GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-13 17:31:55
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST3808110AS rev.2AAA 74,53GB
Running: e9n8h4i4.exe; Driver: C:\DOCUME~1\KONTRAST\USTAWI~1\Temp\kfaorpod.sys

---- System - GMER 2.1 ----

INT 0x06  \??\C:\WINDOWS\system32\drivers\Haspnt.sys  A00B616D
INT 0x0E  \??\C:\WINDOWS\system32\drivers\Haspnt.sys  A00B5FC2

---- Kernel code sections - GMER 2.1 ----

.text  C:\WINDOWS\system32\drivers\hardlock.sys  section is writeable [0x9FB3E400, 0x7960C, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0x9FBE0420]  C:\WINDOWS\system32\drivers\hardlock.sys  entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0x9FBE0420]
.protect˙˙˙˙hardlockunknown last code section [0x9FBE0200, 0x5049, 0xE0000020]  C:\WINDOWS\system32\drivers\hardlock.sys  unknown last code section [0x9FBE0200, 0x5049, 0xE0000020]

---- User code sections - GMER 2.1 ----

.text  C:\WINDOWS\system32\winlogon.exe[288]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\WINDOWS\system32\winlogon.exe[288]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\WINDOWS\system32\winlogon.exe[288]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\WINDOWS\system32\winlogon.exe[288]  WS2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\WINDOWS\system32\winlogon.exe[288]  WS2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\WINDOWS\system32\winlogon.exe[288]  WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\WINDOWS\system32\winlogon.exe[288]  WS2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\WINDOWS\system32\winlogon.exe[288]  WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\WINDOWS\system32\services.exe[340]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\WINDOWS\system32\services.exe[340]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\WINDOWS\system32\services.exe[340]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\WINDOWS\system32\services.exe[340]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\WINDOWS\system32\services.exe[340]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\WINDOWS\system32\services.exe[340]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\WINDOWS\system32\services.exe[340]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\WINDOWS\system32\services.exe[340]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\WINDOWS\system32\lsass.exe[352]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\WINDOWS\system32\lsass.exe[352]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\WINDOWS\system32\lsass.exe[352]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\WINDOWS\system32\lsass.exe[352]  WS2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\WINDOWS\system32\lsass.exe[352]  WS2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\WINDOWS\system32\lsass.exe[352]  WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\WINDOWS\system32\lsass.exe[352]  WS2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\WINDOWS\system32\lsass.exe[352]  WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\WINDOWS\system32\svchost.exe[528]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\WINDOWS\system32\svchost.exe[528]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\WINDOWS\system32\svchost.exe[528]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\WINDOWS\system32\svchost.exe[528]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\WINDOWS\system32\svchost.exe[528]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\WINDOWS\system32\svchost.exe[528]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\WINDOWS\system32\svchost.exe[528]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\WINDOWS\system32\svchost.exe[528]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\WINDOWS\System32\svchost.exe[616]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\WINDOWS\System32\svchost.exe[616]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\WINDOWS\System32\svchost.exe[616]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\WINDOWS\System32\svchost.exe[616]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\WINDOWS\System32\svchost.exe[616]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\WINDOWS\System32\svchost.exe[616]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\WINDOWS\System32\svchost.exe[616]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\WINDOWS\System32\svchost.exe[616]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\WINDOWS\system32\spoolsv.exe[704]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\WINDOWS\system32\spoolsv.exe[704]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\WINDOWS\system32\spoolsv.exe[704]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\WINDOWS\system32\spoolsv.exe[704]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\WINDOWS\system32\spoolsv.exe[704]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\WINDOWS\system32\spoolsv.exe[704]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\WINDOWS\system32\spoolsv.exe[704]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\WINDOWS\system32\spoolsv.exe[704]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[896]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[896]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[896]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[896]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[896]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[896]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[896]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[896]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\Documents and Settings\KONTRAST\reader_s.exe[968]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\Documents and Settings\KONTRAST\reader_s.exe[968]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\Documents and Settings\KONTRAST\reader_s.exe[968]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\Documents and Settings\KONTRAST\reader_s.exe[968]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\Documents and Settings\KONTRAST\reader_s.exe[968]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\Documents and Settings\KONTRAST\reader_s.exe[968]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\Documents and Settings\KONTRAST\reader_s.exe[968]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\Documents and