GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-07-16 07:27:00 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST925082 rev.3.CM 232,89GB Running: usmx5nz6.exe; Driver: C:\Users\marek\AppData\Local\Temp\pwdoypog.sys ---- System - GMER 2.1 ---- INT 0x51 ? 85935BF8 INT 0x51 ? 87407F00 INT 0x51 ? 87407F00 INT 0x51 ? 85935BF8 INT 0x72 ? 87407F00 INT 0x82 ? 87407F00 INT 0x92 ? 87407F00 INT 0xA2 ? 87407F00 INT 0xA2 ? 87407F00 ---- Kernel code sections - GMER 2.1 ---- ? System32\Drivers\spiq.sys System nie może odnaleźć określonej ścieżki. ! .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8EE01340, 0x3E9407, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Internet Explorer\iexplore.exe[2384] kernel32.dll!CreateThread 75E8CBEE 5 Bytes JMP 6C40744B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!SetWindowsHookExW 75F287AD 5 Bytes JMP 6C442374 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!CallNextHookEx 75F28E3B 5 Bytes JMP 6C46769F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!UnhookWindowsHookEx 75F298DB 5 Bytes JMP 6C48E208 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!EnableWindow 75F2CD8B 5 Bytes JMP 6C449C7C C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!DefWindowProcA 75F2DB88 7 Bytes JMP 6C409675 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!CreateWindowExA 75F2DC2A 5 Bytes JMP 6C41348B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!CreateWindowExW 75F31305 5 Bytes JMP 6C46FA4F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!DefWindowProcW 75F403B4 7 Bytes JMP 6C467702 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!DialogBoxParamW 75F510B0 5 Bytes JMP 6C3A188B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!DialogBoxIndirectParamW 75F52EF5 5 Bytes JMP 6C5983CA C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!DialogBoxParamA 75F68152 5 Bytes JMP 6C598365 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!DialogBoxIndirectParamA 75F6847D 5 Bytes JMP 6C59842F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!MessageBoxIndirectA 75F7D4D9 5 Bytes JMP 6C5982EC C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!MessageBoxIndirectW 75F7D5D3 5 Bytes JMP 6C598273 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!MessageBoxExA 75F7D639 5 Bytes JMP 6C59820F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2384] USER32.dll!MessageBoxExW 75F7D65D 5 Bytes JMP 6C5981AB C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2384] ole32.dll!OleLoadFromStream 768A1E80 5 Bytes JMP 6C598B98 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] kernel32.dll!CreateThread 75E8CBEE 5 Bytes JMP 6C40744B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] USER32.dll!SetWindowsHookExW 75F287AD 5 Bytes JMP 6C442374 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] USER32.dll!CallNextHookEx 75F28E3B 5 Bytes JMP 6C46769F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] USER32.dll!UnhookWindowsHookEx 75F298DB 5 Bytes JMP 6C48E208 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] USER32.dll!EnableWindow 75F2CD8B 5 Bytes JMP 6C449C7C C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] USER32.dll!DefWindowProcA 75F2DB88 7 Bytes JMP 6C409675 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] USER32.dll!CreateWindowExA 75F2DC2A 5 Bytes JMP 6C41348B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] USER32.dll!CreateWindowExW 75F31305 5 Bytes JMP 6C46FA4F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] USER32.dll!DefWindowProcW 75F403B4 7 Bytes JMP 6C467702 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] USER32.dll!DialogBoxParamW 75F510B0 5 Bytes JMP 6C3A188B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] USER32.dll!DialogBoxIndirectParamW 75F52EF5 5 Bytes JMP 6C5983CA C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] USER32.dll!DialogBoxParamA 75F68152 5 Bytes JMP 6C598365 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] USER32.dll!DialogBoxIndirectParamA 75F6847D 5 Bytes JMP 6C59842F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] USER32.dll!MessageBoxIndirectA 75F7D4D9 5 Bytes JMP 6C5982EC C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] USER32.dll!MessageBoxIndirectW 75F7D5D3 5 Bytes JMP 6C598273 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] USER32.dll!MessageBoxExA 75F7D639 5 Bytes JMP 6C59820F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] USER32.dll!MessageBoxExW 75F7D65D 5 Bytes JMP 6C5981AB C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ole32.dll!OleLoadFromStream 768A1E80 5 Bytes JMP 6C598B98 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2712] kernel32.dll!CreateThread 75E8CBEE 5 Bytes JMP 6C40744B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!SetWindowsHookExW 75F287AD 5 Bytes JMP 6C442374 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!CallNextHookEx 75F28E3B 5 Bytes JMP 6C46769F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!UnhookWindowsHookEx 75F298DB 5 Bytes JMP 6C48E208 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!EnableWindow 75F2CD8B 5 Bytes JMP 6C449C7C C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!DefWindowProcA 75F2DB88 7 Bytes JMP 6C409675 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!CreateWindowExA 75F2DC2A 5 Bytes JMP 6C41348B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!CreateWindowExW 75F31305 5 Bytes JMP 6C46FA4F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!DefWindowProcW 75F403B4 7 Bytes JMP 6C467702 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!DialogBoxParamW 