GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-17 21:47:24 Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17 ST3500320AS rev.SD1A 465.76GB Running: uqn7wplu.exe; Driver: C:\DOCUME~1\Sally\LOCALS~1\Temp\pwlyapod.sys ---- System - GMER 2.1 ---- SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwAddBootEntry [0xA8A1CACC] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xA8A1D5AA] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwClose [0xA8A61881] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateEvent [0xA8A29692] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateEventPair [0xA8A296DE] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xA8A29878] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateKey [0xA8A61235] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateMutant [0xA8A29600] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateSection [0xA8A29722] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xA8A29648] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateThread [0xA8A1DAE0] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateTimer [0xA8A29832] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xA8A1E398] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xA8A1CB32] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDeleteKey [0xA8A61F47] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xA8A621FD] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDuplicateObject [0xA8A21BE4] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwEnumerateKey [0xA8A61DB2] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xA8A61C1D] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwLoadDriver [0xA8A1C71E] SSDT \??\C:\WINDOWS\system32\drivers\aswSP.sys ZwMapViewOfSection [0xA8C6A506] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xA8A1CB98] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xA8A21FDA] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xA8A1EEDE] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenEvent [0xA8A296BC] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenEventPair [0xA8A29700] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xA8A2989C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenKey [0xA8A61591] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenMutant [0xA8A29626] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenProcess [0xA8A214DE] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenSection [0xA8A297B0] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xA8A29670] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenThread [0xA8A218C6] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenTimer [0xA8A29856] SSDT \??\C:\WINDOWS\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xA8C6A2AA] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwQueryKey [0xA8A61A98] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwQueryObject [0xA8A1ECF4] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwQueryValueKey [0xA8A618EA] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwQueueApcThread [0xA8A1E84A] SSDT \??\C:\WINDOWS\system32\drivers\aswSP.sys ZwRenameKey [0xA8C78286] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwRestoreKey [0xA8A6087B] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xA8A1CBFE] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetBootOptions [0xA8A1CC64] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetContextThread [0xA8A1E212] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xA8A1C7B8] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xA8A1C98A] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetValueKey [0xA8A6204E] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwShutdownSystem [0xA8A1C918] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSuspendProcess [0xA8A1E562] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSuspendThread [0xA8A1E6C4] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xA8A1CA12] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwTerminateProcess [0xA8A1E050] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwTerminateThread [0xA8A1E1F2] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwVdmControl [0xA8A1CCCA] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xA8A1D606] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2F4C 80504834 4 Bytes JMP A2A8A618 .text ntkrnlpa.exe!ZwCallbackReturn + 2F58 80504840 4 Bytes CALL D030F0E6 .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [FE, CB, A1, A8, 64, CC, A1, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [62, E5, A1, A8, C4, E6, A1, ...] PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL A8A1F5AF \??\C:\WINDOWS\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Bonjour\mDNSResponder.exe[304] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Bonjour\mDNSResponder.exe[304] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[320] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[320] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\services.exe[324] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\services.exe[324] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[340] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[340] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[392] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[392] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[524] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[524] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[572] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[612] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe[680] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe[680] kernel32.dll!SetUnhandledExceptionFilter 7C8449CD 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} .text C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe[680] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\BT Common Client\btomosrv.exe[692] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\BT Common Client\btomosrv.exe[692] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe[728] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe[728] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[744] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\SYSTEM32\GEARSEC.EXE[816] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\SYSTEM32\GEARSEC.EXE[816] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[820] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[888] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Java\jre7\bin\jqs.exe[908] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Java\jre7\bin\jqs.exe[908] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[912] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[912] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1000] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1000] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1032] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1032] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[1116] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[1116] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\igfxpers.exe[1200] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\igfxpers.exe[1200] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1208] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1208] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1324] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003701F8 .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1324] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1324] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003703FC .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1324] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1324] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215559 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1324] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9BB9 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1324] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD1F5 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1324] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDC44 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1324] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254704 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1324] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E79A7 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1324] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E78D9 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1324] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E7944 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1324] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E77AA C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1324] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E780C C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1324] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E7A0A C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1324] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E786E C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1324] ole32.dll!CoCreateInstance 774FF1D4 5 Bytes JMP 3E2EDCA0 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1324] ole32.dll!OleLoadFromStream 7752988B 5 Bytes JMP 3E3E7D0F C:\WINDOWS\system32\IEFRAME.dll .text C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\notepad.exe[1480] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\notepad.exe[1480] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1564] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1564] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[1608] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\hkcmd.exe[1628] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\hkcmd.exe[1628] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1648] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1648] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1744] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1816] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1816] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1940] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1940] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1984] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1984] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[2012] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[2012] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[2036] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[2036] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\MsPMSPSv.exe[2052] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\MsPMSPSv.exe[2052] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\AirPrint\airprint.exe[2112] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AirPrint\airprint.exe[2112] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[2184] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[2184] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 90, 2D, 00] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 93, 2D, 00] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 90, 2D, 00] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 91, 2D, 00] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B9103AA .