Settings\KONTRAST\reader_s.exe[968]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[972]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[972]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[972]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[972]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[972]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[972]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[972]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[972]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\WINDOWS\system32\svchost.exe[1092]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\WINDOWS\system32\svchost.exe[1092]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\WINDOWS\system32\svchost.exe[1092]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\WINDOWS\system32\svchost.exe[1092]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\WINDOWS\system32\svchost.exe[1092]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\WINDOWS\system32\svchost.exe[1092]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\WINDOWS\system32\svchost.exe[1092]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\WINDOWS\system32\svchost.exe[1092]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\WINDOWS\Explorer.EXE[1104]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\WINDOWS\Explorer.EXE[1104]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\WINDOWS\Explorer.EXE[1104]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\WINDOWS\Explorer.EXE[1104]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\WINDOWS\Explorer.EXE[1104]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\WINDOWS\Explorer.EXE[1104]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\WINDOWS\Explorer.EXE[1104]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\WINDOWS\Explorer.EXE[1104]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\WINDOWS\system32\svchost.exe[1156]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\WINDOWS\system32\svchost.exe[1156]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\WINDOWS\system32\svchost.exe[1156]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\WINDOWS\system32\svchost.exe[1156]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\WINDOWS\system32\svchost.exe[1156]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\WINDOWS\system32\svchost.exe[1156]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\WINDOWS\system32\svchost.exe[1156]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\WINDOWS\system32\svchost.exe[1156]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\Program Files\Application Updater\ApplicationUpdater.exe[1200]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\Program Files\Application Updater\ApplicationUpdater.exe[1200]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\Program Files\Application Updater\ApplicationUpdater.exe[1200]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\Program Files\Application Updater\ApplicationUpdater.exe[1200]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\Program Files\Application Updater\ApplicationUpdater.exe[1200]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\Program Files\Application Updater\ApplicationUpdater.exe[1200]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\Program Files\Application Updater\ApplicationUpdater.exe[1200]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\Program Files\Application Updater\ApplicationUpdater.exe[1200]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\Program Files\pdfforge Toolbar\SearchSettings.exe[1244]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\Program Files\pdfforge Toolbar\SearchSettings.exe[1244]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\Program Files\pdfforge Toolbar\SearchSettings.exe[1244]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\Program Files\pdfforge Toolbar\SearchSettings.exe[1244]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\Program Files\pdfforge Toolbar\SearchSettings.exe[1244]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\Program Files\pdfforge Toolbar\SearchSettings.exe[1244]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\Program Files\pdfforge Toolbar\SearchSettings.exe[1244]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\Program Files\pdfforge Toolbar\SearchSettings.exe[1244]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\Program Files\Eset\nod32krn.exe[1352]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\Program Files\Eset\nod32krn.exe[1352]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\Program Files\Eset\nod32krn.exe[1352]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\Program Files\Eset\nod32krn.exe[1352]  WS2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\Program Files\Eset\nod32krn.exe[1352]  WS2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\Program Files\Eset\nod32krn.exe[1352]  WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\Program Files\Eset\nod32krn.exe[1352]  WS2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\Program Files\Eset\nod32krn.exe[1352]  WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\WINDOWS\system32\svchost.exe[1412]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\WINDOWS\system32\svchost.exe[1412]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\WINDOWS\system32\svchost.exe[1412]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\WINDOWS\system32\svchost.exe[1412]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\WINDOWS\system32\svchost.exe[1412]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\WINDOWS\system32\svchost.exe[1412]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\WINDOWS\system32\svchost.exe[1412]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\WINDOWS\system32\svchost.exe[1412]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\WINDOWS\system32\hkcmd.exe[1428]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10023DF0
.text  C:\WINDOWS\system32\hkcmd.exe[1428]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10023C38
.text  C:\WINDOWS\system32\hkcmd.exe[1428]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10023E74
.text  C:\WINDOWS\system32\hkcmd.exe[1428]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10023AEC
.text  C:\WINDOWS\system32\hkcmd.exe[1428]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10023260
.text  C:\WINDOWS\system32\hkcmd.exe[1428]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100227F4
.text  C:\WINDOWS\system32\hkcmd.exe[1428]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10022788
.text  C:\WINDOWS\system32\hkcmd.exe[1428]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10023A98
.text  C:\WINDOWS\system32\igfxpers.exe[1444]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\WINDOWS\system32\igfxpers.exe[1444]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\WINDOWS\system32\igfxpers.exe[1444]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\WINDOWS\system32\igfxpers.exe[1444]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\WINDOWS\system32\igfxpers.exe[1444]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\WINDOWS\system32\igfxpers.exe[1444]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\WINDOWS\system32\igfxpers.exe[1444]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\WINDOWS\system32\igfxpers.exe[1444]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\WINDOWS\system32\ctfmon.exe[1816]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\WINDOWS\system32\ctfmon.exe[1816]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\WINDOWS\system32\ctfmon.exe[1816]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\WINDOWS\system32\ctfmon.exe[1816]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\WINDOWS\system32\ctfmon.exe[1816]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