Please Help Cant get clean!

Bithpq

New member
Every time I connect to the internet, without even opening a browser, my computer gets infected with the same virus. I clean my computer with SpyBot, then Malwarebytes, and rescan to make sure it is clean. After I've cleaned my computer I think it would be safe to go back online, but when I do my computer is infected by all the same files again. Please help. This virus spread to two other computers, but only this one is online. I think that the other computers are also infected, but SpyBot and Malwarebytes don't find anything. Any help would be nice :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:45 PM, on 4/26/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\tcpsvcs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\wfxsnt40.exe
H:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\system32\mrtMngr.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\WINNT\TEMP\vyhoz8l3.exe
C:\WINNT\TEMP\vyhoz8l3.exe
C:\WINNT\explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\wfxsnt40.exe
H:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
G:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINNT\system32\mrtMngr.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\Welcome.exe
C:\WINNT\TEMP\337184272.exe
C:\WINNT\TEMP\402809272.exe
C:\WINNT\dhcp\svchost.exe
C:\WINNT\system32\3361\SVCHOST.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\4qfm61yd.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\4qfm61yd.slt\prefs.js)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe Pro 6\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zzzHPSETUP] I:\Setup.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QAGENT] H:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINNT\system32\3361\SVCHOST.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINNT\TEMP\402809272.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: PGPtray.lnk = G:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYCA
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .php: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1217109214875
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINNT\system32\jksahfo93wjfkd.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINNT\dhcp\svchost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINNT\system32\PGPsdkServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINNT\system32\WFXSVC.EXE

--
End of file - 7449 bytes
 
Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Failure to reply within 5 days will result in the topic being closed.
  5. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly


Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------
This virus spread to two other computers but only this one is online.

Are the other computers also W2K machines ?

This machine appears to be quite heavily infected, so the cleaning process may take a few runs.


Download and Run SD Fix

Please download SDFix( by andymanchesta ) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log



Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
 
Please do not run any other tools or scans whilst I am helping you
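The helper's reading of the log above ("quite heavily infected") rests on a handful of visual checks: autoruns and running processes in C:\WINNT\TEMP, copies of svchost.exe outside system32, a registered component whose file is missing, a service with no publisher, a SharedTaskScheduler entry with a gibberish name, and (later in the thread) the question of whether the configured DNS servers are really the ISP's. The script below is an added example written for this page, not a tool the thread uses; it writes those same checks out as rules and runs them over sample lines copied from the logs posted in the thread. The "random name" test is a crude vowel/digit heuristic of my own and is only a prompt for manual review, as is every other finding here.

```python
"""Rule-based triage of a HijackThis-style log (added example, not from the thread)."""
import re
from collections import Counter

# Reasons attached to findings; every one is "look closer", never "delete".
R_TEMP = "executable located in a TEMP directory"
R_SVCHOST = "svchost.exe outside the system32 directory"
R_MISSING = "registered component whose file is missing on disk"
R_NONAME = "autorun entry with an empty name"
R_NOOWNER = "service with no publisher information"
R_RANDOM = "randomly named SharedTaskScheduler entry"
R_DNS = "hard-coded DNS servers; confirm they belong to your ISP"

# A Windows path ending in .exe/.dll; quotes and parentheses delimit it in HJT lines.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"()]*?\.(?:exe|dll)', re.IGNORECASE)

# Sample input: lines taken from the logs posted in this thread, embedded so the
# script runs offline. Replace with the contents of a real log to triage it.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\TEMP\vyhoz8l3.exe
C:\WINNT\dhcp\svchost.exe
C:\WINNT\system32\3361\SVCHOST.exe
C:\WINNT\System32\svchost.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINNT\system32\3361\SVCHOST.exe"
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINNT\TEMP\402809272.exe (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AE7F335-2004-46AE-BB36-3D10DD971B3B}: NameServer = 142.161.130.154 142.161.2.154
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINNT\system32\jksahfo93wjfkd.dll (file missing)
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINNT\dhcp\svchost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""


def looks_random(name):
    """Heuristic (my own, not HJT's): long name mixing letters and digits with few vowels."""
    letters = [c for c in name if c.isalpha()]
    digits = [c for c in name if c.isdigit()]
    if len(name) < 8 or not letters or not digits:
        return False
    vowels = sum(1 for c in letters if c.lower() in "aeiou")
    return vowels / len(letters) < 0.3


def check_path(path):
    """Checks on a single executable path; comparison is case-insensitive."""
    low = path.lower().strip('"')
    folder, _, name = low.rpartition("\\")
    reasons = []
    if "\\temp\\" in low:
        reasons.append(R_TEMP)
    if name == "svchost.exe" and not folder.endswith("\\system32"):
        reasons.append(R_SVCHOST)
    return reasons


def triage(log_text):
    """Return a list of (reason, line) pairs for lines that deserve a closer look."""
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the "Running processes:" block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        # In the process block the whole line is a path; elsewhere extract paths.
        paths = [line] if in_procs else PATH_RE.findall(line)
        for path in paths:
            findings.extend((r, line) for r in check_path(path))
        if in_procs:
            continue
        if "(file missing)" in line:
            findings.append((R_MISSING, line))
        if line.startswith("O4 ") and "[] " in line:
            findings.append((R_NONAME, line))
        if line.startswith("O23 ") and "Unknown owner" in line:
            findings.append((R_NOOWNER, line))
        if line.startswith("O17 ") and "NameServer" in line:
            findings.append((R_DNS, line))
        m = re.match(r"O22 - SharedTaskScheduler: (\S+) -", line)
        if m and looks_random(m.group(1)):
            findings.append((R_RANDOM, line))
    return findings


def summarize(log_text):
    """Count findings per reason, to see at a glance how 'heavy' a log is."""
    return Counter(reason for reason, _ in triage(log_text))


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
    print(summarize(SAMPLE_LOG))
```

On the sample the script flags twelve lines, four of them for svchost.exe living somewhere other than system32, which is exactly the pattern a helper picks out by eye; the O17 rule only asks that the nameservers be compared with the ISP's published ones, since the thread itself raises the possibility of the network path being altered to point at hostile sites.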


My computer got so slow and I needed to print out some documents, so I cleaned it up as much as I could using SpyBot and Malwarebytes Anti-Malware. They both say it is clean, so I am not using the internet on that computer because I know it will get infected if I do.

Are the other computers also W2K machines ?

No, they are both XP, one SP3, the other SP2 (SP2 is extremely slow at login, about 5 min until the user desktop image shows). I cleaned them both but I have a feeling they will both get infected when they connect to the internet.

I won't be able to give you a fresh HJT log till tomorrow.

I can get the log and post it on the infected computer, but I'll have to clean it again.
 
Do you have a Router ?
If so, it's possible that the router has been altered to send you to the infected sites.

Reset your Router

Make sure you have any information you need for reconnection before you continue (you may need settings from your Internet Service Provider).

You need to reset your router to its factory default settings.
Whilst your router is switched on, press the reset button (it may be a small hole that requires a pin).
When the router has finished its reset, the first thing you need to do is set the password protection on it.
(This will help prevent this problem happening again.)

Please post the SDFix and Combofix logs rather than a fresh HJT log.
 
Do you have a Router ?
If so, it's possible that the router has been altered to send you to the infected sites.
I have dial-up. All I have to do is connect to the internet, without opening a browser, and the viruses just come in.
Reset your Router
Um, I don't think I have a router. All I know is that I hook up the phone line into the back of the computer. It might be a modem. I use a phone cable and not a LAN (Ethernet?) cable.
Please post the SDFix and Combofix logs rather than a fresh HJT log.
Yesterday I got a fresh HJT log and it is a lot different than the one I gave you. So should I just do the SDFix and ComboFix scans anyway?
 
Um, before I run ComboFix, the tutorial says to install the Recovery Console. Is there one for W2K, or should ComboFix get it for me? If I let ComboFix get it for me I have to connect, and then the viruses will just come in (assuming they will). Should I just do it anyway? (Sorry for asking to run twice, I just want to make sure my computer won't get wrecked.)
 
Sorry for asking to run twice, I just want to make sure my computer won't get wrecked

That's fine, I would rather you ask if you aren't sure about something :)

There isn't a Recovery Console download for W2K,
it is assumed that anyone with a W2K machine has the original install disc.
 
SDFix log

it is assumed that anyone with a W2K machine has the original install disc.
Uh oh, I can't find the install disc. It is important to have it for this, right? Well, I'll look for the disc again and try to find it.

I already went ahead and ran the SDFix so here is the log.


SDFix: Version 1.240
Run by Administrator on Thu 04/30/2009 at 10:40p

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINNT\system32\20.tmp - Deleted
C:\WINNT\system32\23.tmp - Deleted
C:\WINNT\system32\16.tmp - Deleted
C:\WINNT\system32\10.tmp - Deleted
C:\WINNT\system32\19.tmp - Deleted
C:\WINNT\system32\TFTP1400 - Deleted
C:\WINNT\system32\TFTP1556 - Deleted
C:\WINNT\system32\TFTP432 - Deleted
C:\WINNT\system32\TFTP480 - Deleted
C:\WINNT\system32\TFTP1856 - Deleted
C:\WINNT\system32\TFTP1020 - Deleted
C:\WINNT\system32\TFTP1340 - Deleted
C:\WINNT\system32\TFTP1896 - Deleted



Folder C:\WINNT\system32\286858 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 22:47:05
Windows 5.0.2195 Service Pack 4 FAT NTAPI

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 9 Mar 2007 27,648 ..SH. --- "C:\WINNT\system32\AVSredirect.dll"
Fri 24 Apr 2009 2,413 ...H. --- "C:\WINNT\system32\mmsg32.DLL"
Fri 24 Apr 2009 0 ...H. --- "C:\WINNT\system32\ms2chk.DLL"
Fri 24 Apr 2009 3,979 ...H. --- "C:\WINNT\system32\mspnd.DLL"
Fri 24 Apr 2009 4,394 ...H. --- "C:\WINNT\system32\msdone.DLL"
Mon 26 Jan 2009 1,740,632 ..SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 ..SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 5 Mar 2009 2,279,424 ..SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 21 Mar 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 21 Mar 2007 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"
Mon 2 Mar 2009 34,687,840 ...H. --- "C:\WINNT\SoftwareDistribution\Download\aea86f697630fd3ef941f71c2127cfcf\BIT57B.tmp"
Thu 2 Feb 2006 488,448 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2578.tmp"

Finished!
 
And A Fresh HJT log

I needed to reinstall a printer (I needed it) because of the virus. Thought you should know.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:04 PM, on 4/30/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\tcpsvcs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\wfxsnt40.exe
H:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINNT\system32\mrtMngr.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\4qfm61yd.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\4qfm61yd.slt\prefs.js)
O2 - BHO: C:\WINNT\system32\jksahfo93wjfkd.dll - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINNT\system32\jksahfo93wjfkd.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe Pro 6\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zzzHPSETUP] I:\Setup.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QAGENT] H:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINNT\TEMP\1256108730.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: PGPtray.lnk = G:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYCA
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .php: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1217109214875
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINNT\system32\jksahfo93wjfkd.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINNT\system32\PGPsdkServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINNT\system32\WFXSVC.EXE

--
End of file - 6885 bytes
 
Uh oh, I can't find the install disc. It is important to have it for this, right?

It's only important if things don't go as planned.
At the last count, there are problems in about 1 out of approx. 2 million runs of Combofix.

I would still like to see a Combofix log, but if you would rather not then we can try something else.

How are things running after using SDFix ?
 
Uh oh

I found the W2K installation disc and ran ComboFix, but I got an error message and I think ComboFix deleted itself.

I followed the instructions on the message but the same error came up again.
 
That's not good.

That message usually only appears if you have a file infector on your machine.
We need to confirm the situation before proceeding.

Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal
Copy/paste the following file path into the window

C:\WINNT\System32\smss.exe

Click Submit/Send File

Please do the same for the following files

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\taskmgr.exe


If Virustotal is too busy please try Jotti

You don't need to post any that don't show infection, and if they all show the same one then just post one report
 
OK, I did a scan of the listed items. There is a problem: svchost.exe and taskmgr.exe will not scan on both scanners. taskmgr was scanned for a little while and then stopped at the second scanner. Panda said that taskmgr was a suspicious file. As for svchost, it just wouldn't scan.
 
Upload a File
Download suspicious file packer from here

Unzip it to the desktop, open it and paste in the list of files below, press Next and it will create an archive (zip/cab file) on the desktop

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\taskmgr.exe


Go to spykiller

Please start a new thread Titled File/s for Katana and give the following information
  • Name:-- Your name
  • Subject:-- File for Katana
In the main text window please put the following link
Code:
http://forums.spybot.info/showthread.php?p=309444#post309444
you may also add any comments you wish
then press attach and upload the zip/cab file that was created.

Files can be uploaded by anybody but not downloaded at all except for those users that have been given special permissions.
You DO NOT need to be a member to upload, anybody can upload the files


You can now delete SFP (exe and Zip) along with the .cab file that was created





Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.



Please Download GMER to your desktop

Download GMER and extract it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason until it has 100% completed its scan, or attempted scan in case of some error etc.!

Please post the results from the GMER scan in your reply.
 
Sorry

Well, that was a silly question; I could have thought a little more about what was asked.
Files are being uploaded
 
I had to re-run RSIT because it stopped responding.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-05-02 20:49:06
Microsoft Windows 2000 Professional Service Pack 4
System drive C: has 8 GB (45%) free of 18 GB
Total RAM: 254 MB (2% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:08 PM, on 5/2/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\tcpsvcs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\wfxsnt40.exe
H:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\WINNT\system32\mrtMngr.EXE
G:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\taskmgr.exe
L:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\A.tmp
C:\WINNT\System32\reader_s.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\4qfm61yd.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\4qfm61yd.slt\prefs.js)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe Pro 6\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zzzHPSETUP] I:\Setup.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QAGENT] H:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINNT\TEMP\1256108730.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: PGPtray.lnk = G:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYCA
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .php: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1217109214875
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AE7F335-2004-46AE-BB36-3D10DD971B3B}: NameServer = 142.161.130.154 142.161.2.154
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINNT\system32\jksahfo93wjfkd.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINNT\system32\PGPsdkServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINNT\system32\WFXSVC.EXE

--
End of file - 7438 bytes

======Scheduled tasks folder======

C:\WINNT\tasks\Spybot - Search & Destroy - Scheduled Task.job
C:\WINNT\tasks\Ad-Aware Update (Weekly).job
C:\WINNT\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1178916134.job
C:\WINNT\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - D:\Program Files\Adobe Pro 6\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=mobsync.exe /logon []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-04-27 303104]
"zzzHPSETUP"=I:\Setup.exe []
"IgfxTray"=C:\WINNT\s [2009-03-14 146]
"HotKeysCmds"=C:\WINNT\s [2009-03-14 146]
"WinFaxAppPortStarter"=C:\WINNT\system32\wfxsnt40.exe [2000-02-14 43008]
"QAGENT"=H:\Program Files\QUICKENW\QAGENT.EXE [2001-08-01 114688]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2279424]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDBitSet]
C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDTray]
C:\Program Files\HP DVD\Umbrella\DVDTray.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINNT\s [2009-03-14 146]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hpppta]
D:\Program Files\HP Scanner\PrecisionScan\hpppta.exe /ICON []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINNT\s [2009-03-14 146]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Net-It Launcher]
C:\WINNT\s [2009-03-14 146]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
C:\WINNT\s [2009-03-14 146]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
D:\Program Files\WordPerfect11\Programs\QFSCHD110.EXE [2003-02-25 98367]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SymTray - Norton SystemWorks]
C:\Program Files\Common Files\Symantec Shared\Symtray.exe [2002-08-29 106576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
mobsync.exe /logon []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIUCU]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
C:\WINNT\system32\wfxsnt40.exe [2000-02-14 43008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Acrobat Assistant.lnk - D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
Controller.LNK - C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
PGPtray.lnk - G:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINNT\system32\igfxsrvc.dll [2005-10-19 348160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nwprovau]
C:\WINNT\system32\nwprovau.dll [2006-08-31 140048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINNT\s [2009-03-14 146]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"=C:\Program Files\Symantec\WinFax\WfxSeh32.Dll [1998-07-27 38400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Documents and Settings\Administrator\Local Settings\Application Data\zchMiB.exe"="C:\Documents and Settings\Administrator\Local Settings\Application Data\zchMiB.exe:*:Enabled:Windows Time Synchronization"
"C:\Documents and Settings\Administrator\Local Settings\Application Data\websvr.exe"="C:\Documents and Settings\Administrator\Local Settings\Application Data\websvr.exe:*:Enabled:WinSvrHost32"
"C:\WINNT\system32\3361\svchost.exe"="C:\WINNT\system32\3361\svchost.exe:*:Enabled:SVCHOST.EXE"
"\??\C:\WINNT\system32\winlogon.exe"="\??\C:\WINNT\system32\winlogon.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2009-05-02 20:16:53 ----D---- C:\rsit
2009-05-02 19:42:21 ----A---- C:\WINNT\system32\B.tmp
2009-05-01 16:48:43 ----D---- C:\Qoobox
2009-05-01 16:48:38 ----A---- C:\Bug.txt
2009-04-30 22:32:05 ----D---- C:\WINNT\ERUNT
2009-04-30 22:21:17 ----D---- C:\SDFix
2009-04-26 13:00:57 ----A---- C:\WINNT\IE4 Error Log.txt
2009-04-25 14:51:46 ----D---- C:\Program Files\Trend Micro
2009-04-22 22:06:01 ----D---- C:\WINNT\system32\DRVSTORE
2009-04-19 18:48:02 ----A---- C:\dndi.txt
2009-04-19 17:01:59 ----A---- C:\WINNT\ntbtlog.txt
2009-04-16 19:40:51 ----D---- C:\Documents and Settings\Administrator\Application Data\BitTorrent
2009-04-14 21:37:54 ----N---- C:\WINNT\system32\tcpd.exe
2009-04-14 21:37:54 ----N---- C:\WINNT\system32\AUTMGR.EXE
2009-04-14 21:37:51 ----N---- C:\WINNT\system32\kernel32_check.dll
2009-04-14 21:37:50 ----N---- C:\WINNT\system32\tcpcon.dll
2009-04-14 21:37:50 ----N---- C:\WINNT\system32\Packer.dll
2009-04-14 21:37:50 ----N---- C:\WINNT\system32\iphy.dll
2009-04-14 21:37:50 ----N---- C:\WINNT\system32\fiplock.dll
2009-04-14 21:37:50 ----N---- C:\WINNT\system32\fhpatch.dll
2009-04-14 21:35:49 ----D---- C:\WINNT\system32\3361
2009-04-14 20:33:49 ----N---- C:\WINNT\system32\unrar.dll
2009-04-14 20:33:47 ----N---- C:\WINNT\system32\yv12vfw.dll
2009-04-14 20:33:47 ----N---- C:\WINNT\system32\xvidvfw.dll
2009-04-14 20:33:47 ----N---- C:\WINNT\system32\vp7vfw.dll
2009-04-14 20:33:47 ----N---- C:\WINNT\system32\vp6vfw.dll
2009-04-14 20:33:47 ----N---- C:\WINNT\system32\huffyuv.dll
2009-04-14 20:33:46 ----N---- C:\WINNT\system32\qt-dx331.dll
2009-04-14 20:33:46 ----N---- C:\WINNT\system32\dpl100.dll
2009-04-14 20:33:44 ----N---- C:\WINNT\system32\ff_vfw.dll
2009-04-14 20:33:42 ----N---- C:\WINNT\system32\pthreadGC2.dll
2009-04-14 20:33:41 ----D---- C:\Program Files\K-Lite Codec Pack
2009-04-05 21:28:42 ----HD---- C:\WINNT\$NtUninstallKB967715$
2009-04-05 21:24:56 ----HD---- C:\WINNT\$NtUninstallKB960225$
2009-04-05 21:03:06 ----HD---- C:\WINNT\$NtUninstallKB958690$
2009-04-05 20:01:47 ----N---- C:\WINNT\system32\javaws.exe
2009-04-05 20:01:47 ----N---- C:\WINNT\system32\javaw.exe
2009-04-05 20:01:47 ----N---- C:\WINNT\system32\java.exe
2009-04-04 16:20:40 ----N---- C:\WINNT\system32\wbhelp2.dll

======List of files/folders modified in the last 1 months======

2009-05-02 19:23:36 ----A---- C:\WINNT\win.ini
2009-05-02 19:19:58 ----A---- C:\WINNT\ModemLog_Generic - HCF PCI Modem.txt
2009-05-02 18:59:16 ----A---- C:\WINNT\SchedLgU.Txt
2009-04-27 17:58:56 ----A---- C:\WINNT\SYSTEM.INI
2009-04-21 23:03:32 ----A---- C:\WINNT\wininit.ini
2009-04-16 19:28:28 ----A---- C:\WINNT\system32\dfrg.msc
2009-04-14 21:37:52 ----A---- C:\WINNT\system32\kernel32.dll
2009-04-14 21:36:06 ----N---- C:\WINNT\OEWABLog.txt
2009-04-05 21:25:08 ----N---- C:\WINNT\imsins.BAK
2009-04-05 21:14:50 ----N---- C:\WINNT\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINNT\s [2009-03-14 146]
R1 Aspi32;Aspi32; C:\WINNT\s [2009-03-14 146]
R1 Cdr4_2K;Cdr4_2K; C:\WINNT\s [2009-03-14 146]
R1 Cdralw2k;Cdralw2k; C:\WINNT\s [2009-03-14 146]
R1 cdudf;cdudf; C:\WINNT\s [2009-03-14 146]
R1 ifdcacf;ifdcacf; C:\WINNT\S [2009-03-14 146]
R1 OMCI;OMCI; C:\WINNT\S [2009-03-14 146]
R1 PQNTDrv;PQNTDrv; C:\WINNT\s [2009-03-14 146]
R1 pwd_2K;pwd_2K; C:\WINNT\s [2009-03-14 146]
R1 UdfReadr;UdfReadr; C:\WINNT\s [2009-03-14 146]
R2 BrPar;BrPar; C:\WINNT\S [2009-03-14 146]
R2 hidusb;Microsoft HID Class Driver; C:\WINNT\S [2009-03-14 146]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.6; C:\WINNT\s [2009-03-14 146]
R2 mdmxsdk;mdmxsdk; C:\WINNT\s [2009-03-14 146]
R2 mrtRate;mrtRate; C:\WINNT\s [2009-03-14 146]
R2 Nbf;NetBEUI Protocol; C:\WINNT\S [2009-03-14 146]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINNT\S [2009-03-14 146]
R2 NwlnkNb;NWLink NetBIOS; C:\WINNT\S [2009-03-14 146]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINNT\S [2009-03-14 146]
R2 PfModNT;PfModNT; \??\C:\WINNT\system32\drivers\PfModNT.sys []
R2 PGPdisk;PGPdisk; C:\WINNT\s [2009-03-14 146]
R2 PGPsdkDriver;PGPsdkDriver; C:\WINNT\S [2009-03-14 146]
R3 aeaudio;aeaudio; C:\WINNT\s [2009-03-14 146]
R3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
R3 GEARAspiWDM;GEARAspiWDM; C:\WINNT\S [2009-03-14 146]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINNT\s [2009-03-14 146]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINNT\s [2009-03-14 146]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINNT\s [2009-03-14 146]
R3 ialm;ialm; C:\WINNT\s [2009-03-14 146]
R3 mmc_2K;mmc_2K; C:\WINNT\s [2009-03-14 146]
R3 mouhid;Mouse HID Driver; C:\WINNT\S [2009-03-14 146]
R3 NPDriver;Norton Unerase Protection Driver; \??\C:\WINNT\system32\Drivers\NPDRIVER.SYS []
R3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver; C:\WINNT\s [2009-03-14 146]
R3 NWRDR;NetWare Rdr; C:\WINNT\S [2009-03-14 146]
R3 pfc;Padus ASPI Shell; C:\WINNT\s [2009-03-14 146]
R3 PSched;QoS Packet Scheduler; C:\WINNT\S [2009-03-14 146]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINNT\S [2009-03-14 146]
R3 smwdm;smwdm; C:\WINNT\s [2009-03-14 146]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\S [2009-03-14 146]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINNT\s [2009-03-14 146]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINNT\S [2009-03-14 146]
R3 usbhub20;USB 2.0 Root Hub Support; C:\WINNT\S [2009-03-14 146]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\S [2009-03-14 146]
R3 usbscan;USB Scanner Driver; C:\WINNT\S [2009-03-14 146]
R3 USBSTOR;USB Mass Storage Driver; C:\WINNT\S [2009-03-14 146]
R3 vitra;vitra; C:\WINNT\S [2009-03-14 146]
R3 Winachcf;Winachcf; C:\WINNT\s [2009-03-14 146]
S1 btq4e2d;btq4e2d; C:\WINNT\S [2009-03-14 146]
S1 khf1ef1;khf1ef1; C:\WINNT\S [2009-03-14 146]
S1 mjh72ef;mjh72ef; C:\WINNT\S [2009-03-14 146]
S1 oljf514;oljf514; C:\WINNT\S [2009-03-14 146]
S1 qol051c;qol051c; C:\WINNT\S [2009-03-14 146]
S1 rom4d24;rom4d24; C:\WINNT\S [2009-03-14 146]
S1 romaa7b;romaa7b; C:\WINNT\S [2009-03-14 146]
S1 spn31b9;spn31b9; C:\WINNT\S [2009-03-14 146]
S1 sqn2e9a;sqn2e9a; C:\WINNT\S [2009-03-14 146]
S1 sqn5992;sqn5992; C:\WINNT\S [2009-03-14 146]
S2 SecDrv;SecDrv; \??\C:\WINNT\system32\drivers\SECDRV.SYS []
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINNT\s [2009-03-14 146]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINNT\s [2009-03-14 146]
S3 bcm4sbe5;Broadcom 440x 10/100 Integrated Controller Driver; C:\WINNT\s [2009-03-14 146]
S3 CCDECODE;Closed Caption Decoder; C:\WINNT\s [2009-03-14 146]
S3 dvd_2K;dvd_2K; C:\WINNT\s [2009-03-14 146]
S3 ENIMSR;ENIMSR; \??\C:\PROGRA~1\MTS\ENTERN~1\app\ENIMSR.SYS []
S3 FETNDISB;D-Link DFE-530TX PCI Fast Ethernet Adapter Driver Service; C:\WINNT\s [2009-03-14 146]
S3 MPE;BDA MPE Filter; C:\WINNT\s [2009-03-14 146]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\s [2009-03-14 146]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\s [2009-03-14 146]
S3 NTSTAP1;NTSTAP1; \??\C:\PROGRA~1\MTS\ENTERN~1\app\NTSTAP1.SYS []
S3 NTSTAP2;NTSTAP2; \??\C:\PROGRA~1\MTS\ENTERN~1\app\NTSTAP2.SYS []
S3 RAWESR;RAWESR; \??\C:\PROGRA~1\MTS\ENTERN~1\app\RAWESR.SYS []
S3 restore;restore; \??\C:\WINNT\system32\drivers\restore.sys []
S3 SDdriver;SDdriver; \??\C:\WINNT\system32\Drivers\sddriver.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINNT\s [2009-03-14 146]
S3 streamip;BDA IPSink; C:\WINNT\s [2009-03-14 146]
S3 TAPBIND;TAPBIND; \??\C:\PROGRA~1\MTS\ENTERN~1\app\TAPBIND1.SYS []
S3 UIUSys;Conexant Setup API; C:\WINNT\s [2009-03-14 146]
S3 Winacpci;Winacpci; C:\WINNT\S [2009-03-14 146]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\s [2009-03-14 146]
S4 IntelIde;IntelIde; C:\WINNT\s [2009-03-14 146]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 NProtectService;Norton Unerase Protection; C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [2002-08-14 155648]
R2 NwSapAgent;SAP Agent; C:\WINNT\S [2009-03-14 146]
R2 PPPoEService;PPPoE Service; C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe [2000-07-11 69632]
R2 SimpTcp;Simple TCP/IP Services; C:\WINNT\S [2009-03-14 146]
R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968]
R2 StiSvc;Still Image Service; C:\WINNT\s [2009-03-14 146]
R2 wfxsvc;WinFax PRO; C:\WINNT\s [2009-03-14 146]
S2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-05-15 100032]
S2 Irmon;Irmon; C:\WINNT\S [2009-03-14 146]
S2 LexBceS;LexBce Server; C:\WINNT\s [2009-03-14 146]
S2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
S2 NWCWorkstation;Client Service for NetWare; C:\WINNT\S [2009-03-14 146]
S2 PGPsdkServ;PGPsdkService; C:\WINNT\s [2009-03-14 146]
S2 Speed Disk service;Speed Disk service; C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe [2002-08-14 192545]
S3 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-07-27 501048]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-05-15 2086592]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINNT\s [2009-03-14 146]
S3 WmdmPmSN;Portable Media Serial Number Service; C:\WINNT\S [2009-03-14 146]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408]

-----------------EOF-----------------

  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
info.txt was not minimized or opened.
 
I have a few other drives (partitions); should I scan those too?
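The HijackThis and RSIT entries above are the kind of thing a helper scans by eye: autostarts launched from TEMP or a user profile, a "svchost.exe" living in a numbered subfolder of system32, a SharedTaskScheduler entry whose DLL is missing, and firewall exceptions for binaries that legitimate software never registers. The script below is an added example, not code from the thread or from either tool; it applies those heuristics to a constructed sample modelled on the entry formats above. The expected system directories, the "never needs an inbound exception" list and the suspect drop locations are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows 2000 keeps its system root at C:\WINNT; this and the tables below are
# assumptions made for the example, not data taken from HijackThis or RSIT.
SYSTEM_ROOT = r"c:\winnt"

# Where each well-known system binary must live. A copy anywhere else (for example
# a numbered subfolder of system32) is a lookalike, not the real binary.
EXPECTED_DIR = {
    "svchost.exe": SYSTEM_ROOT + r"\system32",
    "winlogon.exe": SYSTEM_ROOT + r"\system32",
    "services.exe": SYSTEM_ROOT + r"\system32",
    "lsass.exe": SYSTEM_ROOT + r"\system32",
    "explorer.exe": SYSTEM_ROOT,
}

# Core logon binaries never need an inbound firewall exception of their own.
NO_INBOUND = {"winlogon.exe", "services.exe", "lsass.exe"}

# Drop locations from which a legitimate autostart almost never runs.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\application data\\")

O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
O22_RE = re.compile(r"^O22 - SharedTaskScheduler: .* - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")
FW_RE = re.compile(r'^"(?P<path>[^"]+)"="(?P<rule>[^"]+)"$')


@dataclass
class Finding:
    line: str
    reason: str


def extract_exe(target: str) -> str:
    """Pull the executable or DLL path out of a HijackThis O4/O22 target string."""
    target = re.sub(r" \(User '[^']*'\)$", "", target)  # drop the HKUS user suffix
    if target.startswith('"'):
        return target[1:target.index('"', 1)]  # quoted path, arguments follow the quote
    m = re.match(r".*?\.(?:exe|dll)", target, re.IGNORECASE)
    return m.group(0) if m else target.split(" ")[0]


def suspicious_path(path: str) -> Optional[str]:
    """Explain why a path looks like a malware drop location, or return None."""
    low = path.lower()
    if low.startswith("\\??\\"):  # NT object-manager prefix seen in some firewall entries
        low = low[4:]
    for d in SUSPECT_DIRS:
        if d in low:
            return "runs from " + d.strip("\\")
    directory, _, name = low.rpartition("\\")
    expected = EXPECTED_DIR.get(name)
    if expected and directory != expected:
        return f"{name} outside {expected}"
    # an .exe sitting directly in a profile root, e.g. ...\Administrator\reader_s.exe
    if re.search(r"\\documents and settings\\[^\\]+\\[^\\]+\.exe$", low):
        return "executable dropped in a profile root"
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan HijackThis/RSIT-style lines and return the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line) or O22_RE.match(line)
        if m:
            target = m.group("target")
            if "(file missing)" in target:
                findings.append(Finding(line, "autostart points at a missing file"))
                continue
            reason = suspicious_path(extract_exe(target))
            if reason:
                findings.append(Finding(line, "autostart " + reason))
            continue
        m = FW_RE.match(line)
        if m:
            # the rule value is "<path>:*:Enabled:<display name>"; the path has its own colon
            rule_path = m.group("rule").rsplit(":", 3)[0]
            name = rule_path.rpartition("\\")[2].lower()
            if name in NO_INBOUND:
                findings.append(Finding(line, f"firewall exception for {name}, which never needs one"))
                continue
            reason = suspicious_path(rule_path)
            if reason:
                findings.append(Finding(line, "firewall exception " + reason))
    return findings


# Constructed sample, modelled on the entry formats in the HijackThis and RSIT logs.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe (User 'Default user')
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINNT\system32\jksahfo93wjfkd.dll (file missing)
"C:\Documents and Settings\Administrator\Local Settings\Application Data\websvr.exe"="C:\Documents and Settings\Administrator\Local Settings\Application Data\websvr.exe:*:Enabled:WinSvrHost32"
"C:\WINNT\system32\3361\svchost.exe"="C:\WINNT\system32\3361\svchost.exe:*:Enabled:SVCHOST.EXE"
"\??\C:\WINNT\system32\winlogon.exe"="\??\C:\WINNT\system32\winlogon.exe:*:enabled:@shell32.dll,-1"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:60s} {f.line}")
```

Two of the three legitimate-looking lines in the sample (the bare `mobsync.exe` and the quoted Java updater) pass untouched; everything the rules flag is a path or a rule shape rather than a file name, so a renamed dropper is still caught. The winlogon rule is deliberate: winlogon.exe has no reason to hold an inbound firewall exception, and an entry for it usually means another process wrote it on winlogon's behalf.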

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-02 22:06:33
Windows 5.0.2195 Service Pack 4


---- Kernel code sections - GMER 1.0.15 ----

.text ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4

---- User code sections - GMER 1.0.15 ----

.text C:\WINNT\system32\winlogon.exe[224] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\winlogon.exe[224] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\winlogon.exe[224] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\winlogon.exe[224] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\system32\services.exe[256] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FF84493
.text C:\WINNT\system32\services.exe[256] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FF84522
.text C:\WINNT\system32\services.exe[256] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FF84518
.text C:\WINNT\system32\services.exe[256] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FF84570
.text C:\WINNT\system32\lsass.exe[268] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\lsass.exe[268] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\lsass.exe[268] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\lsass.exe[268] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Java\jre6\bin\jqs.exe[524] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Java\jre6\bin\jqs.exe[524] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Java\jre6\bin\jqs.exe[524] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Java\jre6\bin\jqs.exe[524] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE[652] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE[652] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE[652] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE[652] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\System32\svchost.exe[704] C:\WINNT\System32\svchost.exe section is writeable [0x01001000, 0x14A8, 0xE0000060]
.rsrc C:\WINNT\System32\svchost.exe[704] C:\WINNT\System32\svchost.exe section is executable [0x01004000, 0x6400, 0xE0000040]
.text C:\WINNT\System32\svchost.exe[704] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\System32\svchost.exe[704] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\System32\svchost.exe[704] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\System32\svchost.exe[704] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe[724] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe[724] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe[724] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe[724] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\system32\regsvc.exe[768] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\regsvc.exe[768] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\regsvc.exe[768] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\regsvc.exe[768] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\System32\tcpsvcs.exe[788] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\System32\tcpsvcs.exe[788] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\System32\tcpsvcs.exe[788] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\System32\tcpsvcs.exe[788] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[804] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[804] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[804] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[804] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\system32\stisvc.exe[816] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\stisvc.exe[816] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\stisvc.exe[816] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\stisvc.exe[816] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\system32\WFXSVC.EXE[852] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\WFXSVC.EXE[852] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\WFXSVC.EXE[852] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\WFXSVC.EXE[852] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\WINNT\Explorer.EXE[960] Explorer.EXE 00408199 5 Bytes [FF, 15, 70, 11, 40]
.text C:\WINNT\Explorer.EXE[960] C:\WINNT\Explorer.EXE section is writeable [0x00401000, 0x19546, 0xE0000060]
.reloc C:\WINNT\Explorer.EXE[960] C:\WINNT\Explorer.EXE section is executable [0x0043C000, 0x8000, 0xE2000040]
.text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\WINNT\Explorer.EXE[960] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
.text C:\WINNT\Explorer.EXE[960] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
.text C:\WINNT\Explorer.EXE[960] WS2_32.DLL!WSARecv 7503138E 5 Bytes CALL 7FFA574C
.text C:\WINNT\Explorer.EXE[960] WS2_32.DLL!WSASend 75031525 5 Bytes CALL 7FFA5650
.text C:\WINNT\Explorer.EXE[960] WS2_32.DLL!send 75031BCC 5 Bytes JMP 7FFA57EC
.text C:\WINNT\system32\svchost.exe[1032] C:\WINNT\system32\svchost.exe section is writeable [0x01001000, 0x14A8, 0xE0000060]
.rsrc C:\WINNT\system32\svchost.exe[1032] C:\WINNT\system32\svchost.exe section is executable [0x01004000, 0x6400, 0xE0000040]
.text C:\WINNT\system32\svchost.exe[1032] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\svchost.exe[1032] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\svchost.exe[1032] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\svchost.exe[1032] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] WS2_32.DLL!WSARecv 7503138E 5 Bytes CALL 7FFA574C
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] WS2_32.DLL!WSASend 75031525 5 Bytes CALL 7FFA5650
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] WS2_32.DLL!send 75031BCC 5 Bytes JMP 7FFA57EC
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\WINNT\system32\hkcmd.exe[1188] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
.text C:\WINNT\system32\hkcmd.exe[1188] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
.text C:\WINNT\system32\hkcmd.exe[1188] WS2_32.DLL!WSARecv 7503138E 5 Bytes CALL 7FFA574C
.text C:\WINNT\system32\hkcmd.exe[1188] WS2_32.DLL!WSASend 75031525 5 Bytes CALL 7FFA5650
.text C:\WINNT\system32\hkcmd.exe[1188] WS2_32.DLL!send 75031BCC 5 Bytes JMP 7FFA57EC
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\WINNT\system32\VT100.EXE[1224] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
.text C:\WINNT\system32\VT100.EXE[1224] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
.text C:\WINNT\system32\VT100.EXE[1224] WS2_32.DLL!WSARecv 7503138E 5 Bytes CALL 7FFA574C
.text C:\WINNT\system32\VT100.EXE[1224] WS2_32.DLL!WSASend 75031525 5 Bytes CALL 7FFA5650
.text C:\WINNT\system32\VT100.EXE[1224] WS2_32.DLL!send 75031BCC 5 Bytes JMP 7FFA57EC
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] WS2_32.DLL!WSARecv 7503138E 5 Bytes CALL 7FFA574C
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] WS2_32.DLL!WSASend 75031525 5 Bytes CALL 7FFA5650
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] WS2_32.DLL!send 75031BCC 5 Bytes JMP 7FFA57EC
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] WS2_32.DLL!WSARecv 7503138E 5 Bytes CALL 7FFA574C
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] WS2_32.DLL!WSASend 75031525 5 Bytes CALL 7FFA5650
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] WS2_32.DLL!send 75031BCC 5 Bytes JMP 7FFA57EC
.text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\WINNT\system32\mrtMngr.EXE[1420] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
.text C:\WINNT\system32\mrtMngr.EXE[1420] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
.text C:\WINNT\system32\mrtMngr.EXE[1420] WS2_32.dll!WSARecv 7503138E 5 Bytes CALL 7FFA574C
.text C:\WINNT\system32\mrtMngr.EXE[1420] WS2_32.dll!WSASend 75031525 5 Bytes CALL 7FFA5650
.text C:\WINNT\system32\mrtMngr.EXE[1420] WS2_32.dll!send 75031BCC 5 Bytes JMP 7FFA57EC

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 PGPsdk.sys (PGP Software Development Kit NT Driver/PGP Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [8:160] 8156A470

---- Processes - GMER 1.0.15 ----

Process C:\WINNT\system32\VT100.EXE (*** hidden *** ) 1224
Library C:\WINNT\system32\VT100.EXE (*** hidden *** ) @ C:\WINNT\system32\VT100.EXE [1224] 0x00400000

---- Files - GMER 1.0.15 ----

File C:\WINNT\system32\VT100.EXE
File C:\WINNT\system32\mmsg32.DLL
File C:\WINNT\system32\ms2chk.DLL
File C:\WINNT\system32\mspnd.DLL
File C:\WINNT\system32\msdone.DLL
File C:\Documents and Settings\Administrator\Local Settings\Temp\mmsg32.DLL
File C:\Documents and Settings\Administrator\Local Settings\Temp\ms2chk.DLL
File C:\Documents and Settings\Administrator\Local Settings\Temp\mspnd.DLL
File C:\Documents and Settings\Administrator\Local Settings\Temp\msdone.DLL

---- EOF - GMER 1.0.15 ----