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 92, 2D, 00] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 91, 2D, 00] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 92, 2D, 00] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91041B .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 90, 2D, 00] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B910549 .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 91, 2D, 00] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 92, 2D, 00] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 93, 2D, 00] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 007401F8 .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 007403FC .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2232] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Windows Media Player\WMPNetwk.exe[2268] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Windows Media Player\WMPNetwk.exe[2268] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\REALTEK\RTL8185 Wireless LAN Utility\RtWLan.exe[2576] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\REALTEK\RTL8185 Wireless LAN Utility\RtWLan.exe[2576] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[2816] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[2816] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2972] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003801F8 .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2972] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2972] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003803FC .text C:\Documents and Settings\Sally\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2972] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\NOTEPAD.EXE[3108] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\NOTEPAD.EXE[3108] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3128] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003701F8 .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3128] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3128] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003703FC .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3128] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3128] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215559 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3128] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDC44 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3128] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E79A7 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3128] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E78D9 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3128] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E7944 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3128] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E77AA C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3128] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E780C C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3128] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E7A0A C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3128] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E786E C:\WINDOWS\system32\IEFRAME.dll .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3440] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3440] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Documents and Settings\Sally\Desktop\lot.exe[3532] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\Sally\Desktop\lot.exe[3532] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Documents and Settings\Sally\Desktop\uqn7wplu.exe[3956] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\Sally\Desktop\uqn7wplu.exe[3956] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[4004] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[4004] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[4040] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[4040] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\notepad.exe[4056] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\notepad.exe[4056] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[324] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003B0002 IAT C:\WINDOWS\system32\services.exe[324] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003B0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswNdis2.sys AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswNdis2.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp aswNdis2.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswNdis2.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys Device \FileSystem\Cdfs \Cdfs A72DA400 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0F 0x4C 0x3D 0x98 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x1E 0xEF 0xBF ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBC 0xB1 0xCE 0xE2 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x4D 0x96 0x00 0xB7 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x1E 0xEF 0xBF ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x56 0xE3 0x00 0x72 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0F 0x4C 0x3D 0x98 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x1E 0xEF 0xBF ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x56 0xE3 0x00 0x72 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x4D 0x96 0x00 0xB7 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x1E 0xEF 0xBF ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x56 0xE3 0x00 0x72 ... Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x4D 0x96 0x00 0xB7 ... Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x1E 0xEF 0xBF ... Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1 Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x56 0xE3 0x00 0x72 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x4D 0x96 0x00 0xB7 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x1E 0xEF 0xBF ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1 Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x56 0xE3 0x00 0x72 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x4D 0x96 0x00 0xB7 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x1E 0xEF 0xBF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x56 0xE3 0x00 0x72 ... Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x4D 0x96 0x00 0xB7 ... Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x92 0x1E 0xEF 0xBF ... Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1 Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x56 0xE3 0x00 0x72 ... Reg HKLM\SOFTWARE\Classes\CLSID\{087F3405-C50C-733B-1D4C-B82680176732}\AutoConvertTo@ {0002CE02-0000-0000-C000-000000000046} Reg HKLM\SOFTWARE\Classes\CLSID\{087F3405-C50C-733B-1D4C-B82680176732}\NotInsertable@ Reg HKLM\SOFTWARE\Classes\CLSID\{087F3405-C50C-733B-1D4C-B82680176732}\Ole1Class@ Equation Reg HKLM\SOFTWARE\Classes\CLSID\{087F3405-C50C-733B-1D4C-B82680176732}\ProgID@ Equation Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\AuxUserType\2 Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\AuxUserType\2@ Sound Recorder Document Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\AuxUserType\3 Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\AuxUserType\3@ Microsoft Sound Recorder Server Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\DataFormats\DefaultFile Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\DataFormats\DefaultFile@ 12 Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\DataFormats\DefaultSet Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\DataFormats\DefaultSet@ SoundRec Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\DataFormats\GetSet Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\DataFormats\GetSet\0 Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\DataFormats\GetSet\0@ 3,1,32,1 Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\DataFormats\GetSet\1 Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\DataFormats\GetSet\1@ 8,-1,1,3 Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}@ Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}@ Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\InprocHandler32@ ole32.dll Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\Insertable@ Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\LocalServer@ sndrec32.exe Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\LocalServer32@ sndrec32.exe Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\MiscStatus@ 0 Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\PersistentHandler@ {098f2470-bae0-11cd-b579-08002b30bfeb} Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\ProgID@ SoundRec Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\verb\0 Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\verb\0@ &Play,0,3 Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\verb\1 Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\verb\1@ &Edit,0,2 Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\verb\2 Reg HKLM\SOFTWARE\Classes\CLSID\{4FED0344-3AEA-8BD4-B455-1990AE7C334F}\verb\2@ &Open,0,2 Reg HKLM\SOFTWARE\Classes\CLSID\{FD77C8EE-6FFB-7E2C-3CF9-0E4232225D4A}\InprocServer32@ C:\WINDOWS\system32\lmrt.dll Reg HKLM\SOFTWARE\Classes\CLSID\{FD77C8EE-6FFB-7E2C-3CF9-0E4232225D4A}\InprocServer32@ThreadingModel Both Reg HKLM\SOFTWARE\Classes\CLSID\{FD77C8EE-6FFB-7E2C-3CF9-0E4232225D4A}\MiscStatus@ 0 Reg HKLM\SOFTWARE\Classes\CLSID\{FD77C8EE-6FFB-7E2C-3CF9-0E4232225D4A}\MiscStatus\1 Reg HKLM\SOFTWARE\Classes\CLSID\{FD77C8EE-6FFB-7E2C-3CF9-0E4232225D4A}\MiscStatus\1@ 131473 Reg HKLM\SOFTWARE\Classes\CLSID\{FD77C8EE-6FFB-7E2C-3CF9-0E4232225D4A}\ToolboxBitmap32@ C:\WINDOWS\system32\lmrt.dll, 1 Reg HKLM\SOFTWARE\Classes\CLSID\{FD77C8EE-6FFB-7E2C-3CF9-0E4232225D4A}\TypeLib@ {183C2598-0480-11d1-87EA-00C04FC29D46} Reg HKLM\SOFTWARE\Classes\CLSID\{FD77C8EE-6FFB-7E2C-3CF9-0E4232225D4A}\Version@ 1.0.0115 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----