\WINDOWS\system32\ctfmon.exe[1816]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\WINDOWS\system32\ctfmon.exe[1816]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\WINDOWS\system32\ctfmon.exe[1816]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[1860]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[1860]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[1860]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[1860]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[1860]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[1860]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[1860]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[1860]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[1920]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[1920]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[1920]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[1920]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[1920]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[1920]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[1920]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[1920]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe[1936]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe[1936]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe[1936]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe[1936]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe[1936]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe[1936]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe[1936]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe[1936]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\WINDOWS\RTHDCPL.EXE[1964]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\WINDOWS\RTHDCPL.EXE[1964]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\WINDOWS\RTHDCPL.EXE[1964]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\WINDOWS\RTHDCPL.EXE[1964]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\WINDOWS\RTHDCPL.EXE[1964]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\WINDOWS\RTHDCPL.EXE[1964]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\WINDOWS\RTHDCPL.EXE[1964]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\WINDOWS\RTHDCPL.EXE[1964]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe[2060]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe[2060]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe[2060]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe[2060]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe[2060]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe[2060]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe[2060]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe[2060]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\WINDOWS\system32\svchost.exe[2296]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\WINDOWS\system32\svchost.exe[2296]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\WINDOWS\system32\svchost.exe[2296]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\WINDOWS\system32\svchost.exe[2296]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\WINDOWS\system32\svchost.exe[2296]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\WINDOWS\system32\svchost.exe[2296]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\WINDOWS\system32\svchost.exe[2296]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\WINDOWS\system32\svchost.exe[2296]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\WINDOWS\system32\wuauclt.exe[2700]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\WINDOWS\system32\wuauclt.exe[2700]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\WINDOWS\system32\wuauclt.exe[2700]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\WINDOWS\system32\wuauclt.exe[2700]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\WINDOWS\system32\wuauclt.exe[2700]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\WINDOWS\system32\wuauclt.exe[2700]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\WINDOWS\system32\wuauclt.exe[2700]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\WINDOWS\system32\wuauclt.exe[2700]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
?  C:\WINDOWS\System32\svchost.exe[2868]  image checksum mismatch; time/date stamp mismatch;
.text  C:\WINDOWS\System32\svchost.exe[2868]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\WINDOWS\System32\svchost.exe[2868]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\WINDOWS\System32\svchost.exe[2868]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\WINDOWS\System32\svchost.exe[2868]  WS2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\WINDOWS\System32\svchost.exe[2868]  WS2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\WINDOWS\System32\svchost.exe[2868]  WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\WINDOWS\System32\svchost.exe[2868]  WS2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\WINDOWS\System32\svchost.exe[2868]  WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
?  C:\WINDOWS\System32\svchost.exe[2904]  image checksum mismatch; time/date stamp mismatch;
.text  C:\WINDOWS\System32\svchost.exe[2904]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\WINDOWS\System32\svchost.exe[2904]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\WINDOWS\System32\svchost.exe[2904]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\WINDOWS\System32\svchost.exe[2904]  WS2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\WINDOWS\System32\svchost.exe[2904]  WS2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\WINDOWS\System32\svchost.exe[2904]  WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\WINDOWS\System32\svchost.exe[2904]  WS2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\WINDOWS\System32\svchost.exe[2904]  WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\WINDOWS\system32\wscntfy.exe[3068]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\WINDOWS\system32\wscntfy.exe[3068]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\WINDOWS\system32\wscntfy.exe[3068]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\WINDOWS\system32\wscntfy.exe[3068]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\WINDOWS\system32\wscntfy.exe[3068]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\WINDOWS\system32\wscntfy.exe[3068]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\WINDOWS\system32\wscntfy.exe[3068]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\WINDOWS\system32\wscntfy.exe[3068]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  c:\progra~1\common~1\instal~1\update~1\isuspm.exe[3088]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  c:\progra~1\common~1\instal~1\update~1\isuspm.exe[3088]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  c:\progra~1\common~1\instal~1\update~1\isuspm.exe[3088]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  c:\progra~1\common~1\instal~1\update~1\isuspm.exe[3088]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  c:\progra~1\common~1\instal~1\update~1\isuspm.exe[3088]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  c:\progra~1\common~1\instal~1\update~1\isuspm.exe[3088]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  c:\progra~1\common~1\instal~1\update~1\isuspm.exe[3088]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  c:\progra~1\common~1\instal~1\update~1\isuspm.exe[3088]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98
