
Thread: Please Help, Can't get clean!

  1. #11
    Security Expert-Emeritus (Manchester UK; joined Oct 2006; 3,425 posts)


    Quote Originally Posted by Bithpq:
        Uh oh, I can't find the install disc. It is important to have it for this, right?
    It's only important if things don't go as planned.
    At the last count, there are problems in about 1 out of approximately 2 million runs of Combofix.

    I would still like to see a Combofix log, but if you would rather not then we can try something else.

    How are things running after using SDFix ?
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY

  2. #12
    Bithpq (Member; location 127.0.0.1; joined Dec 2008; 74 posts)


    Quote Originally Posted by katana:
        How are things running after using SDFix ?
    The computer is running very smoothly. I'll go ahead and run ComboFix; I backed everything up. So

  3. #13
    Bithpq (Member; location 127.0.0.1; joined Dec 2008; 74 posts)

    Uh oh

    I found the W2K installation disc and ran ComboFix, but I got an error message and ComboFix, I think, deleted itself.

    I followed the instructions on the message but the same error came up again.

  4. #14
    Security Expert-Emeritus (Manchester UK; joined Oct 2006; 3,425 posts)


    That's not good.

    That message usually only appears if you have a file infector on your machine.
    We need to confirm the situation before proceeding.

    Submit a File For Analysis
    We need to have the files below scanned by uploading them to VirusTotal.

    Please visit VirusTotal.
    Copy/paste the following file path into the window:

    C:\WINNT\System32\smss.exe

    Click Submit/Send File.

    Please do the same for the following files:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\taskmgr.exe


    If Virustotal is too busy please try Jotti

    You don't need to post any that don't show infection, and if they all show the same one then just post one report.
    Last edited by katana; 2009-05-03 at 01:51.
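As an added example (not part of the thread, and not a VirusTotal or Jotti tool), the Python script below computes the SHA-256 digest and size of the six files katana lists above. A digest identifies a file exactly: it can be searched for on a scanning service, compared with the same file on a known-clean machine, or quoted in a reply without uploading anything. Files that cannot be opened are reported instead of skipped, because an unreadable core binary is itself worth mentioning (the user reports two of these files "would not scan" later in the thread). The paths are the ones given in the post; the function names are my own.

```python
"""Compute SHA-256 digests of the system binaries named in the thread so each can be
identified, looked up by hash, or compared against a clean copy."""
import hashlib
import os

# The six files katana asked to have scanned. The system root on this
# Windows 2000 machine is C:\WINNT; adjust the list for another machine.
SUSPECT_FILES = [
    r"C:\WINNT\System32\smss.exe",
    r"C:\WINNT\system32\winlogon.exe",
    r"C:\WINNT\system32\services.exe",
    r"C:\WINNT\system32\lsass.exe",
    r"C:\WINNT\system32\svchost.exe",
    r"C:\WINNT\system32\taskmgr.exe",
]


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 in 1 MiB chunks so large binaries
    never have to be held in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_files(paths):
    """Return {path: {"sha256": ..., "size": ...}} for readable files and
    {path: {"error": ...}} for files that are missing or cannot be opened.
    An error is kept in the report rather than raised, so one locked or
    missing file does not stop the rest from being hashed."""
    report = {}
    for path in paths:
        try:
            report[path] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
        except OSError as exc:
            report[path] = {"error": f"{type(exc).__name__}: {exc}"}
    return report


if __name__ == "__main__":
    for path, info in hash_files(SUSPECT_FILES).items():
        if "error" in info:
            print(f"{path}: could not hash ({info['error']})")
        else:
            print(f"{path}: {info['size']} bytes  sha256={info['sha256']}")
```

Run it from an administrative prompt on the affected machine; each line of output is enough to identify the file to a scanning service or to another analyst, and a `could not hash` line for a file that should always be readable is itself a data point.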

  5. #15
    Bithpq (Member; location 127.0.0.1; joined Dec 2008; 74 posts)


    OK, I did a scan of the listed items. There is a problem: svchost.exe and taskmgr.exe will not scan on both scanners. taskmgr was scanned for a little while and then stopped at the second scanner. Panda said that taskmgr was a suspicious file. As for svchost, it just wouldn't scan.

  6. #16
    Security Expert-Emeritus (Manchester UK; joined Oct 2006; 3,425 posts)


    Upload a File
    Download suspicious file packer from here

    Unzip it to the desktop, open it & paste in the list of files below, press Next & it will create an archive (zip/cab file) on the desktop.

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\taskmgr.exe


    Go to spykiller.

    Please start a new thread titled "File/s for Katana" and give the following information:
    • Name:-- Your name
    • Subject:-- File for Katana

    In the main text window please put the following link:
    Code:
    http://forums.spybot.info/showthread.php?p=309444#post309444
    You may also add any comments you wish,
    then press Attach and upload the zip/cab file that was created.

    Files can be uploaded by anybody but not downloaded at all, except by those users that have been given special permissions.
    You DO NOT need to be a member to upload; anybody can upload the files.


    You can now delete SFP (exe and Zip) along with the .cab file that was created.

    Download and Run RSIT
    • Please download Random's System Information Tool by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open:
      • log.txt will be opened maximized.
      • info.txt will be opened minimized.
    • Please post the contents of both log.txt and info.txt.

    Please Download GMER to your desktop

    Download GMER and extract it to your desktop.

    ***Please close any open programs ***

    Double-click gmer.exe. The program will begin to run.

    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
    • Click Yes.
    • Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

    If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
    • Click the Scan button and let the program do its work. GMER will produce a log.
    • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.


    DO NOT touch the PC at ALL, for whatever reason, until it has 100% completed its scan (or attempted scan, in case of some error etc.)!

    Please post the results from the GMER scan in your reply.

  7. #17
    Bithpq (Member; location 127.0.0.1; joined Dec 2008; 74 posts)


    Quote Originally Posted by katana:
        • Name:-- Your name
        • Subject:-- File for Katana
    Ha um... Do I put for Name: Bithpq or Your name?

  8. #18
    Bithpq (Member; location 127.0.0.1; joined Dec 2008; 74 posts)

    Sorry

    Well, that was a silly question; I could have thought a little more about what was asked.
    Files are being uploaded.

  9. #19
    Bithpq (Member; location 127.0.0.1; joined Dec 2008; 74 posts)


    I had to re-run RSIT because it stopped responding.

    Logfile of random's system information tool 1.06 (written by random/random)
    Run by Administrator at 2009-05-02 20:49:06
    Microsoft Windows 2000 Professional Service Pack 4
    System drive C: has 8 GB (45%) free of 18 GB
    Total RAM: 254 MB (2% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:50:08 PM, on 5/2/2009
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\tcpsvcs.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\WFXSVC.EXE
    C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\hkcmd.exe
    C:\WINNT\system32\wfxsnt40.exe
    H:\Program Files\QUICKENW\QAGENT.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
    C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    C:\WINNT\system32\mrtMngr.EXE
    G:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\taskmgr.exe
    L:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\A.tmp
    C:\WINNT\System32\reader_s.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\cmd.exe
    C:\WINNT\system32\svchost.exe
    C:\Documents and Settings\Administrator\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Administrator.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\4qfm61yd.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\4qfm61yd.slt\prefs.js)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe Pro 6\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [zzzHPSETUP] I:\Setup.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [QAGENT] H:\Program Files\QUICKENW\QAGENT.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\.DEFAULT\..\Run: [] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINNT\TEMP\1256108730.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe (User 'Default user')
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
    O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    O4 - Global Startup: PGPtray.lnk = G:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    O8 - Extra context menu item: &Search - ?p=ZKxdm021YYCA
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
    O12 - Plugin for .php: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/pa.../GSManager.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1217109214875
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5AE7F335-2004-46AE-BB36-3D10DD971B3B}: NameServer = 142.161.130.154 142.161.2.154
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
    O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINNT\system32\jksahfo93wjfkd.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINNT\system32\PGPsdkServ.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
    O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINNT\system32\WFXSVC.EXE

    --
    End of file - 7438 bytes

    ======Scheduled tasks folder======

    C:\WINNT\tasks\Spybot - Search & Destroy - Scheduled Task.job
    C:\WINNT\tasks\Ad-Aware Update (Weekly).job
    C:\WINNT\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1178916134.job
    C:\WINNT\tasks\AppleSoftwareUpdate.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - D:\Program Files\Adobe Pro 6\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"=mobsync.exe /logon []
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-04-27 303104]
    "zzzHPSETUP"=I:\Setup.exe []
    "IgfxTray"=C:\WINNT\s [2009-03-14 146]
    "HotKeysCmds"=C:\WINNT\s [2009-03-14 146]
    "WinFaxAppPortStarter"=C:\WINNT\system32\wfxsnt40.exe [2000-02-14 43008]
    "QAGENT"=H:\Program Files\QUICKENW\QAGENT.EXE [2001-08-01 114688]
    "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2279424]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe []

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDBitSet]
    C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI []

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDTray]
    C:\Program Files\HP DVD\Umbrella\DVDTray.exe []

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINNT\s [2009-03-14 146]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hpppta]
    D:\Program Files\HP Scanner\PrecisionScan\hpppta.exe /ICON []

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINNT\s [2009-03-14 146]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Net-It Launcher]
    C:\WINNT\s [2009-03-14 146]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
    C:\WINNT\s [2009-03-14 146]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
    D:\Program Files\WordPerfect11\Programs\QFSCHD110.EXE [2003-02-25 98367]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe []

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SymTray - Norton SystemWorks]
    C:\Program Files\Common Files\Symantec Shared\Symtray.exe [2002-08-29 106576]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
    mobsync.exe /logon []

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIUCU]
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S []

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 131072]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
    C:\WINNT\system32\wfxsnt40.exe [2000-02-14 43008]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Acrobat Assistant.lnk - D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
    Controller.LNK - C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    PGPtray.lnk - G:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    C:\WINNT\system32\igfxsrvc.dll [2005-10-19 348160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nwprovau]
    C:\WINNT\system32\nwprovau.dll [2006-08-31 140048]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
    jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINNT\s [2009-03-14 146]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{A213B520-C6C2-11d0-AF9D-008029E1027E}"=C:\Program Files\Symantec\WinFax\WfxSeh32.Dll [1998-07-27 38400]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "authentication packages"=msv1_0
    nwprovau

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=149

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\Documents and Settings\Administrator\Local Settings\Application Data\zchMiB.exe"="C:\Documents and Settings\Administrator\Local Settings\Application Data\zchMiB.exe:*:Enabled:Windows Time Synchronization"
    "C:\Documents and Settings\Administrator\Local Settings\Application Data\websvr.exe"="C:\Documents and Settings\Administrator\Local Settings\Application Data\websvr.exe:*:Enabled:WinSvrHost32"
    "C:\WINNT\system32\3361\svchost.exe"="C:\WINNT\system32\3361\svchost.exe:*:Enabled:SVCHOST.EXE"
    "\??\C:\WINNT\system32\winlogon.exe"="\??\C:\WINNT\system32\winlogon.exe:*:enabled:@shell32.dll,-1"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    ======List of files/folders created in the last 1 months======

    2009-05-02 20:16:53 ----D---- C:\rsit
    2009-05-02 19:42:21 ----A---- C:\WINNT\system32\B.tmp
    2009-05-01 16:48:43 ----D---- C:\Qoobox
    2009-05-01 16:48:38 ----A---- C:\Bug.txt
    2009-04-30 22:32:05 ----D---- C:\WINNT\ERUNT
    2009-04-30 22:21:17 ----D---- C:\SDFix
    2009-04-26 13:00:57 ----A---- C:\WINNT\IE4 Error Log.txt
    2009-04-25 14:51:46 ----D---- C:\Program Files\Trend Micro
    2009-04-22 22:06:01 ----D---- C:\WINNT\system32\DRVSTORE
    2009-04-19 18:48:02 ----A---- C:\dndi.txt
    2009-04-19 17:01:59 ----A---- C:\WINNT\ntbtlog.txt
    2009-04-16 19:40:51 ----D---- C:\Documents and Settings\Administrator\Application Data\BitTorrent
    2009-04-14 21:37:54 ----N---- C:\WINNT\system32\tcpd.exe
    2009-04-14 21:37:54 ----N---- C:\WINNT\system32\AUTMGR.EXE
    2009-04-14 21:37:51 ----N---- C:\WINNT\system32\kernel32_check.dll
    2009-04-14 21:37:50 ----N---- C:\WINNT\system32\tcpcon.dll
    2009-04-14 21:37:50 ----N---- C:\WINNT\system32\Packer.dll
    2009-04-14 21:37:50 ----N---- C:\WINNT\system32\iphy.dll
    2009-04-14 21:37:50 ----N---- C:\WINNT\system32\fiplock.dll
    2009-04-14 21:37:50 ----N---- C:\WINNT\system32\fhpatch.dll
    2009-04-14 21:35:49 ----D---- C:\WINNT\system32\3361
    2009-04-14 20:33:49 ----N---- C:\WINNT\system32\unrar.dll
    2009-04-14 20:33:47 ----N---- C:\WINNT\system32\yv12vfw.dll
    2009-04-14 20:33:47 ----N---- C:\WINNT\system32\xvidvfw.dll
    2009-04-14 20:33:47 ----N---- C:\WINNT\system32\vp7vfw.dll
    2009-04-14 20:33:47 ----N---- C:\WINNT\system32\vp6vfw.dll
    2009-04-14 20:33:47 ----N---- C:\WINNT\system32\huffyuv.dll
    2009-04-14 20:33:46 ----N---- C:\WINNT\system32\qt-dx331.dll
    2009-04-14 20:33:46 ----N---- C:\WINNT\system32\dpl100.dll
    2009-04-14 20:33:44 ----N---- C:\WINNT\system32\ff_vfw.dll
    2009-04-14 20:33:42 ----N---- C:\WINNT\system32\pthreadGC2.dll
    2009-04-14 20:33:41 ----D---- C:\Program Files\K-Lite Codec Pack
    2009-04-05 21:28:42 ----HD---- C:\WINNT\$NtUninstallKB967715$
    2009-04-05 21:24:56 ----HD---- C:\WINNT\$NtUninstallKB960225$
    2009-04-05 21:03:06 ----HD---- C:\WINNT\$NtUninstallKB958690$
    2009-04-05 20:01:47 ----N---- C:\WINNT\system32\javaws.exe
    2009-04-05 20:01:47 ----N---- C:\WINNT\system32\javaw.exe
    2009-04-05 20:01:47 ----N---- C:\WINNT\system32\java.exe
    2009-04-04 16:20:40 ----N---- C:\WINNT\system32\wbhelp2.dll

    ======List of files/folders modified in the last 1 months======

    2009-05-02 19:23:36 ----A---- C:\WINNT\win.ini
    2009-05-02 19:19:58 ----A---- C:\WINNT\ModemLog_Generic - HCF PCI Modem.txt
    2009-05-02 18:59:16 ----A---- C:\WINNT\SchedLgU.Txt
    2009-04-27 17:58:56 ----A---- C:\WINNT\SYSTEM.INI
    2009-04-21 23:03:32 ----A---- C:\WINNT\wininit.ini
    2009-04-16 19:28:28 ----A---- C:\WINNT\system32\dfrg.msc
    2009-04-14 21:37:52 ----A---- C:\WINNT\system32\kernel32.dll
    2009-04-14 21:36:06 ----N---- C:\WINNT\OEWABLog.txt
    2009-04-05 21:25:08 ----N---- C:\WINNT\imsins.BAK
    2009-04-05 21:14:50 ----N---- C:\WINNT\system32\PerfStringBackup.INI

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 AFS2K;AFS2k; C:\WINNT\s [2009-03-14 146]
    R1 Aspi32;Aspi32; C:\WINNT\s [2009-03-14 146]
    R1 Cdr4_2K;Cdr4_2K; C:\WINNT\s [2009-03-14 146]
    R1 Cdralw2k;Cdralw2k; C:\WINNT\s [2009-03-14 146]
    R1 cdudf;cdudf; C:\WINNT\s [2009-03-14 146]
    R1 ifdcacf;ifdcacf; C:\WINNT\S [2009-03-14 146]
    R1 OMCI;OMCI; C:\WINNT\S [2009-03-14 146]
    R1 PQNTDrv;PQNTDrv; C:\WINNT\s [2009-03-14 146]
    R1 pwd_2K;pwd_2K; C:\WINNT\s [2009-03-14 146]
    R1 UdfReadr;UdfReadr; C:\WINNT\s [2009-03-14 146]
    R2 BrPar;BrPar; C:\WINNT\S [2009-03-14 146]
    R2 hidusb;Microsoft HID Class Driver; C:\WINNT\S [2009-03-14 146]
    R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.6; C:\WINNT\s [2009-03-14 146]
    R2 mdmxsdk;mdmxsdk; C:\WINNT\s [2009-03-14 146]
    R2 mrtRate;mrtRate; C:\WINNT\s [2009-03-14 146]
    R2 Nbf;NetBEUI Protocol; C:\WINNT\S [2009-03-14 146]
    R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINNT\S [2009-03-14 146]
    R2 NwlnkNb;NWLink NetBIOS; C:\WINNT\S [2009-03-14 146]
    R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINNT\S [2009-03-14 146]
    R2 PfModNT;PfModNT; \??\C:\WINNT\system32\drivers\PfModNT.sys []
    R2 PGPdisk;PGPdisk; C:\WINNT\s [2009-03-14 146]
    R2 PGPsdkDriver;PGPsdkDriver; C:\WINNT\S [2009-03-14 146]
    R3 aeaudio;aeaudio; C:\WINNT\s [2009-03-14 146]
    R3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
    R3 GEARAspiWDM;GEARAspiWDM; C:\WINNT\S [2009-03-14 146]
    R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINNT\s [2009-03-14 146]
    R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINNT\s [2009-03-14 146]
    R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINNT\s [2009-03-14 146]
    R3 ialm;ialm; C:\WINNT\s [2009-03-14 146]
    R3 mmc_2K;mmc_2K; C:\WINNT\s [2009-03-14 146]
    R3 mouhid;Mouse HID Driver; C:\WINNT\S [2009-03-14 146]
    R3 NPDriver;Norton Unerase Protection Driver; \??\C:\WINNT\system32\Drivers\NPDRIVER.SYS []
    R3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver; C:\WINNT\s [2009-03-14 146]
    R3 NWRDR;NetWare Rdr; C:\WINNT\S [2009-03-14 146]
    R3 pfc;Padus ASPI Shell; C:\WINNT\s [2009-03-14 146]
    R3 PSched;QoS Packet Scheduler; C:\WINNT\S [2009-03-14 146]
    R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINNT\S [2009-03-14 146]
    R3 smwdm;smwdm; C:\WINNT\s [2009-03-14 146]
    R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
    R3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\S [2009-03-14 146]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINNT\s [2009-03-14 146]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINNT\S [2009-03-14 146]
    R3 usbhub20;USB 2.0 Root Hub Support; C:\WINNT\S [2009-03-14 146]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\S [2009-03-14 146]
    R3 usbscan;USB Scanner Driver; C:\WINNT\S [2009-03-14 146]
    R3 USBSTOR;USB Mass Storage Driver; C:\WINNT\S [2009-03-14 146]
    R3 vitra;vitra; C:\WINNT\S [2009-03-14 146]
    R3 Winachcf;Winachcf; C:\WINNT\s [2009-03-14 146]
    S1 btq4e2d;btq4e2d; C:\WINNT\S [2009-03-14 146]
    S1 khf1ef1;khf1ef1; C:\WINNT\S [2009-03-14 146]
    S1 mjh72ef;mjh72ef; C:\WINNT\S [2009-03-14 146]
    S1 oljf514;oljf514; C:\WINNT\S [2009-03-14 146]
    S1 qol051c;qol051c; C:\WINNT\S [2009-03-14 146]
    S1 rom4d24;rom4d24; C:\WINNT\S [2009-03-14 146]
    S1 romaa7b;romaa7b; C:\WINNT\S [2009-03-14 146]
    S1 spn31b9;spn31b9; C:\WINNT\S [2009-03-14 146]
    S1 sqn2e9a;sqn2e9a; C:\WINNT\S [2009-03-14 146]
    S1 sqn5992;sqn5992; C:\WINNT\S [2009-03-14 146]
    S2 SecDrv;SecDrv; \??\C:\WINNT\system32\drivers\SECDRV.SYS []
    S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINNT\s [2009-03-14 146]
    S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINNT\s [2009-03-14 146]
    S3 bcm4sbe5;Broadcom 440x 10/100 Integrated Controller Driver; C:\WINNT\s [2009-03-14 146]
    S3 CCDECODE;Closed Caption Decoder; C:\WINNT\s [2009-03-14 146]
    S3 dvd_2K;dvd_2K; C:\WINNT\s [2009-03-14 146]
    S3 ENIMSR;ENIMSR; \??\C:\PROGRA~1\MTS\ENTERN~1\app\ENIMSR.SYS []
    S3 FETNDISB;D-Link DFE-530TX PCI Fast Ethernet Adapter Driver Service; C:\WINNT\s [2009-03-14 146]
    S3 MPE;BDA MPE Filter; C:\WINNT\s [2009-03-14 146]
    S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\s [2009-03-14 146]
    S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\s [2009-03-14 146]
    S3 NTSTAP1;NTSTAP1; \??\C:\PROGRA~1\MTS\ENTERN~1\app\NTSTAP1.SYS []
    S3 NTSTAP2;NTSTAP2; \??\C:\PROGRA~1\MTS\ENTERN~1\app\NTSTAP2.SYS []
    S3 RAWESR;RAWESR; \??\C:\PROGRA~1\MTS\ENTERN~1\app\RAWESR.SYS []
    S3 restore;restore; \??\C:\WINNT\system32\drivers\restore.sys []
    S3 SDdriver;SDdriver; \??\C:\WINNT\system32\Drivers\sddriver.sys []
    S3 SLIP;BDA Slip De-Framer; C:\WINNT\s [2009-03-14 146]
    S3 streamip;BDA IPSink; C:\WINNT\s [2009-03-14 146]
    S3 TAPBIND;TAPBIND; \??\C:\PROGRA~1\MTS\ENTERN~1\app\TAPBIND1.SYS []
    S3 UIUSys;Conexant Setup API; C:\WINNT\s [2009-03-14 146]
    S3 Winacpci;Winacpci; C:\WINNT\S [2009-03-14 146]
    S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\s [2009-03-14 146]
    S4 IntelIde;IntelIde; C:\WINNT\s [2009-03-14 146]

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
    R2 NProtectService;Norton Unerase Protection; C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [2002-08-14 155648]
    R2 NwSapAgent;SAP Agent; C:\WINNT\S [2009-03-14 146]
    R2 PPPoEService;PPPoE Service; C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe [2000-07-11 69632]
    R2 SimpTcp;Simple TCP/IP Services; C:\WINNT\S [2009-03-14 146]
    R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968]
    R2 StiSvc;Still Image Service; C:\WINNT\s [2009-03-14 146]
    R2 wfxsvc;WinFax PRO; C:\WINNT\s [2009-03-14 146]
    S2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-05-15 100032]
    S2 Irmon;Irmon; C:\WINNT\S [2009-03-14 146]
    S2 LexBceS;LexBce Server; C:\WINNT\s [2009-03-14 146]
    S2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
    S2 NWCWorkstation;Client Service for NetWare; C:\WINNT\S [2009-03-14 146]
    S2 PGPsdkServ;PGPsdkService; C:\WINNT\s [2009-03-14 146]
    S2 Speed Disk service;Speed Disk service; C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe [2002-08-14 192545]
    S3 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
    S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-07-27 501048]
    S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-05-15 2086592]
    S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINNT\s [2009-03-14 146]
    S3 WmdmPmSN;Portable Media Serial Number Service; C:\WINNT\S [2009-03-14 146]
    S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408]

    -----------------EOF-----------------

    Quote Originally Posted by katana:
        • Once it has finished, two logs will open:
          • log.txt will be opened maximized.
          • info.txt will be opened minimized.
    info.txt was not minimized or opened.

  10. #20
    Member Bithpq's Avatar
    Join Date
    Dec 2008
    Location
    127.0.0.1
    Posts
    74

    Default

I have a few other drives (partitions); should I scan those too?

    GMER 1.0.15.14972 - http://www.gmer.net
    Rootkit scan 2009-05-02 22:06:33
    Windows 5.0.2195 Service Pack 4


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
    .text ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
    .text ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
    .text ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
    .text ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINNT\system32\winlogon.exe[224] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\WINNT\system32\winlogon.exe[224] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\WINNT\system32\winlogon.exe[224] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\WINNT\system32\winlogon.exe[224] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\WINNT\system32\services.exe[256] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FF84493
    .text C:\WINNT\system32\services.exe[256] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FF84522
    .text C:\WINNT\system32\services.exe[256] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FF84518
    .text C:\WINNT\system32\services.exe[256] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FF84570
    .text C:\WINNT\system32\lsass.exe[268] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\WINNT\system32\lsass.exe[268] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\WINNT\system32\lsass.exe[268] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\WINNT\system32\lsass.exe[268] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\Program Files\Java\jre6\bin\jqs.exe[524] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\Program Files\Java\jre6\bin\jqs.exe[524] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\Program Files\Java\jre6\bin\jqs.exe[524] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\Program Files\Java\jre6\bin\jqs.exe[524] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE[652] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE[652] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE[652] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE[652] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\WINNT\System32\svchost.exe[704] C:\WINNT\System32\svchost.exe section is writeable [0x01001000, 0x14A8, 0xE0000060]
    .rsrc C:\WINNT\System32\svchost.exe[704] C:\WINNT\System32\svchost.exe section is executable [0x01004000, 0x6400, 0xE0000040]
    .text C:\WINNT\System32\svchost.exe[704] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\WINNT\System32\svchost.exe[704] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\WINNT\System32\svchost.exe[704] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\WINNT\System32\svchost.exe[704] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe[724] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe[724] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe[724] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe[724] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\WINNT\system32\regsvc.exe[768] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\WINNT\system32\regsvc.exe[768] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\WINNT\system32\regsvc.exe[768] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\WINNT\system32\regsvc.exe[768] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\WINNT\System32\tcpsvcs.exe[788] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\WINNT\System32\tcpsvcs.exe[788] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\WINNT\System32\tcpsvcs.exe[788] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\WINNT\System32\tcpsvcs.exe[788] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[804] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[804] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[804] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[804] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\WINNT\system32\stisvc.exe[816] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\WINNT\system32\stisvc.exe[816] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\WINNT\system32\stisvc.exe[816] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\WINNT\system32\stisvc.exe[816] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\WINNT\system32\WFXSVC.EXE[852] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\WINNT\system32\WFXSVC.EXE[852] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\WINNT\system32\WFXSVC.EXE[852] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\WINNT\system32\WFXSVC.EXE[852] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
    .text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
    .text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
    .text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
    .text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
    .text C:\WINNT\Explorer.EXE[960] Explorer.EXE 00408199 5 Bytes [FF, 15, 70, 11, 40]
    .text C:\WINNT\Explorer.EXE[960] C:\WINNT\Explorer.EXE section is writeable [0x00401000, 0x19546, 0xE0000060]
    .reloc C:\WINNT\Explorer.EXE[960] C:\WINNT\Explorer.EXE section is executable [0x0043C000, 0x8000, 0xE2000040]
    .text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
    .text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
    .text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
    .text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
    .text C:\WINNT\Explorer.EXE[960] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
    .text C:\WINNT\Explorer.EXE[960] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
    .text C:\WINNT\Explorer.EXE[960] WS2_32.DLL!WSARecv 7503138E 5 Bytes CALL 7FFA574C
    .text C:\WINNT\Explorer.EXE[960] WS2_32.DLL!WSASend 75031525 5 Bytes CALL 7FFA5650
    .text C:\WINNT\Explorer.EXE[960] WS2_32.DLL!send 75031BCC 5 Bytes JMP 7FFA57EC
    .text C:\WINNT\system32\svchost.exe[1032] C:\WINNT\system32\svchost.exe section is writeable [0x01001000, 0x14A8, 0xE0000060]
    .rsrc C:\WINNT\system32\svchost.exe[1032] C:\WINNT\system32\svchost.exe section is executable [0x01004000, 0x6400, 0xE0000040]
    .text C:\WINNT\system32\svchost.exe[1032] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\WINNT\system32\svchost.exe[1032] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\WINNT\system32\svchost.exe[1032] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\WINNT\system32\svchost.exe[1032] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
    .text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
    .text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
    .text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
    .text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
    .text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
    .text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
    .text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
    .text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
    .text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
    .text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
    .text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
    .text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
    .text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
    .text H:\Program Files\QUICKENW\QAGENT.EXE[1148] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
    .text H:\Program Files\QUICKENW\QAGENT.EXE[1148] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
    .text H:\Program Files\QUICKENW\QAGENT.EXE[1148] WS2_32.DLL!WSARecv 7503138E 5 Bytes CALL 7FFA574C
    .text H:\Program Files\QUICKENW\QAGENT.EXE[1148] WS2_32.DLL!WSASend 75031525 5 Bytes CALL 7FFA5650
    .text H:\Program Files\QUICKENW\QAGENT.EXE[1148] WS2_32.DLL!send 75031BCC 5 Bytes JMP 7FFA57EC
    .text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
    .text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
    .text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
    .text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
    .text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
    .text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
    .text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
    .text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
    .text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
    .text C:\WINNT\system32\hkcmd.exe[1188] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
    .text C:\WINNT\system32\hkcmd.exe[1188] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
    .text C:\WINNT\system32\hkcmd.exe[1188] WS2_32.DLL!WSARecv 7503138E 5 Bytes CALL 7FFA574C
    .text C:\WINNT\system32\hkcmd.exe[1188] WS2_32.DLL!WSASend 75031525 5 Bytes CALL 7FFA5650
    .text C:\WINNT\system32\hkcmd.exe[1188] WS2_32.DLL!send 75031BCC 5 Bytes JMP 7FFA57EC
    .text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
    .text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
    .text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
    .text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
    .text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
    .text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
    .text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
    .text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
    .text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
    .text C:\WINNT\system32\VT100.EXE[1224] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
    .text C:\WINNT\system32\VT100.EXE[1224] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
    .text C:\WINNT\system32\VT100.EXE[1224] WS2_32.DLL!WSARecv 7503138E 5 Bytes CALL 7FFA574C
    .text C:\WINNT\system32\VT100.EXE[1224] WS2_32.DLL!WSASend 75031525 5 Bytes CALL 7FFA5650
    .text C:\WINNT\system32\VT100.EXE[1224] WS2_32.DLL!send 75031BCC 5 Bytes JMP 7FFA57EC
    .text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
    .text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
    .text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
    .text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
    .text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
    .text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
    .text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] WS2_32.DLL!WSARecv 7503138E 5 Bytes CALL 7FFA574C
    .text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] WS2_32.DLL!WSASend 75031525 5 Bytes CALL 7FFA5650
    .text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] WS2_32.DLL!send 75031BCC 5 Bytes JMP 7FFA57EC
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
    .text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
    .text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
    .text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
    .text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
    .text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
    .text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
    .text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
    .text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
    .text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
    .text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] WS2_32.DLL!WSARecv 7503138E 5 Bytes CALL 7FFA574C
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] WS2_32.DLL!WSASend 75031525 5 Bytes CALL 7FFA5650
    .text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] WS2_32.DLL!send 75031BCC 5 Bytes JMP 7FFA57EC
    .text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
    .text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
    .text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
    .text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
    .text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
    .text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
    .text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
    .text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
    .text C:\WINNT\system32\mrtMngr.EXE[1420] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
    .text C:\WINNT\system32\mrtMngr.EXE[1420] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
    .text C:\WINNT\system32\mrtMngr.EXE[1420] WS2_32.dll!WSARecv 7503138E 5 Bytes CALL 7FFA574C
    .text C:\WINNT\system32\mrtMngr.EXE[1420] WS2_32.dll!WSASend 75031525 5 Bytes CALL 7FFA5650
    .text C:\WINNT\system32\mrtMngr.EXE[1420] WS2_32.dll!send 75031BCC 5 Bytes JMP 7FFA57EC

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 PGPsdk.sys (PGP Software Development Kit NT Driver/PGP Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

    ---- Threads - GMER 1.0.15 ----

    Thread System [8:160] 8156A470

    ---- Processes - GMER 1.0.15 ----

    Process C:\WINNT\system32\VT100.EXE (*** hidden *** ) 1224
    Library C:\WINNT\system32\VT100.EXE (*** hidden *** ) @ C:\WINNT\system32\VT100.EXE [1224] 0x00400000

    ---- Files - GMER 1.0.15 ----

    File C:\WINNT\system32\VT100.EXE
    File C:\WINNT\system32\mmsg32.DLL
    File C:\WINNT\system32\ms2chk.DLL
    File C:\WINNT\system32\mspnd.DLL
    File C:\WINNT\system32\msdone.DLL
    File C:\Documents and Settings\Administrator\Local Settings\Temp\mmsg32.DLL
    File C:\Documents and Settings\Administrator\Local Settings\Temp\ms2chk.DLL
    File C:\Documents and Settings\Administrator\Local Settings\Temp\mspnd.DLL
    File C:\Documents and Settings\Administrator\Local Settings\Temp\msdone.DLL

    ---- EOF - GMER 1.0.15 ----
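
The GMER output above carries two very different signals. The long run of IAT hooks in Explorer.EXE all resolve to shim.dll and AcLayers.DLL, the files GMER itself labels as the Windows 2000 shim engine and accessory DLL, which is the application-compatibility layer rather than a rootkit. The Processes and Files sections are another matter: a process that is hidden from the normal process list, and a set of DLLs with the same names dropped into both system32 and the Administrator's Temp folder. The Python below is an added example written for this page, not part of the original post and not a GMER component: a small triage parser for this log format that counts the shim hooks as expected, flags any IAT hook pointing elsewhere, and surfaces hidden images and files staged in more than one directory. The allow-list of shim targets is the editor's assumption, and the sample input is a handful of lines copied from the log above plus one constructed IAT entry (the WS2_32.dll!send hook into VT100.EXE) so the suspicious branch has something to catch.

```python
"""Triage helper for GMER 1.0.15 text logs (added example, not part of GMER)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Line shapes as they appear in the posted log (assumption: GMER 1.0.15 layout).
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>\S+)\s+"
    r"\[(?P<imp>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<target>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)
HIDDEN_RE = re.compile(
    r"^(?P<kind>Process|Library)\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)"
)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s*$")

# Hook targets that belong to the Windows 2000 application-compatibility layer.
# Assumption: this allow-list is the editor's, not GMER's, and it is only
# honoured when the version-resource description GMER printed names Microsoft.
SHIM_TARGETS = {
    r"c:\winnt\system32\shim.dll",
    r"c:\winnt\apppatch\aclayers.dll",
}


def triage(lines):
    """Classify GMER log lines; return counts plus the entries to look at first."""
    hidden = []            # (kind, path) for hidden processes and libraries
    files = []             # paths from the Files section
    benign_hooks = 0
    suspicious_hooks = []  # (import, target, description) not in the shim layer
    for raw in lines:
        line = raw.strip()
        m = IAT_RE.match(line)
        if m:
            target = m.group("target").lower()
            desc = m.group("desc") or ""
            if target in SHIM_TARGETS and desc.endswith("/Microsoft Corporation"):
                benign_hooks += 1
            else:
                suspicious_hooks.append((m.group("imp"), m.group("target"), desc))
            continue
        m = HIDDEN_RE.match(line)
        if m:
            hidden.append((m.group("kind"), m.group("path")))
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(m.group("path"))

    # The same file name dropped into more than one directory (system32 plus a
    # user Temp folder in the posted log) is how a dropper stages its payload;
    # group by basename so the pattern stands out.
    by_name = defaultdict(set)
    for p in files:
        wp = PureWindowsPath(p)
        by_name[wp.name.lower()].add(str(wp.parent).lower())
    staged = sorted(name for name, dirs in by_name.items() if len(dirs) > 1)

    # Files that are also hidden images: the ones to hash and submit first.
    hidden_paths = {p.lower() for _, p in hidden}
    hidden_files = sorted(p for p in files if p.lower() in hidden_paths)

    return {
        "benign_hooks": benign_hooks,
        "suspicious_hooks": suspicious_hooks,
        "hidden": hidden,
        "staged_copies": staged,
        "hidden_files": hidden_files,
    }


# Sample input: lines copied from the posted log, plus one constructed IAT hook
# (the WS2_32.dll!send entry) that points at the hidden VT100.EXE image.
SAMPLE_LOG = r"""
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WININET.dll [WS2_32.dll!send] [00401A2C] C:\WINNT\system32\VT100.EXE
Process C:\WINNT\system32\VT100.EXE (*** hidden *** ) 1224
Library C:\WINNT\system32\VT100.EXE (*** hidden *** ) @ C:\WINNT\system32\VT100.EXE [1224] 0x00400000
File C:\WINNT\system32\VT100.EXE
File C:\WINNT\system32\mmsg32.DLL
File C:\Documents and Settings\Administrator\Local Settings\Temp\mmsg32.DLL
""".strip().splitlines()


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The allow-list is a triage shortcut, not proof of anything: the vendor string GMER prints in parentheses comes from the file's own version resource, which any dropped binary can carry, so a hook that lands in the "benign" bucket still deserves a hash check if the file's size or timestamp looks off. The hidden_files list is the opposite case, an image that is both on disk and concealed from the process list, and those are the files to hash and submit for analysis before any further cleaning.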