75F510B0 5 Bytes JMP 6C3A188B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!DialogBoxIndirectParamW 75F52EF5 5 Bytes JMP 6C5983CA C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!DialogBoxParamA 75F68152 5 Bytes JMP 6C598365 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!DialogBoxIndirectParamA 75F6847D 5 Bytes JMP 6C59842F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!MessageBoxIndirectA 75F7D4D9 5 Bytes JMP 6C5982EC C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!MessageBoxIndirectW 75F7D5D3 5 Bytes JMP 6C598273 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!MessageBoxExA 75F7D639 5 Bytes JMP 6C59820F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!MessageBoxExW 75F7D65D 5 Bytes JMP 6C5981AB C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2712] ole32.dll!OleLoadFromStream 768A1E80 5 Bytes JMP 6C598B98 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3440] ntdll.dll!NtCreateFile 777B4264 5 Bytes JMP 5FBFB8D0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3440] ntdll.dll!NtFlushBuffersFile 777B4764 5 Bytes JMP 5FBF7B07 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3440] ntdll.dll!NtQueryFullAttributesFile 777B4C94 5 Bytes JMP 5FBF7820 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3440] ntdll.dll!NtReadFile 777B4EC4 5 Bytes JMP 5FBF7A00 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3440] ntdll.dll!NtReadFileScatter 777B4ED4 5 Bytes JMP 6044CCC0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3440] ntdll.dll!NtWriteFile 777B54D4 5 Bytes JMP 5FBFBFE0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3440] ntdll.dll!NtWriteFileGather 777B54E4 5 Bytes JMP 6044CC6F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3440] kernel32.dll!HeapSetInformation + 26 75E6A9B8 7 Bytes JMP 5FBF8236 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3440] kernel32.dll!LockResource + C 75E86BD3 7 Bytes JMP 60419E65 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3440] kernel32.dll!VirtualAllocEx + 54 75E8B030 7 Bytes JMP 60419E88 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3440] USER32.dll!GetWindowInfo 75F3428E 5 Bytes JMP 60327585 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3440] GDI32.dll!SetStretchBltMode + 256 7647745C 7 Bytes JMP 60419DE6 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5868] USER32.dll!EnableWindow 75F2CD8B 5 Bytes JMP 6C449C7C C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5868] USER32.dll!DialogBoxParamW 75F510B0 5 Bytes JMP 6C3A188B C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5868] USER32.dll!DialogBoxIndirectParamW 75F52EF5 5 Bytes JMP 6C5983CA C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5868] USER32.dll!DialogBoxParamA 75F68152 5 Bytes JMP 6C598365 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5868] USER32.dll!DialogBoxIndirectParamA 75F6847D 5 Bytes JMP 6C59842F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5868] USER32.dll!MessageBoxIndirectA 75F7D4D9 5 Bytes JMP 6C5982EC C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5868] USER32.dll!MessageBoxIndirectW 75F7D5D3 5 Bytes JMP 6C598273 C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5868] USER32.dll!MessageBoxExA 75F7D639 5 Bytes JMP 6C59820F C:\Windows\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5868] USER32.dll!MessageBoxExW 75F7D65D 5 Bytes JMP 6C5981AB C:\Windows\system32\IEFRAME.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[4084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74CC7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[4084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74D0B4F1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[4084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74CCBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[4084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74CBF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[4084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74CC75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[4084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74CBE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[4084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74CF73F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[4084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74CCDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[4084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74CBFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[4084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74CBFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[4084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74CB71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[4084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74D4CB12] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[4084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74CEC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[4084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74CBD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[4084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74CB6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[4084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74CB687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[4084] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74CC2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 859361F8 AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys Device \Driver\volmgr \Device\VolMgrControl 859331F8 