.text  C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe[3188]  ntdll.dll!NtOpenKey  7C90D5CE 5 Bytes  JMP 10003DF0
.text  C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe[3188]  kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003C38
.text  C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe[3188]  kernel32.dll!ExitProcess  7C81CB12 5 Bytes  JMP 10003E74
.text  C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe[3188]  ws2_32.dll!connect  71A54A07 5 Bytes  JMP 10003AEC
.text  C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe[3188]  ws2_32.dll!send  71A54C27 5 Bytes  JMP 10003260
.text  C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe[3188]  ws2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 100027F4
.text  C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe[3188]  ws2_32.dll!recv  71A5676F 5 Bytes  JMP 10002788
.text  C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe[3188]  ws2_32.dll!WSASend  71A568FA 5 Bytes  JMP 10003A98

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ADVAPI32.dll!RegQueryValueExW]  [77DC7ABB] C:\WINDOWS\system32\ADVAPI32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ADVAPI32.dll!SetSecurityDescriptorDacl]  [77DC7852] C:\WINDOWS\system32\ADVAPI32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ADVAPI32.dll!SetEntriesInAclW]  [77DCEAE7] C:\WINDOWS\system32\ADVAPI32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ADVAPI32.dll!SetSecurityDescriptorGroup]  [77DEBCF3] C:\WINDOWS\system32\ADVAPI32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ADVAPI32.dll!SetSecurityDescriptorOwner]  [77DCEFC8] C:\WINDOWS\system32\ADVAPI32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ADVAPI32.dll!InitializeSecurityDescriptor]  [77DC6C27] C:\WINDOWS\system32\ADVAPI32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ADVAPI32.dll!GetTokenInformation]  00000000
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ADVAPI32.dll!OpenProcessToken]  [7C9100C4] C:\WINDOWS\system32\ntdll.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ADVAPI32.dll!OpenThreadToken]  [7C80AC61] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ADVAPI32.dll!SetServiceStatus]  [7C90FF2D] C:\WINDOWS\system32\ntdll.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ADVAPI32.dll!RegisterServiceCtrlHandlerW]  [7C80236B] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ADVAPI32.dll!RegCloseKey]  [7C834D71] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ADVAPI32.dll!RegOpenKeyExW]  [7C809BE7] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ADVAPI32.dll!StartServiceCtrlDispatcherW]  [7C810E27] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!WideCharToMultiByte]  [7C832927] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!lstrlenW]  [7C863C09] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!LocalFree]  [7C802213] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!GetCurrentProcess]  [7C809B12] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!GetCurrentThread]  [7C8021D0] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!GetProcAddress]  [7C83973D] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!LoadLibraryExW]  [7C80BEA1] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!LCMapStringW]  [7C814B92] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!FreeLibrary]  [7C812B7E] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!lstrcpyW]  [7C90FE21] C:\WINDOWS\system32\ntdll.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!ExpandEnvironmentStringsW]  [7C80E9DF] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!lstrcmpiW]  [7C802530] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!ExitProcess]  [7C802446] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!GetCommandLineW]  [7C8106D7] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!InitializeCriticalSection]  [7C801E1A] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!GetProcessHeap]  [7C80DE95] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!SetErrorMode]  [7C863FCA] C:\WINDOWS\system32\kernel32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!RegisterWaitForSingleObject]  00000000
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!InterlockedCompareExchange]  [71A55355] C:\WINDOWS\System32\WS2_32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!LoadLibraryA]  [71A52EAD] C:\WINDOWS\System32\WS2_32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!QueryPerformanceCounter]  [71A52E53] C:\WINDOWS\System32\WS2_32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!GetTickCount]  [71A5676F] C:\WINDOWS\System32\WS2_32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!GetCurrentThreadId]  [71A53E2B] C:\WINDOWS\System32\WS2_32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!GetCurrentProcessId]  [71A54A07] C:\WINDOWS\System32\WS2_32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!GetSystemTimeAsFileTime]  [71A54211] C:\WINDOWS\System32\WS2_32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!TerminateProcess]  [71A54C27] C:\WINDOWS\System32\WS2_32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!UnhandledExceptionFilter]  [71A53FED] C:\WINDOWS\System32\WS2_32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!LocalAlloc]  [71A56A55] C:\WINDOWS\System32\WS2_32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!lstrcmpW]  00000000
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [KERNEL32.dll!DelayLoadFailureHook]  [7C902645] C:\WINDOWS\system32\ntdll.dll
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!NtQuerySecurityObject]  00000000
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!RtlFreeHeap]  00000000
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!NtOpenKey]  00000000
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!wcscat]  00000000
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!wcscpy]  00000000
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!RtlAllocateHeap]  4B28A8FF
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!RtlCompareUnicodeString]  00000000
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!RtlInitUnicodeString]  00000002
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!RtlInitializeSid]  00000056
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!RtlLengthRequiredSid]  00001284
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!RtlSubAuthoritySid]  00000684
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!NtClose]  00000020
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!RtlSubAuthorityCountSid]  00004E42
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!RtlGetDaclSecurityDescriptor]  005C3A43
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!RtlQueryInformationAcl]  74737953
