
Infected Win32Trojan.TDSS/others


38 replies to this topic

#1 kenwayy
Posted 22 June 2009 - 09:26 PM

This is a nasty one. Spyware Doctor (full version) rarely sees it even on a full deep scan. Ad-aware will see Trojan.TDSS and sometimes Trojan.Agent2. Can't run/install typical anti-virus like trendmicro's site or Malwarebytes', etc. If I can get the program installed it doesn't run. The exe comes up in task manager but no actual GUI. Same for Spybot SD. With SD I can get the tray icon but no actual interface. Spyware Doctor no longer updates, nor does Ad-aware; I get "connection interrupted". I can get rid of the google redirect but most websites still return a failed connection. It also creates an exe named after my username; that's what the sgt.exe is. On start-up/shutdown it will occasionally hang at the login, and every time I get constant DEP windows for usinit/WMI. Sometimes I get data entry failure windows informing me a program has an error because the memory location could not be "read". I will randomly get sound files for random commercials playing for such things as a colonoscopy. Hope you guys can help.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Sgt at 21:00:26.89 on Mon 06/22/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1194 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Documents and Settings\Sgt\Sgt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Sgt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
uRun: [Sgt] c:\documents and settings\sgt\Sgt.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [reader_s] c:\documents and settings\administrator\reader_s.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234521609671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sgtdem~1\applic~1\mozilla\firefox\profiles\99arf6n7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-22 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-16 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-5-16 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-5-16 39200]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-5-16 159600]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-3-27 10384]
R3 SinoTPM;Driver For SinoSun Trusted Platform Module;c:\windows\system32\drivers\SinoTpm.sys [2006-4-11 30592]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-5-16 33056]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-5-16 64392]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-13 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-13 1095560]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]

=============== Created Last 30 ================

2009-06-22 20:59 24,095 a------- c:\windows\system32\AAWService_2009_06_22_20_59_10.dmp
2009-06-22 20:46 <DIR> --d----- c:\program files\Trend Micro
2009-06-22 20:46 424 a---h--- C:\aaw7boot.cmd
2009-06-22 20:21 <DIR> --d----- C:\spoolerlogs
2009-06-22 19:22 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 19:22 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-22 19:22 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 19:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-22 19:11 24,095 a------- c:\windows\system32\AAWService_2009_06_22_19_11_46.dmp
2009-06-22 18:36 22,126 a------- c:\windows\system32\AAWService_2009_06_22_18_36_48.dmp
2009-06-22 18:28 159 a------- c:\windows\2232132.bat
2009-06-22 18:28 39,424 ----h--- c:\windows\ld10.exe
2009-06-22 12:34 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-22 12:23 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-22 11:56 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-22 11:56 <DIR> --d----- c:\program files\Lavasoft
2009-06-22 11:48 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-22 11:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-22 09:32 136,224 a------- c:\windows\system32\drivers\ethbkknq.sys
2009-06-22 06:49 60,928 a------- c:\documents and settings\sgt\eiyysm.exe
2009-06-22 06:37 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-06-22 06:35 401 a------- c:\documents and settings\sgt\TRHHWI.bat
2009-06-22 06:35 23,040 a------- c:\documents and settings\sgt\XFGNXY.exe
2009-06-22 06:35 82,944 a------- c:\documents and settings\sgt\QOBLWB.exe
2009-06-22 06:30 161,280 ---shr-- c:\documents and settings\sgt\Sgt.exe
2009-06-13 16:52 <DIR> --d----- C:\a
2009-06-11 17:29 41,808 a------- c:\windows\system32\xfcodec.dll
2009-06-08 13:13 137,992 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-08 13:13 201,816 a------- c:\windows\system32\PnkBstrB.exe
2009-06-08 13:13 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-06-08 12:16 <DIR> --d----- c:\docume~1\sgtdem~1\applic~1\MySpace
2009-06-08 12:16 <DIR> --d----- c:\program files\MySpace
2009-06-07 05:44 7,680 a--sh--- c:\windows\Thumbs.db
2009-06-05 16:42 <DIR> --d----- c:\program files\common files\INCA Shared
2009-06-04 23:20 <DIR> --d----- c:\program files\HuxleyLite
2009-06-04 22:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ijjigame
2009-06-04 14:18 <DIR> --d----- c:\docume~1\sgtdem~1\applic~1\PureEdge
2009-06-04 14:18 172,032 a------- c:\windows\system32\SSCE5332.dll
2009-06-04 14:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PureEdge
2009-06-04 14:18 <DIR> --d----- c:\program files\PureEdge
2009-06-04 12:53 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-06-04 11:28 <DIR> --d----- C:\98bc9495673c04fa95
2009-06-04 11:11 <DIR> --d----- c:\program files\MSXML 4.0
2009-05-31 17:09 <DIR> --d----- c:\program files\AutoHotkey
2009-05-29 20:03 <DIR> --d----- C:\Sierra

==================== Find3M ====================

2009-06-22 18:29 98,304 a------- c:\windows\DUMP83e5.tmp
2009-06-22 14:41 98,304 a------- c:\windows\DUMP590c.tmp
2009-06-22 06:37 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-16 18:03 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-05-10 09:55 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-05-08 12:26 413,696 a------- c:\windows\system32\wrap_oal.dll
2009-05-08 12:26 110,592 a------- c:\windows\system32\OpenAL32.dll
2009-04-02 08:21 84,480 a------- c:\windows\system32\ff_vfw.dll
2009-03-26 12:19 344,064 a------- c:\windows\system32\AegisI5Installer.exe

============= FINISH: 21:02:47.65 ===============


#2 JSntgRvr
    Master Surgeon General


  • Malware Response Team

Posted 22 June 2009 - 11:08 PM

Hi, kenwayy :thumbup2:

Welcome.

  • Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 kenwayy

Posted 23 June 2009 - 07:43 AM

This was taken in Safe Mode as I couldn't get a normal boot for a while. I can now and I'm running another scan after this. Last try locked up my computer when I tried to save the finished log.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-23 02:15:43
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

INT 0x63 ? 89561BF8
INT 0x73 ? 8A029BF8
INT 0x83 ? 89561BF8
INT 0x83 ? 89561BF8
INT 0x83 ? 89561BF8
INT 0xB4 ? 8A098BF8
INT 0xB4 ? 89561BF8
INT 0xB4 ? 89561BF8
INT 0xB4 ? 8A098BF8

Code 8960E0EE ZwEnumerateKey
Code 8960E0B6 ZwFlushInstructionCache
Code 8942E20D IofCallDriver
Code 8942908D IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 8942E212
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 89429092
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 5 Bytes JMP 8960E0F2
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP 8960E0BA
? spcx.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload BAD178AC 5 Bytes JMP 895611D8

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[308] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 008E000A
.text C:\WINDOWS\system32\services.exe[356] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\lsass.exe[372] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 009E000A
.text C:\WINDOWS\system32\lsass.exe[372] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C6000A
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1020] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1020] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1020] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1020] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1020] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1020] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1020] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00EB000A
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1020] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00EC000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1116] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1116] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1116] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1116] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1116] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1116] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1116] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00AE000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1116] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B1000A
.reloc C:\WINDOWS\Explorer.EXE[1312] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x8800, 0xE0000040]
.reloc C:\WINDOWS\Explorer.EXE[1312] C:\WINDOWS\Explorer.EXE entry point in ".reloc" section [0x010FE8B2]
.text C:\WINDOWS\Explorer.EXE[1312] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\Explorer.EXE[1312] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\Explorer.EXE[1312] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\Explorer.EXE[1312] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\Explorer.EXE[1312] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\Explorer.EXE[1312] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\Explorer.EXE[1312] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C6000A
.text C:\WINDOWS\Explorer.EXE[1312] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C7000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00E1000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 40A51777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 40A516F8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 40A5173C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 40A51684 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 40A516BE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 40A517B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] WININET.dll!HttpAddRequestHeadersA 7805FB35 5 Bytes JMP 00ED000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] WININET.dll!HttpAddRequestHeadersW 780CD015 5 Bytes JMP 00FB000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0107F9F0 \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01080A60 \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 010808A0 \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01080780 \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0107FDA0 \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1336] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0107FFD0 \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll
.text C:\vwss10gs.exe[2000] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\vwss10gs.exe[2000] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\vwss10gs.exe[2000] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\vwss10gs.exe[2000] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\vwss10gs.exe[2000] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\vwss10gs.exe[2000] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\vwss10gs.exe[2000] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00E1000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A02C2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7508C4C] spcx.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7508CA0] spcx.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74D8040] spcx.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74D813C] spcx.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74D80BE] spcx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74D87FC] spcx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74D86D2] spcx.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 895612D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74E8048] spcx.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A0971F8

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)

Device \Driver\NDIS \Device\Ndis [89582984] NDIS.sys[.reloc]

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\sptd \Device\1982709808 spcx.sys
Device \Driver\usbuhci \Device\USBPDO-0 895601F8
Device \Driver\PCI_PNP7308 \Device\00000051 spcx.sys
Device \Driver\PCI_PNP7308 \Device\00000051 spcx.sys
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A0991F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A0991F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A0991F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A0991F8
Device \Driver\usbuhci \Device\USBPDO-1 895601F8
Device \Driver\usbehci \Device\USBPDO-2 895491F8
Device \Driver\usbuhci \Device\USBPDO-3 895601F8
Device \Driver\usbuhci \Device\USBPDO-4 895601F8
Device \Driver\usbehci \Device\USBPDO-5 895491F8
Device \Driver\usbuhci \Device\USBPDO-6 895601F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A02A1F8
Device \Driver\usbuhci \Device\USBFDO-0 895601F8
Device \Driver\usbuhci \Device\USBFDO-1 895601F8
Device \Driver\usbehci \Device\USBFDO-2 895491F8
Device \Driver\usbuhci \Device\USBFDO-3 895601F8
Device \Driver\usbuhci \Device\USBFDO-4 895601F8
Device \Driver\Ftdisk \Device\FtControl 8A02A1F8
Device \Driver\usbuhci \Device\USBFDO-5 895601F8
Device \Driver\usbehci \Device\USBFDO-6 895491F8
Device \Driver\a28bwr9o \Device\Scsi\a28bwr9o1 8950C500
Device \FileSystem\Cdfs \Cdfs 893891F8

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [648] 0x00A80000
Library \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [648] 0x00B30000
Library \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [812] 0x00A70000
Library \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [812] 0x00B20000
Library \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1312] 0x00D60000
Library \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1336] 0x01070000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETlqleofpl.sys (*** hidden *** ) [SYSTEM] SKYNETucteuuvl <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACsiuwbpkbsbxumnvpf.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060e875a5
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060e875a5@00249fe3170f 0x88 0x3D 0x18 0x92 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl@imagepath \systemroot\system32\drivers\SKYNETlqleofpl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\main@aid 10033
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\main@cmddelay 7200
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETlqleofpl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\modules@SKYNETcmd.dll \systemroot\system32\SKYNETvfrlciwb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\modules@SKYNETlog.dat \systemroot\system32\SKYNETjqkhiwxj.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\modules@SKYNETwsp.dll \systemroot\system32\SKYNETxathpgyb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\modules@SKYNET.dat \systemroot\system32\SKYNETdoessrnh.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x58 0x9A 0xC8 0x42 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBC 0x06 0x9D 0x08 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB3 0x9B 0xD9 0x16 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCD 0xE7 0x41 0x44 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACsiuwbpkbsbxumnvpf.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACsiuwbpkbsbxumnvpf.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACyfqjwhmusovreetaa.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACpyielwubvdliavhpg.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACesqdqmasdpqtoejki.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACbpcehfxhyxfvxjkcf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACobhwrrwostlnfqxad.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACxvbpxelsexnhirmdb.db
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACahslyykyahoxtuams.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACwxiqsuedtexyrbstj.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACatfhyjqpailvkqpyu.log
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001060e875a5
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001060e875a5@00249fe3170f 0x88 0x3D 0x18 0x92 ...
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl@imagepath \systemroot\system32\drivers\SKYNETlqleofpl.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\main
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\main@aid 10033
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\main\delete
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\main\injector
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\main\tasks
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\modules
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETlqleofpl.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\modules@SKYNETcmd.dll \systemroot\system32\SKYNETvfrlciwb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\modules@SKYNETlog.dat \systemroot\system32\SKYNETjqkhiwxj.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\modules@SKYNETwsp.dll \systemroot\system32\SKYNETxathpgyb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\modules@SKYNET.dat \systemroot\system32\SKYNETdoessrnh.dat
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x58 0x9A 0xC8 0x42 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBC 0x06 0x9D 0x08 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB3 0x9B 0xD9 0x16 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCD 0xE7 0x41 0x44 ...
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACsiuwbpkbsbxumnvpf.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACsiuwbpkbsbxumnvpf.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACyfqjwhmusovreetaa.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACpyielwubvdliavhpg.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACesqdqmasdpqtoejki.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACbpcehfxhyxfvxjkcf.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACobhwrrwostlnfqxad.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACxvbpxelsexnhirmdb.db
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACahslyykyahoxtuams.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACwxiqsuedtexyrbstj.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACatfhyjqpailvkqpyu.log
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine\uacthqsxwulkwvtdenkh.dll.8f64756049a5187f0355adf45677239.aawqff 66564 bytes
File C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine\uacxxyvbftpdmrxnsidu.dll.f376ca4a672e76102b96ef6c3247e0.aawqff 30212 bytes
File C:\Documents and Settings\Sgt\Local Settings\Temp\UAC9c17.tmp 343040 bytes executable
File C:\Program Files\Common Files\Pure Networks Shared\Platform\purendis\purendis.sys (size mismatch) 25272/182656 bytes executable
File C:\WINDOWS\system32\dllcache\ndis.sys (size mismatch) 212224/182656 bytes executable
File C:\WINDOWS\system32\SKYNETdoessrnh.dat 93 bytes
File C:\WINDOWS\system32\SKYNETjqkhiwxj.dat 72181 bytes
File C:\WINDOWS\system32\SKYNETvfrlciwb.dll 43008 bytes executable
File C:\WINDOWS\system32\SKYNETxathpgyb.dll 19456 bytes executable
File C:\WINDOWS\system32\drivers\ndis.sys (size mismatch) 212224/182656 bytes executable
File C:\WINDOWS\system32\drivers\purendis.sys (size mismatch) 25272/182656 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\SKYNETlqleofpl.sys 68096 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\UACsiuwbpkbsbxumnvpf.sys 51712 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\DRVSTORE\purendis_8B58769457D6A73C97495B8B0954E2612055C834\purendis.sys (size mismatch) 25272/182656 bytes executable
File C:\WINDOWS\system32\UACahslyykyahoxtuams.log 40852 bytes
File C:\WINDOWS\system32\UACbpcehfxhyxfvxjkcf.dll 17408 bytes executable
File C:\WINDOWS\system32\UACesqdqmasdpqtoejki.dll 19968 bytes executable
File C:\WINDOWS\system32\uacinit.dll 6270 bytes
File C:\WINDOWS\system32\UACobhwrrwostlnfqxad.dll 19456 bytes executable
File C:\WINDOWS\system32\UACpyielwubvdliavhpg.dat 224 bytes
File C:\WINDOWS\system32\UACthqsxwulkwvtdenkh.dll 66560 bytes
File C:\WINDOWS\system32\uactmp.db 3976714 bytes
File C:\WINDOWS\system32\UACxvbpxelsexnhirmdb.db 1110399 bytes
File C:\WINDOWS\system32\UACxxyvbftpdmrxnsidu.dll 30208 bytes executable
File C:\WINDOWS\system32\UACyfqjwhmusovreetaa.dll 23552 bytes executable
File C:\WINDOWS\Temp\SKYNETavtmgyibyt.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETiqjismnwmq.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETkvpwlxrhem.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETnylbefvecq.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETqxnsmnbvsf.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETsmcujyxcdx.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETsrrcpjqvvc.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETtabvpesvjq.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETtivnlnsmjn.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETttyexmduxt.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETxfwqijfanw.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETxmexnnenkr.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETxouxdsivtv.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETxpbuxyyugq.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETxpfcxrhuex.tmp 20992 bytes executable
File C:\WINDOWS\Temp\UAC4bcd.tmp 66560 bytes
File C:\WINDOWS\Temp\SKYNETqxvbvpfdbd.tmp 20992 bytes executable
File C:\WINDOWS\$NtServicePackUninstall$\ndis.sys (size mismatch) 182912/182656 bytes executable

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\DRIVERS\purendis.sys [AUTO] purendis <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

#4 kenwayy (Topic Starter)

Posted 23 June 2009 - 09:52 AM

Complete log done on normal boot.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-23 09:46:59
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

INT 0x63 ? 8950CBF8
INT 0x63 ? 8950CBF8
INT 0x63 ? 8950CBF8
INT 0x73 ? 8A093BF8
INT 0x73 ? 8A093BF8
INT 0x73 ? 8A093BF8
INT 0x83 ? 8950CBF8
INT 0x83 ? 8950CBF8
INT 0x83 ? 8950CBF8
INT 0xB4 ? 8A104BF8
INT 0xB4 ? 8950CBF8
INT 0xB4 ? 8950CBF8

Code 890C7E36 ZwEnumerateKey
Code 890C6AD6 ZwFlushInstructionCache
Code 88F9B10D IofCallDriver
Code 890DEBA5 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 88F9B112
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 890DEBAA
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 890C6ADA
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 890C7E3A
? spaq.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B867F8AC 5 Bytes JMP 8950C1D8
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? C:\WINDOWS\System32\svchost.exe[420] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: gdiplus.dllunknown module: OLEAUT32.dll
.text C:\WINDOWS\System32\svchost.exe[420] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\System32\svchost.exe[420] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\System32\svchost.exe[420] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\System32\svchost.exe[420] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\System32\svchost.exe[420] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\System32\svchost.exe[420] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\svchost.exe[480] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\svchost.exe[480] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\svchost.exe[480] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\svchost.exe[480] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\svchost.exe[480] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\svchost.exe[480] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\svchost.exe[480] kernel32.dll!LoadLibraryExW + C4 7C801BB9 2 Bytes CALL 00810001
.text C:\WINDOWS\system32\svchost.exe[480] kernel32.dll!LoadLibraryExW + C7 7C801BBC 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[596] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\svchost.exe[596] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\svchost.exe[596] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\svchost.exe[596] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\svchost.exe[596] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\svchost.exe[596] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\svchost.exe[596] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C5000A
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!LoadLibraryExW + C4 7C801BB9 2 Bytes CALL 00810001
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!LoadLibraryExW + C7 7C801BBC 1 Byte [84]
.text C:\WINDOWS\system32\rundll32.exe[636] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\rundll32.exe[636] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\rundll32.exe[636] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\rundll32.exe[636] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\rundll32.exe[636] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\rundll32.exe[636] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\rundll32.exe[636] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C3000A
.text C:\WINDOWS\system32\rundll32.exe[636] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C4000A
.text C:\WINDOWS\system32\rundll32.exe[636] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B60001
.text C:\WINDOWS\system32\spoolsv.exe[736] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\spoolsv.exe[736] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\spoolsv.exe[736] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\spoolsv.exe[736] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\spoolsv.exe[736] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\spoolsv.exe[736] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\spoolsv.exe[736] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C4000A
.text C:\WINDOWS\system32\spoolsv.exe[736] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A60001
.reloc C:\WINDOWS\explorer.exe[760] C:\WINDOWS\explorer.exe section is executable [0x010FB000, 0x8800, 0xE0000040]
.reloc C:\WINDOWS\explorer.exe[760] C:\WINDOWS\explorer.exe entry point in ".reloc" section [0x010FE8B2]
.text C:\WINDOWS\explorer.exe[760] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\explorer.exe[760] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\explorer.exe[760] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\explorer.exe[760] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\explorer.exe[760] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\explorer.exe[760] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\explorer.exe[760] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C7000A
.text C:\WINDOWS\RTHDCPL.EXE[812] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\RTHDCPL.EXE[812] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\RTHDCPL.EXE[812] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\RTHDCPL.EXE[812] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\RTHDCPL.EXE[812] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\RTHDCPL.EXE[812] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\RTHDCPL.EXE[812] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0270000A
.text C:\WINDOWS\RTHDCPL.EXE[812] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0271000A
.text C:\WINDOWS\RTHDCPL.EXE[812] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 05F20001
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[920] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[920] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[920] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[920] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[920] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[920] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[920] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0179000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[920] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 017A000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[920] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 021C0001
.text C:\Program Files\Java\jre6\bin\jqs.exe[940] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\Program Files\Java\jre6\bin\jqs.exe[940] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\Program Files\Java\jre6\bin\jqs.exe[940] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\Program Files\Java\jre6\bin\jqs.exe[940] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\Program Files\Java\jre6\bin\jqs.exe[940] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\Program Files\Java\jre6\bin\jqs.exe[940] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\Program Files\Java\jre6\bin\jqs.exe[940] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B4000A
.text C:\Program Files\Java\jre6\bin\jqs.exe[940] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01B10001
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[1000] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[1000] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[1000] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[1000] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[1000] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[1000] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[1000] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0167000A
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[1000] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0168000A
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[1000] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01F20001
.text C:\WINDOWS\system32\csrss.exe[1080] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01010001
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1084] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1084] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1084] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1084] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1084] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1084] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1084] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00D3000A
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1084] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00D4000A
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1084] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02160001
.text C:\WINDOWS\system32\winlogon.exe[1104] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 008E000A
.text C:\WINDOWS\system32\winlogon.exe[1104] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00800001
.text C:\WINDOWS\system32\services.exe[1156] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\services.exe[1156] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D20001
.text C:\WINDOWS\system32\lsass.exe[1172] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 010F0001
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 006B000A
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00800001
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00800001
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00700001
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1504] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1504] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1504] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1504] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1504] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1504] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1504] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0102000A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1504] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0103000A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1504] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 072E0001
.text C:\Documents and Settings\Sgt\Sgt.exe[1524] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\Documents and Settings\Sgt\Sgt.exe[1524] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\Documents and Settings\Sgt\Sgt.exe[1524] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\Documents and Settings\Sgt\Sgt.exe[1524] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\Documents and Settings\Sgt\Sgt.exe[1524] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\Documents and Settings\Sgt\Sgt.exe[1524] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\Documents and Settings\Sgt\Sgt.exe[1524] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 01B0000A
.text C:\Documents and Settings\Sgt\Sgt.exe[1524] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 01B1000A
.text C:\Documents and Settings\Sgt\Sgt.exe[1524] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01E40001
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[1560] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[1560] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[1560] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[1560] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[1560] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[1560] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[1560] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 016F000A
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[1560] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0170000A
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[1560] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01F60001
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 039C0001
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1664] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 010B000A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1664] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 010C000A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1664] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01FE0001
.text C:\WINDOWS\system32\svchost.exe[1916] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\svchost.exe[1916] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\svchost.exe[1916] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\svchost.exe[1916] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\svchost.exe[1916] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\svchost.exe[1916] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00800001
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0177000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 40A51777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 40A516F8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 40A5173C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 40A51684 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 40A516BE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 40A517B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] WININET.dll!HttpAddRequestHeadersA 7805FB35 5 Bytes JMP 0182000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] WININET.dll!HttpAddRequestHeadersW 780CD015 5 Bytes JMP 0190000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 019CF9F0 \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 019D0A60 \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 019D08A0 \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019D0780 \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 019CFDA0 \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1944] WS2_32.dll!recv 71AB676F 5 Bytes JMP 019CFFD0 \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll
? C:\WINDOWS\System32\svchost.exe[2184] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[2184] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\System32\svchost.exe[2184] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\System32\svchost.exe[2184] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\System32\svchost.exe[2184] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\System32\svchost.exe[2184] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\System32\svchost.exe[2184] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\nvsvc32.exe[2680] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\nvsvc32.exe[2680] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\nvsvc32.exe[2680] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\nvsvc32.exe[2680] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\nvsvc32.exe[2680] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\nvsvc32.exe[2680] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\nvsvc32.exe[2680] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00AE000A
.text C:\WINDOWS\system32\nvsvc32.exe[2680] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00AF000A
.text C:\WINDOWS\system32\nvsvc32.exe[2680] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E90001
.text C:\WINDOWS\System32\alg.exe[2724] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\System32\alg.exe[2724] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\System32\alg.exe[2724] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\System32\alg.exe[2724] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\System32\alg.exe[2724] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\System32\alg.exe[2724] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\System32\alg.exe[2724] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A2000A
.text C:\WINDOWS\System32\alg.exe[2724] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A3000A
.text C:\WINDOWS\System32\alg.exe[2724] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CD0001
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2892] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2892] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2892] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2892] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2892] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2892] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2892] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 016C000A
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2892] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 016D000A
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2892] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 036A0001
.text C:\WINDOWS\system32\svchost.exe[3320] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\svchost.exe[3320] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\svchost.exe[3320] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\svchost.exe[3320] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\svchost.exe[3320] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\svchost.exe[3320] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\svchost.exe[3320] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C5000A
.text C:\WINDOWS\system32\svchost.exe[3320] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DC0001
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[3400] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[3400] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[3400] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[3400] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[3400] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[3400] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[3400] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00AC000A
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[3400] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 022D0001
.text C:\Program Files\Logitech\SetPoint\SetPoint.exe[3600] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\Program Files\Logitech\SetPoint\SetPoint.exe[3600] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\Program Files\Logitech\SetPoint\SetPoint.exe[3600] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\Program Files\Logitech\SetPoint\SetPoint.exe[3600] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\Program Files\Logitech\SetPoint\SetPoint.exe[3600] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\Program Files\Logitech\SetPoint\SetPoint.exe[3600] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\Program Files\Logitech\SetPoint\SetPoint.exe[3600] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0183000A
.text C:\Program Files\Logitech\SetPoint\SetPoint.exe[3600] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0184000A
.text C:\Program Files\Logitech\SetPoint\SetPoint.exe[3600] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02C10001
? C:\WINDOWS\System32\svchost.exe[3632] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[3632] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\System32\svchost.exe[3632] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\System32\svchost.exe[3632] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\System32\svchost.exe[3632] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\System32\svchost.exe[3632] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\System32\svchost.exe[3632] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\PnkBstrA.exe[3772] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\PnkBstrA.exe[3772] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\PnkBstrA.exe[3772] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\PnkBstrA.exe[3772] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\PnkBstrA.exe[3772] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\PnkBstrA.exe[3772] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\PnkBstrA.exe[3772] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B3000A
.text C:\WINDOWS\system32\PnkBstrA.exe[3772] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01270001
.text C:\WINDOWS\system32\PnkBstrB.exe[3808] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\PnkBstrB.exe[3808] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\PnkBstrB.exe[3808] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\PnkBstrB.exe[3808] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\PnkBstrB.exe[3808] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\PnkBstrB.exe[3808] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\PnkBstrB.exe[3808] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B5000A
.text C:\WINDOWS\system32\PnkBstrB.exe[3808] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 012F0001
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[3996] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[3996] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[3996] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[3996] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[3996] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[3996] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[3996] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B4000A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[3996] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B5000A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[3996] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01340001
.text C:\vwss10gs.exe[4704] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\vwss10gs.exe[4704] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\vwss10gs.exe[4704] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\vwss10gs.exe[4704] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\vwss10gs.exe[4704] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\vwss10gs.exe[4704] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\vwss10gs.exe[4704] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0176000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spaq.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spaq.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spaq.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spaq.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spaq.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spaq.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] [77DDEAE7] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] [77DD6AAF] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] [77DD6FFF] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] [77DDD767] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [77DD6C27] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] [77DD7852] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] [77DDE9F4] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] [77DD7ABB] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] 00000000
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] [77F15FE0] C:\WINDOWS\system32\GDI32.dll (GDI Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] [77F1700A] C:\WINDOWS\system32\GDI32.dll (GDI Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] [77F16F79] C:\WINDOWS\system32\GDI32.dll (GDI Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] [77F15B70] C:\WINDOWS\system32\GDI32.dll (GDI Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 00000000
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] [7C838E18] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] [7C80D302] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] [7C80B8C9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] [7C809AF1] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] [7C809B84] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] [7C81116B] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7C812847] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] [7C80DE95] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] [7C801E1A] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] [7C80B56F] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] [7C812FD9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] [7C84495D] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] [7C863FCA] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] [7C9104DD] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] [7C809C65] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] [7C8097E0] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] [7C80E4DD] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] [7C80B741] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] [7C80BA71] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] [7C92ABC5] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [7C80BEA1] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] [7C8101B1] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] [7C80E9DF] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] [7C802446] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] [7C809BE7] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] [7C80EABB] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] [7C80934A] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] [7C80BB04] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] [7C809AA9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] [7C801812] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] [7C810B17] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] [7C90FE21] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] [7C810E27] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] [7C810FD2] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] [7C80BE56] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] [7C810800] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] [7C834D71] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] [7C802530] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] [7C814B92] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] [7C80A174] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] [7C809C98] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] [7C830D7C] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] [7C80E88C] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] [7C80176F] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] [7C813851] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] [7C831EDD] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] [7C80EE77] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] [7C834EE1] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] [7C813879] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] [7C812AA9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] [7C80AA6C] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] [7C80BB41] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] [7C9010E0] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] [7C901000] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] [7C80A0B7] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] [7C80982E] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] [7C809842] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] [7C8308B5] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] [7C809F91] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[420] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] [7C8106D7] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[480] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[480] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[480] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[480] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[480] @ C:\WINDOWS\system32\USERENV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[480] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[480] @ c:\windows\system32\iphlpapi.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[596] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[596] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[596] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[596] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[596] @ C:\WINDOWS\system32\USERENV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[596] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\rundll32.exe[636] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\rundll32.exe[636] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\rundll32.exe[636] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\rundll32.exe[636] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\rundll32.exe[636] @ C:\WINDOWS\system32\USERENV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\rundll32.exe[636] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\spoolsv.exe[736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\spoolsv.exe[736] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\spoolsv.exe[736] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\spoolsv.exe[736] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\spoolsv.exe[736] @ C:\WINDOWS\system32\USERENV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\spoolsv.exe[736] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\spoolsv.exe[736] @ C:\WINDOWS\system32\iphlpapi.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\spoolsv.exe[736] @ C:\WINDOWS\system32\netapi32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\RTHDCPL.EXE[812] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\RTHDCPL.EXE[812] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\RTHDCPL.EXE[812] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\RTHDCPL.EXE[812] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\RTHDCPL.EXE[812] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[920] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[920] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[920] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[920] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[920] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Java\jre6\bin\jqs.exe[940] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Java\jre6\bin\jqs.exe[940] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Java\jre6\bin\jqs.exe[940] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Java\jre6\bin\jqs.exe[940] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Java\jre6\bin\jqs.exe[940] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[1000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[1000] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[1000] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[1000] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[1000] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1084] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1084] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1084] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1084] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1084] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1084] @ C:\WINDOWS\system32\userenv.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1084] @ C:\WINDOWS\system32\netapi32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\winlogon.exe[1104] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\winlogon.exe[1104] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\winlogon.exe[1104] @ C:\WINDOWS\system32\NETAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\winlogon.exe[1104] @ C:\WINDOWS\system32\USERENV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\winlogon.exe[1104] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\winlogon.exe[1104] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\winlogon.exe[1104] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\winlogon.exe[1104] @ C:\WINDOWS\system32\iphlpapi.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\services.exe[1156] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\services.exe[1156] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\services.exe[1156] @ C:\WINDOWS\system32\USERENV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\services.exe[1156] @ C:\WINDOWS\system32\NETAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\services.exe[1156] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\services.exe[1156] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\lsass.exe[1172] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\lsass.exe[1172] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\lsass.exe[1172] @ C:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\lsass.exe[1172] @ C:\WINDOWS\system32\NETAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\lsass.exe[1172] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\lsass.exe[1172] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\lsass.exe[1172] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\lsass.exe[1172] @ C:\WINDOWS\system32\USERENV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\lsass.exe[1172] @ C:\WINDOWS\system32\iphlpapi.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1288] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1288] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1288] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1288] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1288] @ C:\WINDOWS\system32\USERENV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1288] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1288] @ C:\WINDOWS\system32\iphlpapi.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1348] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1348] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1348] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1348] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1348] @ C:\WINDOWS\system32\USERENV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1348] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1348] @ c:\windows\system32\rpcss.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1348] @ C:\WINDOWS\system32\NETAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1348] @ C:\WINDOWS\system32\iphlpapi.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1436] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1436] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1436] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1436] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1436] @ C:\WINDOWS\system32\USERENV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1436] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1436] @ c:\windows\system32\rpcss.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1436] @ C:\WINDOWS\system32\iphlpapi.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1504] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1504] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1504] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1504] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1504] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1504] @ C:\WINDOWS\system32\iphlpapi.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1504] @ C:\WINDOWS\system32\NETAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1504] @ C:\WINDOWS\system32\USERENV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Documents and Settings\Sgt\Sgt.exe[1524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Documents and Settings\Sgt\Sgt.exe[1524] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Documents and Settings\Sgt\Sgt.exe[1524] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Documents and Settings\Sgt\Sgt.exe[1524] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Documents and Settings\Sgt\Sgt.exe[1524] @ C:\WINDOWS\system32\shell32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Documents and Settings\Sgt\Sgt.exe[1524] @ C:\WINDOWS\system32\USERENV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[1560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[1560] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[1560] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[1560] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[1560] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\System32\svchost.exe[1608] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\System32\svchost.exe[1608] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\System32\svchost.exe[1608] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\System32\svchost.exe[1608] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\System32\svchost.exe[1608] @ C:\WINDOWS\system32\USERENV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\System32\svchost.exe[1608] @ C:\WINDOWS\System32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\System32\svchost.exe[1608] @ C:\WINDOWS\system32\NETAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\System32\svchost.exe[1608] @ c:\windows\system32\iphlpapi.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1664] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1664] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1664] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1664] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1664] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1664] @ C:\WINDOWS\system32\iphlpapi.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1664] @ C:\WINDOWS\system32\NETAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1664] @ C:\WINDOWS\system32\USERENV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1916] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1916] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1916] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1916] @ C:\WINDOWS\system32\USERENV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1916] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[1916] @ c:\windows\system32\iphlpapi.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] CB8401C7
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 3CE90043
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 560001D0
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 06C7F18B
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [0043CB84] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 01D02EE8
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 2444F600
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 07740108
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] D3ADE856
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 8B590001
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] EC8B5500
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] [5D10C483] C:\WINDOWS\system32\comctl32.dll (Common Controls Library/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 0875FF0C
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 01D8A9E8
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 08458B00
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 021EF5E8
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 89F18B00
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] FDE8F075
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 830001CE
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] FF00FC65
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] 4E8D0875
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] 9006C70C
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] E80043CB
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 00001D70
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] A7E8C68B
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] C200021F
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 8B560004
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 6A006AF1
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 0C4E8D01
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] CB9006C7
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] BAE80043
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 8B000022
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 90E95ECE
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 830001CF
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] 72102479
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] 10418B04
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 10418DC3
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] F18B56C3
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] FFFFCDE8
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 07740108
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] D2F9E856
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] 8B590001
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 9C01C700
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] E90043CB
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] FFFFFFAE
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] C7F18B56
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 43CB9C06
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] FFA0E800
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 44F6FFFF
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 74010824
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] CCE85607
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 590001D2
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] C25EC68B
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 046A0004
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 436A7DB8
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 1E4CE800
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] F18B0002
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 8BF07589
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 0001CEC7
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 00FC6583
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 570CC783
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] C70C4E8D
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 43CB9006
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 1CC2E800
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C68B0000
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 021EF9E8
IAT C:\WINDOWS\System32\svchost.exe[2184] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 0004C200
IAT C:\WINDOWS\system32\nvsvc32.exe[2680] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\nvsvc32.exe[2680] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\nvsvc32.exe[2680] @ C:\WINDOWS\system32\USERENV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\nvsvc32.exe[2680] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\nvsvc32.exe[2680] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\nvsvc32.exe[2680] @ C:\WINDOWS\system32\NETAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\nvsvc32.exe[2680] @ C:\WINDOWS\system32\iphlpapi.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\System32\alg.exe[2724] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\System32\alg.exe[2724] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\System32\alg.exe[2724] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\System32\alg.exe[2724] @ C:\WINDOWS\System32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\System32\alg.exe[2724] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\System32\alg.exe[2724] @ C:\WINDOWS\system32\USERENV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2892] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2892] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2892] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2892] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[2892] @ C:\WINDOWS\system32\NETAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[3320] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[3320] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[3320] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[3320] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[3320] @ C:\WINDOWS\system32\USERENV.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[3320] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[3320] @ C:\WINDOWS\system32\NETAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[3400] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[3400] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[3400] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[3400] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[3400] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[3400] @ C:\WINDOWS\system32\userenv.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[3400] @ C:\WINDOWS\system32\netapi32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[3400] @ C:\WINDOWS\system32\iphlpapi.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Logitech\SetPoint\SetPoint.exe[3600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Logitech\SetPoint\SetPoint.exe[3600] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Logitech\SetPoint\SetPoint.exe[3600] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Logitech\SetPoint\SetPoint.exe[3600] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Logitech\SetPoint\SetPoint.exe[3600] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Logitech\SetPoint\SetPoint.exe[3600] @ C:\WINDOWS\system32\NETAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] CB8401C7
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 3CE90043
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 560001D0
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 06C7F18B
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [0043CB84] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 01D02EE8
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 2444F600
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 07740108
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] D3ADE856
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 8B590001
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] EC8B5500
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] [5D10C483] C:\WINDOWS\system32\comctl32.dll (Common Controls Library/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 0875FF0C
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 01D8A9E8
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 08458B00
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 021EF5E8
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 89F18B00
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] FDE8F075
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 830001CE
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] FF00FC65
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] 4E8D0875
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] 9006C70C
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] E80043CB
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 00001D70
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] A7E8C68B
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] C200021F
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 8B560004
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 6A006AF1
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 0C4E8D01
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] CB9006C7
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] BAE80043
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 8B000022
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 90E95ECE
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 830001CF
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] 72102479
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] 10418B04
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 10418DC3
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] F18B56C3
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] FFFFCDE8
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 07740108
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] D2F9E856
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] 8B590001
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 9C01C700
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] E90043CB
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] FFFFFFAE
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] C7F18B56
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 43CB9C06
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] FFA0E800
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 44F6FFFF
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 74010824
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] CCE85607
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 590001D2
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] C25EC68B
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 046A0004
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 436A7DB8
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 1E4CE800
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] F18B0002
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 8BF07589
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 0001CEC7
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 00FC6583
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 570CC783
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] C70C4E8D
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 43CB9006
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 1CC2E800
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C68B0000
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 021EF9E8
IAT C:\WINDOWS\System32\svchost.exe[3632] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 0004C200
IAT C:\WINDOWS\system32\PnkBstrA.exe[3772] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\PnkBstrA.exe[3772] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\PnkBstrA.exe[3772] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\PnkBstrA.exe[3772] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\PnkBstrA.exe[3772] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\PnkBstrB.exe[3808] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\PnkBstrB.exe[3808] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\PnkBstrB.exe[3808] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\PnkBstrB.exe[3808] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\PnkBstrB.exe[3808] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\PnkBstrB.exe[3808] @ C:\WINDOWS\system32\Iphlpapi.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[3996] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[3996] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[3996] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[3996] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[3996] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtCreateFile] 5F170000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A1031F8

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)

Device \Driver\NetBT \Device\NetBT_Tcpip_{045C65B0-5D89-4FA6-BEF4-5BE2B621C737} 89188500
Device \Driver\NDIS \Device\Ndis [895FE984] NDIS.sys[.reloc]

AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 8950B1F8
Device \Driver\PCI_PNP2252 \Device\00000051 spaq.sys
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A1051F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A1051F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A1051F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A1051F8
Device \Driver\usbuhci \Device\USBPDO-1 8950B1F8
Device \Driver\usbehci \Device\USBPDO-2 8943A1F8
Device \Driver\usbuhci \Device\USBPDO-3 8950B1F8
Device \Driver\usbuhci \Device\USBPDO-4 8950B1F8

AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

Device \Driver\usbehci \Device\USBPDO-5 8943A1F8
Device \Driver\usbuhci \Device\USBPDO-6 8950B1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A0941F8
Device \Driver\BTHUSB \Device\000000a5 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\000000a5 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\NetBT \Device\NetBT_Tcpip_{440B4971-E933-4F07-9CD6-3800E303C7EE} 89188500
Device \Driver\BTHUSB \Device\000000a7 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\000000a7 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\sptd \Device\2777204752 spaq.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 89188500
Device \Driver\NetBT \Device\NetBT_Tcpip_{56C5AA26-CF75-4BA7-996C-EA7876AF348E} 89188500
Device \Driver\NetBT \Device\NetbiosSmb 89188500

AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

Device \Driver\NetBT \Device\NetBT_Tcpip_{958F4F78-93E3-441B-B1C6-85251AD6A2A7} 89188500

AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

Device \Driver\usbuhci \Device\USBFDO-0 8950B1F8
Device \Driver\usbuhci \Device\USBFDO-1 8950B1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 85FD41F8
Device \Driver\usbehci \Device\USBFDO-2 8943A1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 85FD41F8
Device \Driver\usbuhci \Device\USBFDO-3 8950B1F8
Device \Driver\usbuhci \Device\USBFDO-4 8950B1F8
Device \Driver\Ftdisk \Device\FtControl 8A0941F8
Device \Driver\usbuhci \Device\USBFDO-5 8950B1F8
Device \Driver\usbehci \Device\USBFDO-6 8943A1F8
Device \Driver\aksceiuy \Device\Scsi\aksceiuy1 89382500
Device \FileSystem\Cdfs \Cdfs 85F06500
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [420] 0x019A0000
Library \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [420] 0x01A50000
Library \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [480] 0x00A60000
Library \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [480] 0x00B10000
Library \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [596] 0x00A60000
Library \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [596] 0x00B10000
Library \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [760] 0x00D60000
Library \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1288] 0x00A90000
Library \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1288] 0x00B40000
Library \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1348] 0x034A0000
Library \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1436] 0x00A90000
Library \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1436] 0x00B40000
Library \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1608] 0x00A80000
Library \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1608] 0x00B30000
Library \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1916] 0x00A90000
Library \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1916] 0x00B40000
Library \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1944] 0x019C0000
Library \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [2184] 0x00BC0000
Library \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [2184] 0x00C70000
Library \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [3320] 0x00A60000
Library \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [3320] 0x00B10000
Library \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [3632] 0x00BA0000
Library \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [3632] 0x00C50000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETlqleofpl.sys (*** hidden *** ) [SYSTEM] SKYNETucteuuvl <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACsiuwbpkbsbxumnvpf.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060e875a5
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060e875a5@00249fe3170f 0x88 0x3D 0x18 0x92 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl@imagepath \systemroot\system32\drivers\SKYNETlqleofpl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\main@aid 10033
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\main@cmddelay 7200
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETlqleofpl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\modules@SKYNETcmd.dll \systemroot\system32\SKYNETvfrlciwb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\modules@SKYNETlog.dat \systemroot\system32\SKYNETjqkhiwxj.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\modules@SKYNETwsp.dll \systemroot\system32\SKYNETxathpgyb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETucteuuvl\modules@SKYNET.dat \systemroot\system32\SKYNETdoessrnh.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x58 0x9A 0xC8 0x42 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBC 0x06 0x9D 0x08 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB3 0x9B 0xD9 0x16 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCD 0xE7 0x41 0x44 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACsiuwbpkbsbxumnvpf.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACsiuwbpkbsbxumnvpf.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACyfqjwhmusovreetaa.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACpyielwubvdliavhpg.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACesqdqmasdpqtoejki.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACbpcehfxhyxfvxjkcf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACobhwrrwostlnfqxad.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACxvbpxelsexnhirmdb.db
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACahslyykyahoxtuams.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACwxiqsuedtexyrbstj.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACatfhyjqpailvkqpyu.log
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001060e875a5
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001060e875a5@00249fe3170f 0x88 0x3D 0x18 0x92 ...
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl@imagepath \systemroot\system32\drivers\SKYNETlqleofpl.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\main
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\main@aid 10033
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\main\delete
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\main\injector
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\main\tasks
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\modules
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETlqleofpl.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\modules@SKYNETcmd.dll \systemroot\system32\SKYNETvfrlciwb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\modules@SKYNETlog.dat \systemroot\system32\SKYNETjqkhiwxj.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\modules@SKYNETwsp.dll \systemroot\system32\SKYNETxathpgyb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETucteuuvl\modules@SKYNET.dat \systemroot\system32\SKYNETdoessrnh.dat
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x58 0x9A 0xC8 0x42 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBC 0x06 0x9D 0x08 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB3 0x9B 0xD9 0x16 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCD 0xE7 0x41 0x44 ...
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACsiuwbpkbsbxumnvpf.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACsiuwbpkbsbxumnvpf.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACyfqjwhmusovreetaa.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACpyielwubvdliavhpg.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACesqdqmasdpqtoejki.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACbpcehfxhyxfvxjkcf.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACobhwrrwostlnfqxad.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACxvbpxelsexnhirmdb.db
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACahslyykyahoxtuams.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACwxiqsuedtexyrbstj.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACatfhyjqpailvkqpyu.log
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine\uacthqsxwulkwvtdenkh.dll.8f64756049a5187f0355adf45677239.aawqff 66564 bytes
File C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine\uacxxyvbftpdmrxnsidu.dll.f376ca4a672e76102b96ef6c3247e0.aawqff 30212 bytes
File C:\Documents and Settings\Sgt\Local Settings\Temp\UAC9c17.tmp 343040 bytes executable
File C:\Program Files\Common Files\Pure Networks Shared\Platform\purendis\purendis.sys (size mismatch) 25272/182656 bytes executable
File C:\WINDOWS\system32\dllcache\ndis.sys (size mismatch) 212224/182656 bytes executable
File C:\WINDOWS\system32\SKYNETdoessrnh.dat 93 bytes
File C:\WINDOWS\system32\SKYNETjqkhiwxj.dat 93793 bytes
File C:\WINDOWS\system32\SKYNETvfrlciwb.dll 43008 bytes executable
File C:\WINDOWS\system32\SKYNETxathpgyb.dll 19456 bytes executable
File C:\WINDOWS\system32\drivers\ndis.sys (size mismatch) 212224/182656 bytes executable
File C:\WINDOWS\system32\drivers\purendis.sys (size mismatch) 25272/182656 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\SKYNETlqleofpl.sys 68096 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\UACsiuwbpkbsbxumnvpf.sys 51712 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\DRVSTORE\purendis_8B58769457D6A73C97495B8B0954E2612055C834\purendis.sys (size mismatch) 25272/182656 bytes executable
File C:\WINDOWS\system32\UACahslyykyahoxtuams.log 44093 bytes
File C:\WINDOWS\system32\UACbpcehfxhyxfvxjkcf.dll 17408 bytes executable
File C:\WINDOWS\system32\UACesqdqmasdpqtoejki.dll 19968 bytes executable
File C:\WINDOWS\system32\uacinit.dll 6270 bytes
File C:\WINDOWS\system32\UACobhwrrwostlnfqxad.dll 19456 bytes executable
File C:\WINDOWS\system32\UACpyielwubvdliavhpg.dat 224 bytes
File C:\WINDOWS\system32\UACthqsxwulkwvtdenkh.dll 66560 bytes
File C:\WINDOWS\system32\uactmp.db 3976714 bytes
File C:\WINDOWS\system32\UACxvbpxelsexnhirmdb.db 1110399 bytes
File C:\WINDOWS\system32\UACxxyvbftpdmrxnsidu.dll 30208 bytes executable
File C:\WINDOWS\system32\UACyfqjwhmusovreetaa.dll 23552 bytes executable
File C:\WINDOWS\Temp\SKYNETsmcujyxcdx.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETsrrcpjqvvc.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETtabvpesvjq.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETtivnlnsmjn.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETttyexmduxt.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETxfwqijfanw.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETxmexnnenkr.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETxouxdsivtv.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETxpbuxyyugq.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETxpfcxrhuex.tmp 20992 bytes executable
File C:\WINDOWS\Temp\UAC4921.tmp 66560 bytes
File C:\WINDOWS\Temp\UAC4bcd.tmp 66560 bytes
File C:\WINDOWS\Temp\SKYNETavtmgyibyt.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETcentssdlup.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETiqjismnwmq.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETkvpwlxrhem.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETnylbefvecq.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETqxnsmnbvsf.tmp 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETqxvbvpfdbd.tmp 20992 bytes executable
File C:\WINDOWS\$NtServicePackUninstall$\ndis.sys (size mismatch) 182912/182656 bytes executable

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\DRIVERS\purendis.sys (NDIS Relay Driver/Pure Networks, Inc.) [AUTO] purendis <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

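As an added example (not part of any post in this thread, and not GMER's own code), here is a small Python parser that pulls the indicators a responder cares about out of a GMER 1.0.15 text log like the one above: services GMER marks as hidden, hidden DLLs grouped by the process they were found in, files whose on-disk size disagrees with the size GMER expected, and every path GMER itself tagged with "<-- ROOTKIT !!!". The sample text is a constructed excerpt of the log lines above; the function names (`parse_gmer`, `injected_processes`, `triage`) are this example's own and are not GMER identifiers.

```python
"""Extract rootkit indicators from a GMER 1.0.15 text log.

Added example; the regexes follow the line layouts visible in the log above
and are not an official GMER format specification.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines excerpted from the GMER log above.
SAMPLE_LOG = r"""
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [420] 0x019A0000
Library \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [420] 0x01A50000
Library \\?\globalroot\systemroot\system32\UACxxyvbftpdmrxnsidu.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [760] 0x00D60000
Library \\?\globalroot\systemroot\system32\UACthqsxwulkwvtdenkh.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1944] 0x019C0000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETlqleofpl.sys (*** hidden *** ) [SYSTEM] SKYNETucteuuvl <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACsiuwbpkbsbxumnvpf.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
Service C:\WINDOWS\system32\DRIVERS\purendis.sys (NDIS Relay Driver/Pure Networks, Inc.) [AUTO] purendis <-- ROOTKIT !!!

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ndis.sys (size mismatch) 212224/182656 bytes executable
File C:\WINDOWS\system32\drivers\SKYNETlqleofpl.sys 68096 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\SKYNETdoessrnh.dat 93 bytes
File C:\Documents and Settings\Sgt\Local Settings\Temp\UAC9c17.tmp 343040 bytes executable
"""

ROOTKIT_TAG = "<-- ROOTKIT !!!"

# "Library <dll> (<info>) @ <process image> [<pid>] <load address>"
LIB_RE = re.compile(
    r"^Library\s+(?P<path>\S+)\s+\((?P<info>[^)]*)\)\s+@\s+(?P<proc>.+?)\s+"
    r"\[(?P<pid>\d+)\]\s+(?P<addr>0x[0-9A-Fa-f]+)\s*$")
# "Service <driver path> (<info>) [<start type>] <service name> [<-- ROOTKIT !!!]"
SVC_RE = re.compile(
    r"^Service\s+(?P<path>\S+)\s+\((?P<info>[^)]*)\)\s+\[(?P<start>\w+)\]\s+"
    r"(?P<name>\S+)(?P<flag>\s+<-- ROOTKIT !!!)?\s*$")
# "File <path> [(size mismatch) actual/expected | size] bytes [executable] [<-- ROOTKIT !!!]"
FILE_RE = re.compile(
    r"^File\s+(?P<path>.+?)\s+(?:\(size mismatch\)\s+(?P<actual>\d+)/(?P<expected>\d+)|(?P<size>\d+))"
    r"\s+bytes(?P<exe>\s+executable)?(?P<flag>\s+<-- ROOTKIT !!!)?\s*$")


def parse_gmer(text):
    """Return a dict of indicator lists extracted from a GMER log."""
    report = {
        "hidden_services": [],                 # {name, path, start}
        "hidden_libraries": defaultdict(list),  # dll path -> [(process, pid, addr)]
        "size_mismatches": [],                  # {path, actual, expected}
        "rootkit_flagged": [],                  # every path GMER tagged itself
    }
    for line in text.splitlines():
        line = line.rstrip()
        m = LIB_RE.match(line)
        if m:
            if "hidden" in m["info"]:
                report["hidden_libraries"][m["path"]].append((m["proc"], int(m["pid"]), m["addr"]))
            continue
        m = SVC_RE.match(line)
        if m:
            if "hidden" in m["info"]:
                report["hidden_services"].append({"name": m["name"], "path": m["path"], "start": m["start"]})
            if m["flag"]:
                report["rootkit_flagged"].append(m["path"])
            continue
        m = FILE_RE.match(line)
        if m:
            if m["actual"] is not None:
                report["size_mismatches"].append(
                    {"path": m["path"], "actual": int(m["actual"]), "expected": int(m["expected"])})
            if m["flag"]:
                report["rootkit_flagged"].append(m["path"])
    return report


def injected_processes(report):
    """Map pid -> (process image, sorted hidden DLL basenames) from the Library entries."""
    procs = {}
    for dll, loads in report["hidden_libraries"].items():
        base = dll.rsplit("\\", 1)[-1]
        for proc, pid, _addr in loads:
            procs.setdefault(pid, (proc, set()))[1].add(base)
    return {pid: (proc, sorted(dlls)) for pid, (proc, dlls) in procs.items()}


def triage(report):
    """One human-readable finding per indicator, grouped by indicator type."""
    findings = []
    for svc in report["hidden_services"]:
        findings.append(f"hidden service {svc['name']} -> {svc['path']} (start={svc['start']})")
    for pid, (proc, dlls) in sorted(injected_processes(report).items()):
        findings.append(f"hidden DLL(s) in {proc} [{pid}]: {', '.join(dlls)}")
    for f in report["size_mismatches"]:
        findings.append(f"size mismatch {f['path']}: on disk {f['actual']} vs expected {f['expected']} bytes")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_gmer(SAMPLE_LOG)):
        print(finding)
```

Run against a full log, the per-process grouping is what shows how deep the injection goes (in the log above, both UAC DLLs sit in nearly every svchost.exe instance plus explorer.exe and Iexplore.exe), and the size-mismatch list is what points at the patched ndis.sys copies that a file-name search alone would not flag.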
#5 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,698 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 23 June 2009 - 12:26 PM

Hi, kenwayy :thumbup2:

Please read and follow all these instructions very carefully.

Please download Malwarebytes' Anti-Malware from Here. Do not run the application yet. If already in the system, skip this download.


Please download ComboFix from Here or Here to your Desktop. Do not run the application yet.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Download the enclosed folder. Save and extract its contents to the desktop. Once extracted, open the folder and click on the RunMe.bat file. The MSDOS window will be displayed and the computer will restart. Upon a restart, follow these steps.

Double Click mbam-setup.exe to install the application. (If already installed, launch Malwarebytes' Anti-Malware, update and jump to step 3)
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====================================================================


Run Combofix as follows:
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new DDS log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

__________________________


Edited by JSntgRvr, 23 June 2009 - 12:27 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 kenwayy
  • Topic Starter

  • Members
  • 20 posts

Posted 24 June 2009 - 08:09 AM

Here's how it went.

Could not download Malwarebytes from your link because of the redirecting portion of the virus. However previously I had been able to install it so I went with that install.

The XUAC Fix worked in that I could now run Malwarebytes, however when I tried to update I got the following error code:

(screenshot of the error code; image not captured)

Being unable to update I continued on. Malwarebytes found several "bad" items and I removed them all. Here is the error report:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

6/23/2009 14:29:41
mbam-log-2009-06-23 (14-29-41).txt

Scan type: Quick Scan
Objects scanned: 102393
Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\reader_s.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACbpcehfxhyxfvxjkcf.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACesqdqmasdpqtoejki.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACobhwrrwostlnfqxad.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACthqsxwulkwvtdenkh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACxxyvbftpdmrxnsidu.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\UAC4bcd.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\VRT4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\VRTB3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\temporary internet files\Content.IE5\8HEVCXIR\abb[1].txt (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\sgt\local settings\temporary internet files\Content.IE5\KT804IZR\abb[1].txt (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACyfqjwhmusovreetaa.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACsiuwbpkbsbxumnvpf.sys (Trojan.Agent) -> Quarantined and deleted successfully.


----------------------------------------------

When I originally tried to run combofix I got an error stating that windows DEP has stopped "Run DLL as an APP" error. I have gotten numerous warnings like this most commonly on startup and generally for USERINIT or WMI errors. Double clicking on combofix again, while the DEP error window was still up, I was able to bypass the warning and combofix started to run. Combofix found the following rootkits:
C:\windows\system32\drivers\SKYNETlqleofpl.sys
C:\windows\system32\drivers\UACxqdltsewmaloaiwtb.sys
C:\windows\system32\UACowwrviqquuqfejnix.dll

After installing the Recovery Console combofix required a restart. Upon rebooting combofix said it was preparing the final report. However after leaving my computer for over 2 hours at that screen nothing happened. When I attempted to open Task Manager the DEP window appeared, when I tried again Combofix came up as a non-responsive window, I was unable to get it to recover or produce any final report. Attempting to start over completely has produced roughly the same results except when I try to run combofix I am informed it is possibly corrupt and will not run. The only combofix.txt file I could find is in the C:\Combfix\Combofix.txt. Here is what it contains:

ComboFix 09-06-22.0E - Sgt 06/23/2009 14:51:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1602 [GMT -5:00]
Running from: C:\Documents and Settings\Sgt\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

--------------------------------------------------------------------


I should note that the iexplorer.exe that keeps popping up is part of the virus, as I never use IE.

#7 JSntgRvr (Master Surgeon General, Malware Response Team, 11,698 posts, Puerto Rico)

Posted 24 June 2009 - 09:20 AM

Hi, kenwayy

When you ran the XUAC_Fix, was there a zipped file created on your desktop, Catchme.zip ?

Please remove the version of Combofix present in your computer, then follow these steps:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix.
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#8 kenwayy (Topic Starter, Members, 20 posts)

Posted 24 June 2009 - 09:40 AM

I am unable to run ComboFix. Because I am still having problems getting some web pages to load (either a redirect or a failure to find the page), the best instructions I could get for uninstalling ComboFix were to type in combofix /u; however, Windows XP didn't recognize this command. The best I could do was remove the C:\Combofix and temp directories it made. Every time I try to run ComboFix I get warned that the copy is bad and possibly infected, then it auto-deletes itself.


Edit:

Yes, a catchme.zip folder was created on my desktop with what appears to be several of the infected files.

Edited by kenwayy, 24 June 2009 - 09:41 AM.


#9 kenwayy (Topic Starter, Members, 20 posts)

Posted 24 June 2009 - 10:27 AM

Here is a HijackThis readout as well.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:35, on 6/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld10.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\NETWOR~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1234521609671
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PEVSystemStart - Unknown owner - cmd /k start /i "/dC:" "C:\ComboFix\HIDEC.exe" "C:\WINDOWS\system32\CF256.exe" /c RD /S/Q \$RECYCLE.bin \RECYCLER \RECYCLED (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 8942 bytes
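
An added example, not part of this thread and not code from HijackThis, ComboFix or GMER: a short Python triage that applies a few responder heuristics to O4/O23 lines of the kind in the log above, and checks file names against the UAC*/SKYNET* random-name pattern seen in the Malwarebytes and ComboFix output quoted in the earlier post. The sample lines are constructed from this thread's logs. The rules themselves (an executable sitting directly in C:\WINDOWS, rundll32 loading a DLL out of a profile directory, a Run entry under the SYSTEM account's hive, a service whose binary is missing, and the name pattern) are this example's assumptions; they produce leads to verify, not verdicts.

```python
"""Autorun and file-name triage for HijackThis-style log lines.

Added example for this thread; it is not HijackThis, ComboFix or GMER code.
Every rule below is a heuristic of this example: it produces leads for a
responder to verify, not verdicts.
"""
import ntpath
import re

# Constructed sample, modelled on O4/O23 lines from the HijackThis log above.
SAMPLE_HJT_LINES = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [sysldtray] C:\windows\ld10.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\NETWOR~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')",
    r"O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')",
    r'O23 - Service: PEVSystemStart - Unknown owner - cmd /k start /i "/dC:" "C:\ComboFix\HIDEC.exe" "C:\WINDOWS\system32\CF256.exe" /c RD /S/Q \$RECYCLE.bin \RECYCLER \RECYCLED (file missing)',
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

# Constructed sample of file paths: names that Malwarebytes and ComboFix
# reported earlier in the thread, plus one benign control entry.
SAMPLE_FILE_PATHS = [
    r"C:\WINDOWS\system32\drivers\UACsiuwbpkbsbxumnvpf.sys",
    r"C:\windows\system32\drivers\SKYNETlqleofpl.sys",
    r"C:\WINDOWS\system32\uacinit.dll",
    r"C:\WINDOWS\system32\nvsvc32.exe",
]

# "UAC" or "SKYNET" followed by a run of lowercase letters: the naming used by
# the rootkit components in this thread. Deliberately loose; a lead, not proof.
TDSS_NAME = re.compile(r"^(uac|skynet)[a-z]{4,}\.(sys|dll)$", re.IGNORECASE)
# First drive-letter path ending in a loadable-module extension; it stops at a
# quote or at the comma that precedes a rundll32 export name.
FIRST_PATH = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll|cpl|sys)\b', re.IGNORECASE)
PROFILE_DIR = re.compile(r"^[A-Za-z]:\\(documents and settings|docume~1)\\", re.IGNORECASE)
SYSTEM_HIVE = r"HKUS\S-1-5-18"  # Run keys under the SYSTEM account's hive


def extract_path(command):
    """Return the first module path in an autorun command, or None."""
    m = FIRST_PATH.search(command)
    return m.group(0) if m else None


def check_filename(path):
    """Flag file names that follow the UAC*/SKYNET* random-name pattern."""
    if TDSS_NAME.match(ntpath.basename(path)):
        return ["random-name rootkit component (UAC*/SKYNET*)"]
    return []


def check_hjt_line(line):
    """Return the heuristic reasons a HijackThis line deserves a closer look."""
    reasons = []
    # O4 lines read "O4 - <key>: [<name>] <command>"; O23 lines have no bracket.
    command = line.split("] ", 1)[1] if "] " in line else line
    path = extract_path(command)
    if path:
        reasons += check_filename(path)
        directory = ntpath.dirname(path).lower()
        # Few legitimate programs live directly in C:\WINDOWS (RTHDCPL.EXE is
        # one that does), so a bare-root executable is worth verifying.
        if directory.endswith(":\\windows") and path.lower().endswith(".exe"):
            reasons.append("executable directly in the Windows root")
        if "rundll32" in command.lower() and PROFILE_DIR.match(path):
            reasons.append("rundll32 loading a DLL from a user profile")
    if line.startswith("O4") and SYSTEM_HIVE in line:
        reasons.append("Run entry in the SYSTEM account hive")
    if line.startswith("O23") and "(file missing)" in line:
        reasons.append("service points at a missing binary")
    return reasons


def triage_hjt(lines):
    """Map each flagged line to its reasons, preserving log order."""
    hits = {}
    for line in lines:
        reasons = check_hjt_line(line)
        if reasons:
            hits[line] = reasons
    return hits


def triage_paths(paths):
    """Return the paths whose file name matches the rootkit naming pattern."""
    return [p for p in paths if check_filename(p)]


if __name__ == "__main__":
    for line, reasons in triage_hjt(SAMPLE_HJT_LINES).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
    for path in triage_paths(SAMPLE_FILE_PATHS):
        print(path, "-> random-name rootkit component")
```

To use it on a real log, read the saved hijackthis.log into a list of lines and pass it to triage_hjt. Treat every hit as something to check by hand: C:\WINDOWS\RTHDCPL.EXE in this same log is a legitimate Realtek audio binary that the "Windows root" rule would flag if the O4 entry carried its full path.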

#10 JSntgRvr (Master Surgeon General, Malware Response Team, 11,698 posts, Puerto Rico)

Posted 24 June 2009 - 12:48 PM

Please submit the zipped file to:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Please include a link to this topic in the message, and let me know when done.

I may have to tailor the fix once again. Please run GMER (First file I asked you to download and note its name) and post its report.



#11 JSntgRvr (Master Surgeon General, Malware Response Team, 11,698 posts, Puerto Rico)

Posted 24 June 2009 - 12:53 PM

PS:

    Every time I try to run combofix I get warned that the copy is bad and possibly infected then it auto-deletes itself.


I am concerned about this message. It usually appears when a Virut infection is present.



#12 kenwayy (Topic Starter, Members, 20 posts)

Posted 24 June 2009 - 01:01 PM

I had been able to successfully run ComboFix twice, not sure why.

I have submitted the catchme.zip file as well as sent important information to you in a PM. Thank you for the help you've given me so far by the way.

#13 JSntgRvr (Master Surgeon General, Malware Response Team, 11,698 posts, Puerto Rico)

Posted 24 June 2009 - 01:33 PM

    I had been able to successfully run combofix twice, not sure why.

    I have submitted the catchme.zip file as well as sent important information to you in a PM. Thank you for the help you've given me so far by the way.

Good. Please post Combofix's report.



#14 kenwayy (Topic Starter, Members, 20 posts)

Posted 24 June 2009 - 02:43 PM

Sorry, I should have clarified. I was able to run ComboFix, but not to completion. The first time it ran all the way through until, I presume, the final window, which hung/crashed, and after 2 hours I had to hard reboot. The closest thing I could find to a report was the C:\Combofix\Combofix.txt file which I have posted above; however, it didn't contain much information. I can only assume the program crashed as it was compiling the report.

Edit: The 2nd time I ran the program it detected a rootkit and asked to reboot. On reboot Windows XP stalled at a black screen after the loading logo and all I had was a mouse cursor. Upon hard reboot ComboFix gave me the error described before.


Here is the GMER report I just ran:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-24 14:37:21
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

INT 0x63 ? 89473BF8
INT 0x63 ? 89473BF8
INT 0x63 ? 89473BF8
INT 0x73 ? 8A06CBF8
INT 0x73 ? 8A06CBF8
INT 0x73 ? 8A06CBF8
INT 0x83 ? 89473BF8
INT 0x83 ? 89473BF8
INT 0x83 ? 89473BF8
INT 0xB4 ? 8A0DCBF8
INT 0xB4 ? 89473BF8
INT 0xB4 ? 89473BF8

---- Kernel code sections - GMER 1.0.15 ----

? spjz.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B97C48AC 5 Bytes JMP 894731D8
.text ajmuwclo.SYS B947B386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ajmuwclo.SYS B947B3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ajmuwclo.SYS B947B3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text ajmuwclo.SYS B947B3C9 1 Byte [2E]
.text ajmuwclo.SYS B947B3C9 11 Bytes [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL}
.text ...
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\PnkBstrB.exe[172] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\PnkBstrB.exe[172] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\PnkBstrB.exe[172] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\PnkBstrB.exe[172] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\PnkBstrB.exe[172] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\PnkBstrB.exe[172] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\PnkBstrB.exe[172] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D60001
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[440] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[440] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[440] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[440] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[440] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[440] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[440] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 06C60001
.text C:\Program Files\Java\jre6\bin\jqs.exe[512] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\Program Files\Java\jre6\bin\jqs.exe[512] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\Program Files\Java\jre6\bin\jqs.exe[512] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\Program Files\Java\jre6\bin\jqs.exe[512] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\Program Files\Java\jre6\bin\jqs.exe[512] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\Program Files\Java\jre6\bin\jqs.exe[512] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\Program Files\Java\jre6\bin\jqs.exe[512] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 014D0001
.text C:\WINDOWS\system32\rundll32.exe[576] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\rundll32.exe[576] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\rundll32.exe[576] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\rundll32.exe[576] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\rundll32.exe[576] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\rundll32.exe[576] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\rundll32.exe[576] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E80001
.text C:\WINDOWS\system32\nvsvc32.exe[600] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\nvsvc32.exe[600] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\nvsvc32.exe[600] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\nvsvc32.exe[600] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\nvsvc32.exe[600] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\nvsvc32.exe[600] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\nvsvc32.exe[600] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F90001
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[632] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[632] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[632] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[632] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[632] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[632] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[632] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02860001
.text C:\WINDOWS\system32\svchost.exe[660] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\svchost.exe[660] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\svchost.exe[660] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\svchost.exe[660] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\svchost.exe[660] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\svchost.exe[660] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FA0001
.text C:\WINDOWS\RTHDCPL.EXE[776] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\RTHDCPL.EXE[776] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\RTHDCPL.EXE[776] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\RTHDCPL.EXE[776] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\RTHDCPL.EXE[776] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\RTHDCPL.EXE[776] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\RTHDCPL.EXE[776] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 05140001
.text C:\WINDOWS\system32\spoolsv.exe[912] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\spoolsv.exe[912] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\spoolsv.exe[912] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\spoolsv.exe[912] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\spoolsv.exe[912] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\spoolsv.exe[912] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\spoolsv.exe[912] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EF0001
.text C:\WINDOWS\system32\PnkBstrA.exe[1072] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\PnkBstrA.exe[1072] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\PnkBstrA.exe[1072] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\PnkBstrA.exe[1072] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\PnkBstrA.exe[1072] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\PnkBstrA.exe[1072] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\PnkBstrA.exe[1072] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C40001
.text C:\WINDOWS\system32\csrss.exe[1076] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02E50001
.text C:\WINDOWS\system32\winlogon.exe[1112] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\winlogon.exe[1112] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\winlogon.exe[1112] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\winlogon.exe[1112] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\winlogon.exe[1112] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\winlogon.exe[1112] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\winlogon.exe[1112] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FD0001
.text C:\WINDOWS\system32\services.exe[1156] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\services.exe[1156] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\services.exe[1156] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\services.exe[1156] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\services.exe[1156] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\services.exe[1156] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\services.exe[1156] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D20001
.text C:\WINDOWS\system32\lsass.exe[1168] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FF94775
.text C:\WINDOWS\system32\lsass.exe[1168] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FF94804
.text C:\WINDOWS\system32\lsass.exe[1168] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FF94811
.text C:\WINDOWS\system32\lsass.exe[1168] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FF94A95
.text C:\WINDOWS\system32\lsass.exe[1168] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FF947FA
.text C:\WINDOWS\system32\lsass.exe[1168] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FF94852
.text C:\WINDOWS\system32\lsass.exe[1168] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C50001
.text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009C0001
.text C:\WINDOWS\system32\svchost.exe[1332] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\svchost.exe[1332] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\svchost.exe[1332] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\svchost.exe[1332] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\svchost.exe[1332] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\svchost.exe[1332] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FB0001
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1364] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1364] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1364] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1364] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1364] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1364] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1364] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006B0001
.text C:\WINDOWS\system32\svchost.exe[1392] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\svchost.exe[1392] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\svchost.exe[1392] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\svchost.exe[1392] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95
.text C:\WINDOWS\system32\svchost.exe[1392] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47FA
.text C:\WINDOWS\system32\svchost.exe[1392] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA4852
.text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C40001
.text C:\WINDOWS\system32\svchost.exe[1456] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4775
.text C:\WINDOWS\system32\svchost.exe[1456] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4804
.text C:\WINDOWS\system32\svchost.exe[1456] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4811
.text C:\WINDOWS\system32\svchost.exe[1456] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A95

---- Kernel IAT/EAT - GMER 1.0.15 ----


---- User IAT/EAT - GMER 1.0.15 ----


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A0DB1F8

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)

Device \Driver\NetBT \Device\NetBT_Tcpip_{045C65B0-5D89-4FA6-BEF4-5BE2B621C737} 85F541F8

AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 894711F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A0DD1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A0DD1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A0DD1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A0DD1F8
Device \Driver\usbuhci \Device\USBPDO-1 894711F8
Device \Driver\usbehci \Device\USBPDO-2 894511F8
Device \Driver\usbuhci \Device\USBPDO-3 894711F8
Device \Driver\usbuhci \Device\USBPDO-4 894711F8
Device \Driver\PCI_PNP3868 \Device\00000055 spjz.sys

AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

Device \Driver\usbehci \Device\USBPDO-5 894511F8
Device \Driver\usbuhci \Device\USBPDO-6 894711F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A06D1F8
Device \Driver\Cdrom \Device\CdRom0 894201F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{440B4971-E933-4F07-9CD6-3800E303C7EE} 85F541F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 85F541F8
Device \Driver\BTHUSB \Device\000000a9 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\000000a9 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\NetBT \Device\NetBT_Tcpip_{56C5AA26-CF75-4BA7-996C-EA7876AF348E} 85F541F8
Device \Driver\NetBT \Device\NetbiosSmb 85F541F8
Device \Driver\sptd \Device\3073720118 spjz.sys

AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

Device \Driver\NetBT \Device\NetBT_Tcpip_{958F4F78-93E3-441B-B1C6-85251AD6A2A7} 85F541F8

AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

Device \Driver\usbuhci \Device\USBFDO-0 894711F8
Device \Driver\BTHUSB \Device\000000ab bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\000000ab bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBFDO-1 894711F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8913C1F8
Device \Driver\usbehci \Device\USBFDO-2 894511F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8913C1F8
Device \Driver\usbuhci \Device\USBFDO-3 894711F8
Device \Driver\usbuhci \Device\USBFDO-4 894711F8
Device \Driver\Ftdisk \Device\FtControl 8A06D1F8
Device \Driver\usbuhci \Device\USBFDO-5 894711F8
Device \Driver\usbehci \Device\USBFDO-6 894511F8
Device \Driver\ajmuwclo \Device\Scsi\ajmuwclo1 893741F8
Device \FileSystem\Cdfs \Cdfs 8911A1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060e875a5
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060e875a5@00249fe3170f 0x88 0x3D 0x18 0x92 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x58 0x9A 0xC8 0x42 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBC 0x06 0x9D 0x08 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB3 0x9B 0xD9 0x16 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCD 0xE7 0x41 0x44 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001060e875a5
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001060e875a5@00249fe3170f 0x88 0x3D 0x18 0x92 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x58 0x9A 0xC8 0x42 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBC 0x06 0x9D 0x08 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB3 0x9B 0xD9 0x16 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCD 0xE7 0x41 0x44 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

Edited by kenwayy, 24 June 2009 - 02:45 PM.
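A small triage helper for a GMER log like the one above, added here as an example (it is not GMER's code and not part of the thread): it groups the IAT lines by hooked export and target address, so the same address appearing in many unrelated processes shows up as one system-wide hook, and it lists Device entries served by a .sys file whose base name differs from the driver object's name. The sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the GMER 1.0.15 log posted above (values
# copied from that log). This is an added triage helper, not GMER's own code.
SAMPLE_LOG = r"""
IAT C:\WINDOWS\system32\svchost.exe[2012] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\system32\svchost.exe[2012] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\Explorer.EXE[3880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] 5F170000
IAT C:\WINDOWS\System32\alg.exe[3048] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtCreateFile] 5F170000
Device \Driver\PCI_PNP3868 \Device\00000055 spjz.sys
Device \Driver\sptd \Device\3073720118 spjz.sys
Device \Driver\ajmuwclo \Device\Scsi\ajmuwclo1 893741F8
Device \Driver\BTHUSB \Device\000000a9 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
"""

IAT_RE = re.compile(r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) "
                    r"\[(?P<export>[^\]]+)\] (?P<addr>[0-9A-Fa-f]+)$")
DEV_RE = re.compile(r"^Device (?P<driver>\S+) (?P<device>\S+) (?P<module>\S+)"
                    r"(?: \((?P<desc>[^)]*)\))?$")

def iat_hooks(log):
    """Group IAT lines by (hooked export, target address); collect the distinct
    processes and the import tables (DLLs) patched to that address."""
    groups = defaultdict(lambda: {"processes": set(), "modules": set()})
    for line in log.splitlines():
        m = IAT_RE.match(line)
        if m:
            g = groups[(m["export"], m["addr"].upper())]
            g["processes"].add(f'{m["proc"]}[{m["pid"]}]')
            g["modules"].add(m["module"].rsplit("\\", 1)[-1].lower())
    return dict(groups)

def device_mismatches(log):
    """Return Device lines whose driver object is served by a .sys file with a
    different base name and no vendor description (e.g. the sptd driver object
    served by spjz.sys). Leads to cross-check with the Registry section, not verdicts."""
    leads = []
    for line in log.splitlines():
        m = DEV_RE.match(line)
        if not m or m["desc"] or not m["module"].lower().endswith(".sys"):
            continue  # bare hex address, or a module GMER already described: skip
        drv = m["driver"].rsplit("\\", 1)[-1].lower()
        if drv != m["module"].lower()[:-4]:
            leads.append((m["driver"], m["device"], m["module"]))
    return leads

if __name__ == "__main__":
    for k, g in iat_hooks(SAMPLE_LOG).items(): print(k, len(g["processes"]), sorted(g["modules"]))
    print(device_mismatches(SAMPLE_LOG))
```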


#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,698 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:34 PM

Posted 24 June 2009 - 03:04 PM

Hi, kenwayy

How long have you been experiencing these problems?

Please download MBR.EXE by GMER. Save the file in your Root directory, C:\, then bring your computer to a Command prompt.

Go to Start -> Run, type CMD and click OK. At the prompt type the following and press Enter after each command:

cd C:\
MBR.EXE -t


The program will check the Master Boot Record and will produce a report. Post the contents of that report in your next reply.

Type Exit at the Command prompt and press Enter to return to Windows.

Download OTS.exe by OldTimer to your Desktop.
  • Close any open browsers.
  • Double-click on OTS.exe to start the program.
  • Leave all settings as they appear as default, except for the following:
    • Under Drivers, select "All".
    • Under Additional Scans, click on the "Extra" button.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file.
Use the Reply button and attach the notepad file here (do not copy and paste it into a reply; attach it instead).

No requests for help via private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!




