GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2011-10-30 13:35:26 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 Maxtor_6B200P0 rev.BAH41E00 Running: 0sn79h24.exe; Driver: C:\DOCUME~1\Przemek\USTAWI~1\Temp\pwldqpoc.sys ---- System - GMER 1.0.15 ---- SSDT 896C8C90 ZwAssignProcessToJobObject SSDT sptd.sys ZwCreateKey [0xF74FEA50] SSDT 896C9200 ZwDebugActiveProcess SSDT 896C92F0 ZwDuplicateObject SSDT sptd.sys ZwEnumerateKey [0xF7532FFE] SSDT sptd.sys ZwEnumerateValueKey [0xF753338C] SSDT sptd.sys ZwOpenKey [0xF74FEA30] SSDT 896C8590 ZwOpenProcess SSDT 896C8800 ZwOpenThread SSDT 896C8FD0 ZwProtectVirtualMemory SSDT sptd.sys ZwQueryKey [0xF7533464] SSDT sptd.sys ZwQueryValueKey [0xF75332E4] SSDT 896C90E0 ZwQueueApcThread SSDT 896C8EC0 ZwSetContextThread SSDT 896C8D90 ZwSetInformationThread SSDT 896C5DA0 ZwSetSecurityObject SSDT sptd.sys ZwSetValueKey [0xF75334F6] SSDT 896C8B90 ZwSuspendProcess SSDT 896C8A80 ZwSuspendThread SSDT 896C86E0 ZwTerminateProcess SSDT 896C8A50 ZwTerminateThread SSDT 896C96D0 ZwWriteVirtualMemory INT 0x62 ? 89C12CC8 INT 0x63 ? 899E4CC8 INT 0x82 ? 89C12CC8 INT 0x83 ? 899E4CC8 INT 0x83 ? 899E4CC8 INT 0xA4 ? 899E4CC8 INT 0xB4 ? 899E4CC8 ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!ZwYieldExecution + 11A 804E4944 4 Bytes [50, EA, 4F, F7] .text ntoskrnl.exe!ZwYieldExecution + 252 804E4A7C 4 Bytes JMP F46EF74F .text sptd.sys F74C4000 4 Bytes [A6, 6B, 70, 80] .text sptd.sys F74C4005 27 Bytes [19, 70, 80, 30, 18, 70, 80, ...] .text sptd.sys F74C4024 4 Bytes [74, 6F, 4B, F7] .text sptd.sys F74C402C 28 Bytes [C2, AE, 57, 80, E5, 6B, 59, ...] .text sptd.sys F74C4049 395 Bytes [19, 4E, 80, 75, BD, 50, 80, ...] .text ... .sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xF75BBD38] ? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8335360, 0x24526E, 0xE8000020] .text USBPORT.SYS!DllUnload B83158AC 5 Bytes JMP 899E41D8 .text ay7ykdz6.SYS B8013306 74 Bytes [00, 00, 00, 40, 03, 00, 40, ...] .text ay7ykdz6.SYS B8013351 87 Bytes [00, 00, 00, 00, 00, 00, 00, ...] .text ay7ykdz6.SYS B80133A9 10 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL} .text ay7ykdz6.SYS B80133B4 34 Bytes [40, 00, 00, C8, 50, 41, 47, ...] .text ay7ykdz6.SYS B80133D7 1 Byte [00] .text ... ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\winlogon.exe[580] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 018D6340 .text C:\WINDOWS\system32\winlogon.exe[580] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 018D58D0 .text C:\WINDOWS\system32\winlogon.exe[580] ntdll.dll!NtLockProductActivationKeys 7C90D490 5 Bytes JMP 10001000 C:\WINDOWS\system32\antiwpa.dll .text C:\WINDOWS\system32\winlogon.exe[580] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 018D5A20 .text C:\WINDOWS\system32\winlogon.exe[580] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 018D41B0 .text C:\WINDOWS\system32\winlogon.exe[580] kernel32.dll!MoveFileExW 7C835673 5 Bytes JMP 018D5630 .text C:\WINDOWS\system32\winlogon.exe[580] USER32.dll!GetSystemMetrics 7E368F9C 5 Bytes JMP 10001018 C:\WINDOWS\system32\antiwpa.dll .text C:\WINDOWS\system32\winlogon.exe[580] WS2_32.dll!send 71A54C27 5 Bytes JMP 018D5730 .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[908] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00] .text C:\WINDOWS\system32\userinit.exe[1136] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 009B6340 .text C:\WINDOWS\system32\userinit.exe[1136] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 009B58D0 .text C:\WINDOWS\system32\userinit.exe[1136] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 009B5A20 .text C:\WINDOWS\system32\userinit.exe[1136] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 009B41B0 .text C:\WINDOWS\system32\userinit.exe[1136] kernel32.dll!MoveFileExW 7C835673 5 Bytes JMP 009B5630 .text C:\WINDOWS\system32\userinit.exe[1136] ws2_32.dll!send 71A54C27 5 Bytes JMP 009B5730 .text C:\WINDOWS\Explorer.EXE[1156] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 02856340 .text C:\WINDOWS\Explorer.EXE[1156] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 028558D0 .text C:\WINDOWS\Explorer.EXE[1156] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 02855A20 .text C:\WINDOWS\Explorer.EXE[1156] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 028541B0 .text C:\WINDOWS\Explorer.EXE[1156] kernel32.dll!MoveFileExW 7C835673 5 Bytes JMP 02855630 .text C:\WINDOWS\Explorer.EXE[1156] WS2_32.dll!send 71A54C27 5 Bytes JMP 02855730 .text C:\WINDOWS\system32\taskmgr.exe[1424] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 