GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-14 00:02:14
Windows 6.1.7600
Running: cg894ful.exe; Driver: H:\Users\ANDRZEJ\AppData\Local\Temp\pgldrpob.sys

---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83632AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83632104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 836323F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8361B2D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8361A898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 836321DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83632958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 836326F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83632F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 836331A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8324B599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8326FF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text H:\Windows\system32\DRIVERS\atipmdag.sys section is writeable [0x8F438000, 0x2ECEB2, 0xE8000020]
.text peauth.sys 9D967C9D 28 Bytes [15, C6, BD, 73, ED, CF, 3B, ...]
.text peauth.sys 9D967CC1 28 Bytes [15, C6, BD, 73, ED, CF, 3B, ...]

---- User code sections - GMER 1.0.15 ----

.text H:\Downloads\PeerBlock_r181__Win32_Release_(Vista)\peerblock.exe[4124] kernel32.dll!SetUnhandledExceptionFilter 76BF3162 5 Bytes JMP 0043F0C0 H:\Downloads\PeerBlock_r181__Win32_Release_(Vista)\peerblock.exe (PeerBlock/PeerBlock, LLC)
.text H:\Program Files\Mozilla Firefox\firefox.exe[5528] ntdll.dll!LdrLoadDll 7742F625 5 Bytes JMP 010613F0 H:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT H:\Windows\Explorer.EXE[2144] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74162494] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[2144] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74145624] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[2144] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [741456E2] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[2144] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7416250F] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[2144] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74158573] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[2144] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74154D27] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[2144] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [741550CE] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[2144] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [741551A3] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[2144] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [741566D0] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[2144] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [741582CA] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[2144] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74158819] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[2144] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7415907A] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[2144] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7415E21D] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[2144] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74154C59] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\System32\rundll32.exe[3336] @ H:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75475E25] H:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT H:\Windows\System32\rundll32.exe[3336] @ H:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75475E25] H:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT H:\Windows\System32\rundll32.exe[3336] @ H:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75475E25] H:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT H:\Windows\System32\rundll32.exe[3336] @ H:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75475E25] H:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT H:\Windows\System32\rundll32.exe[3336] @ H:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75475E25] H:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3528] @ H:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75475E25] H:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3528] @ H:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75475E25] H:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3528] @ H:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75475E25] H:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3528] @ H:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [75475E25] H:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3528] @ H:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75475E25] H:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3528] @ H:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75475E25] H:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000071 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume10 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001583144005
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@FrequencyCorrectRate 4
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@PollAdjustFactor 5
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@LargePhaseOffset 50000000
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@SpikeWatchPeriod 900
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@LocalClockDispersion 10
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@HoldPeriod 5
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@PhaseCorrectRate 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@UpdateInterval 360000
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@EventLogFlags 2
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@AnnounceFlags 10
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@TimeJumpAuditOffset 28800
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MinPollInterval 10
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MaxPollInterval 15
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MaxNegPhaseCorrection 54000
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MaxPosPhaseCorrection 54000
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MaxAllowedPhaseOffset 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@DllName %systemroot%\system32\w32time.dll
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@Enabled 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@InputProvider 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@AllowNonstandardModeCombinations 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@CrossSiteSyncFlags 2
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@ResolvePeerBackoffMinutes 15
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@ResolvePeerBackoffMaxTimes 7
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@CompatibilityFlags -2147483648
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@EventLogFlags 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@LargeSampleSkew 3
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@SpecialPollInterval 604800
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@SpecialPollTimeRemaining time.windows.com,0?????????????????
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@DllName %systemroot%\system32\w32time.dll
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@Enabled 0
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@InputProvider 0
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@AllowNonstandardModeCombinations 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@EventLogFlags 0
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainEntryTimeout 16
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainMaxEntries 128
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainMaxHostEntries 4
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainDisable 0
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainLoggingRate 30
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\VMICTimeProvider
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\VMICTimeProvider@Enabled 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\VMICTimeProvider@InputProvider 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\VMICTimeProvider@DllName %SystemRoot%\System32\vmictimeprovider.dll
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\VMICTimeProvider\Parameters
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001583144005 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@FrequencyCorrectRate 4
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@PollAdjustFactor 5
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@LargePhaseOffset 50000000
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@SpikeWatchPeriod 900
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@LocalClockDispersion 10
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@HoldPeriod 5
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@PhaseCorrectRate 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@UpdateInterval 360000
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@EventLogFlags 2
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@AnnounceFlags 10
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@TimeJumpAuditOffset 28800
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MinPollInterval 10
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MaxPollInterval 15
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MaxNegPhaseCorrection 54000
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MaxPosPhaseCorrection 54000
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MaxAllowedPhaseOffset 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@DllName %systemroot%\system32\w32time.dll
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@Enabled 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@InputProvider 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@AllowNonstandardModeCombinations 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@CrossSiteSyncFlags 2
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@ResolvePeerBackoffMinutes 15
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@ResolvePeerBackoffMaxTimes 7
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@CompatibilityFlags -2147483648
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@EventLogFlags 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@LargeSampleSkew 3
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@SpecialPollInterval 604800
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@SpecialPollTimeRemaining time.windows.com,0?????????????????
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@DllName %systemroot%\system32\w32time.dll
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@Enabled 0
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@InputProvider 0
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@AllowNonstandardModeCombinations 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@EventLogFlags 0
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainEntryTimeout 16
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainMaxEntries 128
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainMaxHostEntries 4
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainDisable 0
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainLoggingRate 30
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\VMICTimeProvider (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\VMICTimeProvider@Enabled 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\VMICTimeProvider@InputProvider 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\VMICTimeProvider@DllName %SystemRoot%\System32\vmictimeprovider.dll
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\VMICTimeProvider\Parameters (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION

---- EOF - GMER 1.0.15 ----
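The user-mode entries in the log above (the two ".text ... JMP" lines and the IAT lines) are the part of a GMER report that needs a human decision: a hook is a hook, and GMER does not say whether the redirect target is the process itself, a Windows component, or something foreign. The script below is an added example, not GMER code and not written by the poster. It parses those two entry formats and sorts each hook by where it lands: into the hooked process's own image, into the same DLL it imports from (only the path differs, as with the WinSxS copy of gdiplus.dll), into apphelp.dll (the Windows application-compatibility shim library, which is the module the log itself names), or into an unrelated module, with a separate flag when that module lives under a user-writable directory. The classification rules, the KNOWN_REDIRECTORS table and the fifth sample line (a hypothetical notepad.exe hook into %TEMP%) are this example's own constructions; the first four sample lines are copied, single-spaced, from the log.

```python
"""Triage of GMER 1.0.15 user-mode hook lines (added example; not GMER's own logic).

Handles the two user-mode entry shapes in a GMER report:
  .text <process>[pid] <dll>!<api> <addr> N Bytes JMP <target> <module> (<desc>)
  IAT   <process>[pid] @ <importing module> [<dll>!<api>] [<addr>] <module> (<desc>)
and classifies each hook by the module it lands in. The heuristics are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

INLINE_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<dll>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<jmp>[0-9A-Fa-f]+)\s+"
    r"(?P<target>.+?)(?:\s+\((?P<desc>[^()]*)\))?\s*$"
)
IAT_RE = re.compile(
    r"^IAT\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>.+?)\s+"
    r"\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+"
    r"(?P<target>.+?)(?:\s+\((?P<desc>[^()]*)\))?\s*$"
)

# Modules that legitimately redirect imports in other processes (assumed table);
# apphelp.dll is the Windows application-compatibility client library named in the log.
KNOWN_REDIRECTORS = {"apphelp.dll": "Windows application-compatibility shim engine"}
# Path fragments a system or product DLL should not normally be loaded from.
USER_WRITABLE = ("\\temp\\", "\\appdata\\")


@dataclass
class Hook:
    kind: str       # "inline" (patched code bytes) or "IAT" (import slot)
    process: str
    pid: int
    dll: str        # DLL that exports the hooked API
    func: str
    target: str     # module that owns the address the hook lands in


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Optional[Hook]:
    m = INLINE_RE.match(line)
    if m:
        return Hook("inline", m["process"], int(m["pid"]), m["dll"], m["func"], m["target"])
    m = IAT_RE.match(line)
    if m:
        return Hook("IAT", m["process"], int(m["pid"]), m["dll"], m["func"], m["target"])
    return None  # kernel, device and registry lines are out of scope here


def classify(h: Hook) -> str:
    tgt = basename(h.target)
    if h.kind == "IAT" and tgt == h.dll.lower():
        # Slot resolves into the DLL it imports from; GMER lists it only because the
        # on-disk path differs from the one it expected (e.g. a WinSxS copy).
        return "expected"
    if h.kind == "inline" and tgt == basename(h.process):
        # The process patched an API to jump back into its own image
        # (crash handlers, DLL-load interception): self-instrumentation.
        return "self-hook"
    if tgt in KNOWN_REDIRECTORS:
        return f"redirected ({tgt}: {KNOWN_REDIRECTORS[tgt]})"
    if any(frag in h.target.lower() for frag in USER_WRITABLE):
        return f"review ({tgt} loaded from a user-writable directory)"
    return f"redirected ({tgt})"


def triage(lines) -> list:
    out = []
    for line in lines:
        h = parse_line(line)
        if h is not None:
            out.append({"kind": h.kind, "pid": h.pid, "api": f"{h.dll}!{h.func}",
                        "target": basename(h.target), "verdict": classify(h)})
    return out


# Four lines copied (single-spaced) from the GMER log above, plus one constructed line.
SAMPLE_LINES = [
    r".text H:\Downloads\PeerBlock_r181__Win32_Release_(Vista)\peerblock.exe[4124] kernel32.dll!SetUnhandledExceptionFilter 76BF3162 5 Bytes JMP 0043F0C0 H:\Downloads\PeerBlock_r181__Win32_Release_(Vista)\peerblock.exe (PeerBlock/PeerBlock, LLC)",
    r".text H:\Program Files\Mozilla Firefox\firefox.exe[5528] ntdll.dll!LdrLoadDll 7742F625 5 Bytes JMP 010613F0 H:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)",
    r"IAT H:\Windows\System32\rundll32.exe[3336] @ H:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75475E25] H:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)",
    r"IAT H:\Windows\Explorer.EXE[2144] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74162494] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)",
    # Constructed, NOT from the log: a hypothetical hook whose target sits under %TEMP%.
    r".text C:\Windows\notepad.exe[1234] ntdll.dll!LdrLoadDll 7742F625 5 Bytes JMP 10001A20 C:\Users\user\AppData\Local\Temp\hook.dll",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(f"{r['kind']:6} pid={r['pid']:<5} {r['api']:40} -> {r['target']:14} {r['verdict']}")
```

Run against the real lines, the PeerBlock and Firefox entries come out as self-hooks, the Explorer gdiplus slots as expected, and the rundll32/LaunchApplication GetProcAddress slots as redirects into apphelp.dll; only the constructed %TEMP% line is flagged for review. The verdicts are a reading aid for the log, not proof of anything: a "self-hook" or "expected" entry still deserves a look if the process itself is unexpected, and a module in a system directory can still be malicious, so treat "redirected" as the list of things to verify on disk (signature, version, hash) rather than as a clean bill.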