Device \Driver\usbuhci \Device\USBPDO-0 874441F8 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iastor.sys spiq.sys >>UNKNOWN [0x858ed938]<< 858ed938 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86a37150] 86a37150 Trace 3 CLASSPNP.SYS[8adc48b3] -> nt!IofCallDriver -> [0x85a15308] 85a15308 Trace 5 acpi.sys[805bb6bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8599c028] 8599c028 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@0017e4cf6de7 0xD3 0xA3 0xE7 0xE6 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@1c62b8d87cc1 0x6B 0x47 0x69 0x1C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@a04e04d7b2df 0xBA 0x88 0x75 0x6B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@0026ff00a9f1 0xA0 0x88 0x91 0xEA ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDF 0xBF 0x9D 0x56 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x36 0x45 0x07 0xCE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x33 0xFB 0x39 0x27 ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00234def4a90 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00234def4a90@0017e4cf6de7 0xD3 0xA3 0xE7 0xE6 ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00234def4a90@1c62b8d87cc1 0x6B 0x47 0x69 0x1C ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00234def4a90@a04e04d7b2df 0xBA 0x88 0x75 0x6B ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00234def4a90@0026ff00a9f1 0xA0 0x88 0x91 0xEA ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDF 0xBF 0x9D 0x56 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x36 0x45 0x07 0xCE ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x33 0xFB 0x39 0x27 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9B592DB4091045C40BE8336ACE9A22FD\Usage@ThinkVantage_Access_Con 1156532547 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\E8962673FD9E8DD4991F18290D8FEE60\Usage@MainFeature 1156570715 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.1 ---- File C:\RRbackups\C 0 bytes File C:\RRbackups\common 0 bytes File C:\RRbackups\common\backups.dat 8192 bytes File C:\RRbackups\common\bmgrmode.dat 29 bytes File C:\RRbackups\common\css.dat 8192 bytes File C:\RRbackups\common\hints.dat 8192 bytes File C:\RRbackups\common\mnd.dat 8192 bytes File C:\RRbackups\common\regcerts.dat 8192 bytes File C:\RRbackups\common\restore.log 110 bytes File C:\RRbackups\common\rr.log 291114 bytes File C:\RRbackups\common\rr_bcdenum.dat 4609 bytes File C:\RRbackups\common\SAM 262144 bytes File C:\RRbackups\common\seccache.dat 8192 bytes File C:\RRbackups\common\secpolicy.dat 28672 bytes File C:\RRbackups\common\settings.dat 32768 bytes File C:\RRbackups\common\system.dat 12288 bytes File C:\RRbackups\common\tvtcmn.dat 8192 bytes File C:\RRbackups\common\tvtns.bin 23 bytes File C:\RRbackups\common\usersids.dat 21840 bytes File C:\RRbackups\Documents and Settings 0 bytes File C:\RRbackups\Documents and Settings\Administrator 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto\RSA 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-500 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-500\a077ead69703e3bf1fd373a3c9376faa_ad18dae1-ed09-4d09-be99-7f96ddc5d568 77 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\CREDHIST 24 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-500 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-500\f209e1c6-e19a-4e81-806e-a0fb1fc39c7f 388 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-500\Preferred 24 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-946592493-3211520402-3949043191-500 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-946592493-3211520402-3949043191-500\1e617109-803e-4be7-9818-0d7338a89cf9 388 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-946592493-3211520402-3949043191-500\Preferred 24 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs 0 bytes File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs 0 bytes File C:\RRbackups\Documents and Settings\marek 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Lenovo 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Lenovo\Client Security Solution 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Lenovo\Client Security Solution\cspContainer.dat 332 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Lenovo\Client Security Solution\hibernation.dat 4 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\22296ea5bcbaac0e7e6cac8ee21ae6d8_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1301 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\5550e7cb640347345a345c63aa7a6848_ad18dae1-ed09-4d09-be99-7f96ddc5d568 59 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\62a45886e06c7d046ea8b819bec0598a_ad18dae1-ed09-4d09-be99-7f96ddc5d568 45 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\64823036320bd02b6b09186b90099f5d_ad18dae1-ed09-4d09-be99-7f96ddc5d568 46 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\6b29ae44e85efac3c72ff4d1865d73f1_ad18dae1-ed09-4d09-be99-7f96ddc5d568 53 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\83aa4cc77f591dfc2374580bbd95f6ba_ad18dae1-ed09-4d09-be99-7f96ddc5d568 45 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\89facafc0026437efa3c336e003f3316_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1311 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\8f71098770f72c7a67cd8f1151619865_ad18dae1-ed09-4d09-be99-7f96ddc5d568 54 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\90465be05b8939c84e21979d69c28c0b_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1294 