000A6340 .text C:\WINDOWS\system32\taskmgr.exe[1424] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 000A58D0 .text C:\WINDOWS\system32\taskmgr.exe[1424] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 000A5A20 .text C:\WINDOWS\system32\taskmgr.exe[1424] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 000A41B0 .text C:\WINDOWS\system32\taskmgr.exe[1424] kernel32.dll!MoveFileExW 7C835673 5 Bytes JMP 000A5630 .text C:\WINDOWS\system32\taskmgr.exe[1424] WS2_32.dll!send 71A54C27 5 Bytes JMP 000A5730 .text F:\0sn79h24.exe[1448] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 00156340 .text F:\0sn79h24.exe[1448] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 001558D0 .text F:\0sn79h24.exe[1448] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00155A20 .text F:\0sn79h24.exe[1448] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 001541B0 .text F:\0sn79h24.exe[1448] kernel32.dll!MoveFileExW 7C835673 5 Bytes JMP 00155630 .text F:\0sn79h24.exe[1448] ws2_32.dll!send 71A54C27 5 Bytes JMP 00155730 ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 89C15308 IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [F74C5574] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [F74C50C0] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [F74C5FE0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74C50C0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74C5362] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74C52A4] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74C61BC] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74C5FE0] sptd.sys IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 899E4308 IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74DA312] sptd.sys IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoCreateDevice] F848E853 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoDetachDevice] 758B0001 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!ExFreePoolWithTag] 448E8D08 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoFreeWorkItem] 89000002 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoDeleteDevice] 15FFF84D IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!KeWaitForSingleObject] [B801400C] \SystemRoot\System32\Drivers\ay7ykdz6.SYS (USB Mass Storage Class Driver/Microsoft Corporation) IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!KeSetEvent] 02309E39 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!ObfReferenceObject] 45880000 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 79840FFF IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 57000002 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 023C8E8B IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!NlsMbCodePageTag] CB3B0000 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!RtlInitAnsiString] 0269840F IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!RtlInitUnicodeString] 868B0000 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!sprintf] 00000240 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoFreeIrp] 0230968B IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoCancelIrp] 45890000 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoAllocateIrp] 34868BF0 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!KeInitializeEvent] 89000002 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoSetCompletionRoutineEx] FF40F445 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoInitializeTimer] 0002388E IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IofCallDriver] 02FA8300 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 0238BE8B IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoSetStartIoAttributes] 86890000 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoStartPacket] 00000234 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!PoRequestPowerIrp] 3B495675 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoStopTimer] 3C8E89FB IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoStartTimer] 0F000002 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00008485 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoReleaseCancelSpinLock] BEF98100 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!KeRemoveEntryDeviceQueue] 77000000 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoQueueWorkItem] 3C9E8908 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoFreeMdl] EB000002 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 00BE0521 