GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-03-01 19:24:06 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0 rev. 0,00MB Running: kkk9eugu.exe; Driver: C:\Users\Erni\AppData\Local\Temp\kxldapod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031c1000 45 bytes [00, 00, 0A, 00, 45, 76, 65, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800031c102f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- ? C:\Program Files\EslWire\service\WireHelperSvc.exe [1604] entry point in ".vmp1" section 000000013fc878ce .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007730fc80 5 bytes JMP 00000001000b012a .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007730fcb0 5 bytes JMP 00000001000b0bc2 .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007730fe14 5 bytes JMP 00000001000b0048 .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtReadVirtualMemory 000000007730fe90 5 bytes JMP 00000001000b0e68 .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007730fea8 5 bytes JMP 00000001000b0594 .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007730ff24 5 bytes JMP 00000001000b0f4a .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077310004 5 bytes JMP 00000001000b0758 .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077310038 5 bytes JMP 00000001000b0ca4 .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077310068 5 bytes JMP 00000001000b0d86 .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077310084 5 bytes JMP 0000000100020050 .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtAlertResumeThread 00000000773102e8 5 bytes JMP 00000001000b020c .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007731079c 5 bytes JMP 00000001000b03d0 .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007731088c 5 bytes JMP 00000001000b09fe .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773108a4 2 bytes JMP 00000001000b091c .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 3 00000000773108a7 2 bytes [DA, 88] .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077310df4 5 bytes JMP 00000001000b0676 .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx 00000000773115d4 5 bytes JMP 00000001000b02ee .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077311920 5 bytes JMP 00000001000b083a .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077311be4 5 bytes JMP 00000001000b0ae0 .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077311d70 5 bytes JMP 00000001000b04b2 .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000764c1492 7 bytes JMP 00000001000c0a12 .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 00000000761e524f 7 bytes JMP 00000001000c03d8 .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000761e53d0 7 bytes JMP 00000001000c0684 .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 00000000761e5677 7 bytes JMP 00000001000c04bc .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 00000000761e589a 7 bytes JMP 00000001000c012c .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 00000000761e5a1d 7 bytes JMP 00000001000c084c .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 00000000761e5c9b 7 bytes JMP 00000001000c05a0 .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 00000000761e5d87 7 bytes JMP 00000001000c0768 .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 00000000761e7240 7 bytes JMP 00000001000c02f4 .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075281465 2 bytes [28, 75] .text C:\Program Files (x86)\Origin\Origin.exe[1104] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752814bb 2 bytes [28, 75] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001038e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001038c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001039614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001039a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800103986c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortCopyMemory] [?] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortGetPhysicalAddress] [?] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortReadRegisterUlong] [?] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortInitializeEx] [?] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortDeviceStateChange] [?] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortEtwTraceLog] [?] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortRegistryFreeBuffer] [?] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortGetBusData] [?] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortRegistryRead] [?] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortRequestCallback] [?] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortStallExecution] [ffffb0a015ff5024] [unknown section] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortGetUnCachedExtension] [fffffa60e8cb8b48] [unknown section] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortReadRegisterUchar] [?] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortBuildRequestSenseIrb] [fff9c3e8d2330000] [unknown section] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortReleaseRequestSenseIrb] [fffa47e8cb8b48ff] [unknown section] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortCompleteRequest] [?] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortNotification] [?] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortGetDeviceBase] [?] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortGetScatterGatherList] [?] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortRegistryAllocateBuffer] [?] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[PCIIDEX.SYS!AtaPortWriteRegisterUlong] [?] IAT C:\Windows\System32\Drivers\agme4vxa.SYS[NTOSKRNL.exe!KeBugCheckEx] [?] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE[USER32.dll!MoveWindow] [7fef8d91a80] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE[USER32.dll!DeferWindowPos] [7fef8d91de0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE[USER32.dll!EndPaint] [7fef8d91f90] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE[USER32.dll!SetWindowPos] [7fef8d91c20] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\system32\SHELL32.dll[USER32.dll!MoveWindow] [7fef8d91a80] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowPos] [7fef8d91c20] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\system32\SHELL32.dll[USER32.dll!DeferWindowPos] [7fef8d91de0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\system32\SHELL32.dll[USER32.dll!EndPaint] [7fef8d91f90] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\system32\ole32.dll[USER32.dll!MoveWindow] [7fef8d91a80] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!EndPaint] [7fef8d91f90] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!MoveWindow] [7fef8d91a80] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!SetWindowPos] [7fef8d91c20] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\system32\DUser.dll[USER32.dll!EndPaint] [7fef8d91f90] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\system32\DUI70.dll[USER32.dll!SetWindowPos] [7fef8d91c20] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\system32\IMM32.dll[USER32.dll!EndPaint] [7fef8d91f90] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\system32\IMM32.dll[USER32.dll!SetWindowPos] [7fef8d91c20] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\system32\MSCTF.dll[USER32.dll!MoveWindow] [7fef8d91a80] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\system32\MSCTF.dll[USER32.dll!EndPaint] [7fef8d91f90] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWindowPos] [7fef8d91c20] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\system32\UxTheme.dll[USER32.dll!SetWindowPos] [7fef8d91c20] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!MoveWindow] [7fef8d91a80] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!SetWindowPos] [7fef8d91c20] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80037c32c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80037c32c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80037c32c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80037c32c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80037c32c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 fffffa80037c32c0 Device \Driver\agme4vxa \Device\Scsi\agme4vxa1Port3Path0Target0Lun0 fffffa8004b6f2c0 Device \Driver\agme4vxa \Device\Scsi\agme4vxa1 fffffa8004b6f2c0 Device \FileSystem\Ntfs \Ntfs fffffa80037cb2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8004ad82c0 Device \Driver\cdrom \Device\CdRom0 fffffa8003d432c0 Device \Driver\cdrom \Device\CdRom1 fffffa8003d432c0 Device \Driver\cdrom \Device\CdRom2 fffffa8003d432c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8004ad82c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa8003cf92c0 Device \Driver\dtsoftbus01 \Device\0000007c fffffa8003cf92c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8004ad82c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8003d3f2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80037c32c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8004ad82c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80037c32c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{20D8D20F-80CD-42DF-A6A7-D993D57AA5C3} fffffa8003d3f2c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80037c32c0 Device \Driver\agme4vxa \Device\ScsiPort3 fffffa8004b6f2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80037c32c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa80037c32c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa8003b46060] fffffa8003b46060 Trace 3 CLASSPNP.SYS[fffff8800140143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80038cd680] fffffa80038cd680 Trace \Driver\atapi[0xfffffa80038a2c30] -> IRP_MJ_CREATE -> 0xfffffa80037c32c0 fffffa80037c32c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\agme4vxa.SYS (MS AHCI 1.0 Standard Driver/Microsoft Corporation SIGNED)(2014-01-05 14:33:01) fffff8800783b000-fffff8800788c000 (331776 bytes) ---- Threads - GMER 2.1 ---- Thread [804:876] 00000000761e7587 Thread [804:548] 000000007422aac0 Thread [804:472] 0000000074b8f28e Thread [804:1028] 0000000074b8f28e Thread [804:1032] 0000000074b8f28e Thread [804:1036] 0000000074b8f28e Thread [804:1040] 0000000074b8f28e Thread [804:1044] 0000000074214e50 Thread [804:1112] 0000000074214c30 Thread [804:1116] 0000000074b8f28e Thread [804:1128] 0000000074b8f28e Thread [804:3364] 0000000077342e65 Thread [804:4168] 0000000074b8f28e Thread [804:4584] 0000000073b962ee Thread [804:1344] 0000000077343e85 ---- Processes - GMER 2.1 ---- Library C:\Users\Erni\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2008] (GG drive menu/GG Network S.A.)(2014- 000000005ff80000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE8 0xE2 0x37 0xF8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 d:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x14 0x50 0xBE 0xAC ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB3 0xF5 0x99 0x95 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD7 0x0E 0x4C 0xDA ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE8 0xE2 0x37 0xF8 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 d:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x14 0x50 0xBE 0xAC ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB3 0xF5 0x99 0x95 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD7 0x0E 0x4C 0xDA ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk1\DR1 sector 0: rootkit-like behavior ---- EOF - GMER 2.1 ----