???????0????????????????????? ???????l???????????>?0????????????????????? ???????n?????????????,????????J?D????????????????n???????l????? ???????l?????l???????0????????????????????? ???????l???????????>?0????????????????????? ???????l?????l???????0????????????????????????v??????l????? ???????l?????l???????0???????????????????????l???l???l???l???l???l???l???l????????????????? ???????l???????????>?0???????????????????????????????l????? ???????j?????l???????,??????????v?????????????? ???????l?????l???????,??"?????h???????????? ???????p???????????????????????????????s??? ???????p?????????????0???????????????????????l?&??? ???????l???????????>?0????????*????????????????????-??00???????l???f??34??????0??????l???p???l?;?l???l???l???l???l???l???l???l????? ???????p?????~??????????L???????????????????X??n??????????????????? ???????l???????????i??????????????&???????????????????????? ???????l???????????i????? Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xCB 0x38 0x12 0xA4 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x6A 0x4D 0xC6 0xF1 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x76 0x10 0x09 0x1B ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4A 0xA8 0xBF 0x0D ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xEE 0x6A 0x6B 0x10 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x36 0xAF 0x18 0xEA ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----