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\a077ead69703e3bf1fd373a3c9376faa_ad18dae1-ed09-4d09-be99-7f96ddc5d568 77 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\a64731a25811fa88f16bf243447fbb69_ad18dae1-ed09-4d09-be99-7f96ddc5d568 65 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-300751917-3985659210-3560172915-1003\dd508fb67e3df5d722d6ce98ff404371_ad18dae1-ed09-4d09-be99-7f96ddc5d568 63 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\CREDHIST 24 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\982516f1-5e90-4fba-b7b2-88d2f059b413 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\c5032c90-3888-4c84-a1f2-46712f1e1c00 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\11f4c52e-8f9e-4c96-a938-b4897d9cca6a 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\44ff3299-100d-4da3-b232-533418ad5e52 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\4bc9725b-ee04-4570-ba63-c2e59b52c16b 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\558777e6-e2d0-4b42-8020-0340931dfbee 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\7575f1b0-58a4-4f9f-af63-96d06bbfd165 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\7af7b86a-46df-4601-aa13-5dc1af526cc6 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\89a51020-f432-45ce-8d68-a0475934c6d2 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\9b316cad-6698-476a-977e-9c9b1afd3a6f 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\9ef0d5ac-f89b-4750-94fd-50cd2ddcbc26 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\a32f5dc3-5bad-4bfe-b51e-fae93391570f 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\a4cc1a2c-380d-49c9-8b81-693f3119bb46 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\aa05138d-445b-410c-872a-71eeda8eda23 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\b75efed0-5f47-4962-a13e-9f9bf64ac151 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\be8e66a5-5463-4a2a-a5ab-a91a396ac179 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\c9b30038-a00f-4277-9687-48d27ba3bfb7 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\ccbc6ea8-cdfc-45fb-9531-0d62912ef565 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\da121dd6-1e30-4ab3-915c-c6c52521e9f3 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\dc1a2530-0c1a-465c-9f2b-ded409de93f3 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\e7d86958-5282-4c6c-8de2-56a0b1488dec 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\efe5a180-27fa-4079-a366-e28dc345555d 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\f9b9965f-2a53-4616-97e4-10ba9329ffe6 388 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\Protect\S-1-5-21-300751917-3985659210-3560172915-1003\Preferred 24 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\87705B8E2DEBBBC68C7359881FED73527C8F6F4D 930 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\Keys 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\F2167802900C3689B22CA29A271BBA4C76B76266 152 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\Request 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\Request\CRLs 0 bytes File C:\RRbackups\Documents and Settings\marek\AppData\Roaming\Microsoft\SystemCertificates\Request\CTLs 0 bytes File C:\RRbackups\ProgramData 0 bytes File C:\RRbackups\ProgramData\Lenovo 0 bytes File C:\RRbackups\ProgramData\Lenovo\Client Security Solution 0 bytes File C:\RRbackups\ProgramData\Lenovo\Client Security Solution\cspContainer.dat 332 bytes File C:\RRbackups\ProgramData\Microsoft 0 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto 0 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA 0 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys 0 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\025534d3b58679fb8e58cab0d2477dfa_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1757 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2a4ad61fa149c392e4743d21f2b24756_ad18dae1-ed09-4d09-be99-7f96ddc5d568 2087 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8d2450622ab7fcd10abb073fb349a251_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1319 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a077ead69703e3bf1fd373a3c9376faa_ad18dae1-ed09-4d09-be99-7f96ddc5d568 907 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\d013304477f3689e5815d4051f89c4af_ad18dae1-ed09-4d09-be99-7f96ddc5d568 1313 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ec0d180d427673e2fc3a72cb659934ca_ad18dae1-ed09-4d09-be99-7f96ddc5d568 913 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 0 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\62a45886e06c7d046ea8b819bec0598a_ad18dae1-ed09-4d09-be99-7f96ddc5d568 45 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6b29ae44e85efac3c72ff4d1865d73f1_ad18dae1-ed09-4d09-be99-7f96ddc5d568 53 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_ad18dae1-ed09-4d09-be99-7f96ddc5d568 47 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\83aa4cc77f591dfc2374580bbd95f6ba_ad18dae1-ed09-4d09-be99-7f96ddc5d568 45 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\8f71098770f72c7a67cd8f1151619865_ad18dae1-ed09-4d09-be99-7f96ddc5d568 54 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\b973ec0ff915c48a18fe09064ce3a22d_ad18dae1-ed09-4d09-be99-7f96ddc5d568 56 bytes File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_ad18dae1-ed09-4d09-be99-7f96ddc5d568 899 bytes File C:\RRbackups\Q 0 bytes File C:\RRbackups\S 0 bytes File C:\RRbackups\SIS 0 bytes File C:\RRbackups\SIS\C 0 bytes File C:\RRbackups\SIS\Q 0 bytes File C:\RRbackups\SIS\S 0 bytes ---- EOF - GMER 2.1 ----