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoAllocateMdl] C1810000 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] FFFFFF42 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!memmove] 02348689 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 86C70000 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 00000238 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoBuildPartialMdl] 00000006 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoAcquireCancelSpinLock] 023C8E89 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!KeTickCount] 868B0000 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!KeBugCheckEx] 0000023C IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IofCompleteRequest] 02388639 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoStartNextPacket] 45760000 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 02388689 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!PoCallDriver] 3DEB0000 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 7503FA83 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 75FB3B31 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!KeInitializeSpinLock] 90F98134 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!ZwClose] 77000000 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!MmHighestUserAddress] 3C9E8908 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] EB000002 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[HAL.dll!KeGetCurrentIrql] 830C4D8A IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[HAL.dll!KfAcquireSpinLock] 0001CCB8 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[HAL.dll!KfReleaseSpinLock] 48880000 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[HAL.dll!KfRaiseIrql] C0940F68 IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[HAL.dll!KfLowerIrql] 8B55C35D IAT \SystemRoot\System32\Drivers\ay7ykdz6.SYS[USBD.SYS!USBD_CreateConfigurationRequestEx] 458D5653 ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 89C111F8 AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET) Device \FileSystem\Fastfat \FatCdrom 895891F8 Device \Driver\usbuhci \Device\USBPDO-0 89A971F8 Device \Driver\usbuhci \Device\USBPDO-1 89A971F8 Device \Driver\usbuhci \Device\USBPDO-2 89A971F8 Device \Driver\usbuhci \Device\USBPDO-3 89A971F8 Device \Driver\usbehci \Device\USBPDO-4 89A80430 AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET) Device \Driver\Cdrom \Device\CdRom0 899A1430 Device \Driver\atapi \Device\Ide\IdePort0 [F7838B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F7838B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F7838B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F7838B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 [F7838B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 [F7838B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Cdrom \Device\CdRom1 899A1430 Device \Driver\Cdrom \Device\CdRom2 899A1430 Device \Driver\PCI_PNP2406 \Device\0000003b sptd.sys Device \Driver\PCI_PNP2406 \Device\0000003b sptd.sys Device \Driver\usbuhci \Device\USBFDO-0 89A971F8 Device \Driver\usbuhci \Device\USBFDO-1 89A971F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89991430 Device \Driver\usbuhci \Device\USBFDO-2 89A971F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 89991430 Device \Driver\usbuhci \Device\USBFDO-3 89A971F8 Device \Driver\usbehci \Device\USBFDO-4 89A80430 Device \Driver\ay7ykdz6 \Device\Scsi\ay7ykdz61Port2Path0Target0Lun0 89A71430 Device \Driver\ay7ykdz6 \Device\Scsi\ay7ykdz61 89A71430 Device \FileSystem\Fastfat \Fat 895891F8 AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET) Device \FileSystem\Cdfs \Cdfs 89997430 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x99 0x3C 0x73 0xBD ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x50 0x97 0xC6 0xAD ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x88 0xB7 0xE0 0x9F ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x99 0x3C 0x73 0xBD ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x50 0x97 0xC6 0xAD ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x88 0xB7 0xE0 0x9F ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@hwtvsh.exe C:\Documents and Settings\Przemek\Dane aplikacji\hwtvsh.exe Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache@C:\Documents and Settings\Przemek\Dane aplikacji\hwtvsh.exe Auerbach Jim McKeeBernstein Louvre GerardNeil AeolusBenny ---- Files - GMER 1.0.15 ---- File C:\Documents and Settings\Przemek\Dane aplikacji\hwtvsh.exe 160768 bytes executable ---- EOF - GMER 1.0.15 ----