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!RtlGetAce]  69426D65
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!RtlImageNtHeader]  6164736F
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!wcslen]  00006574
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!RtlUnhandledExceptionFilter]  44524148
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [ntdll.dll!RtlCopySid]  45524157
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [RPCRT4.dll!RpcServerUnregisterIfEx]  50495243
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [RPCRT4.dll!RpcMgmtWaitServerListen]  4E4F4954
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [RPCRT4.dll!RpcMgmtSetServerStackSize]  7379535C
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [RPCRT4.dll!RpcServerUnregisterIf]  006D6574
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [RPCRT4.dll!RpcServerListen]  65646956
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [RPCRT4.dll!RpcServerUseProtseqEpW]  6F69426F
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [RPCRT4.dll!RpcServerRegisterIf]  74614473
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [RPCRT4.dll!I_RpcMapWin32Status]  00000065
IAT  C:\WINDOWS\System32\svchost.exe[2868] @ C:\WINDOWS\System32\svchost.exe  [RPCRT4.dll!RpcMgmtStopServerListening]  6E656449
IAT  C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe  [ADVAPI32.dll!RegQueryValueExW]  [77DC7ABB] C:\WINDOWS\system32\ADVAPI32.dll
IAT  C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe  [ADVAPI32.dll!SetSecurityDescriptorDacl]  [77DC7852] C:\WINDOWS\system32\ADVAPI32.dll
IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] [77DCEAE7] C:\WINDOWS\system32\ADVAPI32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] [77DEBCF3] C:\WINDOWS\system32\ADVAPI32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [77DCEFC8] C:\WINDOWS\system32\ADVAPI32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] [77DC6C27] C:\WINDOWS\system32\ADVAPI32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 00000000 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] [7C9100C4] C:\WINDOWS\system32\ntdll.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] [7C80AC61] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] [7C90FF2D] C:\WINDOWS\system32\ntdll.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] [7C80236B] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] [7C834D71] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] [7C809BE7] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] [7C810E27] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] [7C832927] C:\WINDOWS\system32\kernel32.dll IAT 
C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] [7C863C09] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] [7C802213] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] [7C809B12] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] [7C8021D0] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] [7C83973D] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7C80BEA1] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] [7C814B92] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] [7C812B7E] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] [7C90FE21] C:\WINDOWS\system32\ntdll.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] [7C80E9DF] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] [7C802530] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] [7C802446] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] [7C8106D7] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ 
C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] [7C801E1A] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] [7C80DE95] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] [7C863FCA] C:\WINDOWS\system32\kernel32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 00000000 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] [71A55355] C:\WINDOWS\System32\WS2_32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [71A52EAD] C:\WINDOWS\System32\WS2_32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] [71A52E53] C:\WINDOWS\System32\WS2_32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] [71A5676F] C:\WINDOWS\System32\WS2_32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] [71A53E2B] C:\WINDOWS\System32\WS2_32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] [71A54A07] C:\WINDOWS\System32\WS2_32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] [71A54211] C:\WINDOWS\System32\WS2_32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] [71A54C27] C:\WINDOWS\System32\WS2_32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] [71A53FED] C:\WINDOWS\System32\WS2_32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe 
[KERNEL32.dll!LocalAlloc] [71A56A55] C:\WINDOWS\System32\WS2_32.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 00000000 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] [7C902645] C:\WINDOWS\system32\ntdll.dll IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 00000000 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 00000000 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] 00000000 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 00000000 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 00000000 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] 4B28A8FF IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] 00000000 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] 00000002 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 00000056 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 00001284 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 00000684 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 00000020 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 00004E42 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 005C3A43 IAT C:\WINDOWS\System32\svchost.exe[2904] @ 
C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 74737953 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 69426D65 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 6164736F IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 00006574 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 44524148 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 45524157 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 50495243 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 4E4F4954 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 7379535C IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] 006D6574 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 65646956 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 6F69426F IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 74614473 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 00000065 IAT C:\WINDOWS\System32\svchost.exe[2904] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 6E656449 ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys AttachedDevice \FileSystem\Fastfat \Fat amon.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon@Taskman 
C:\RECYCLER\S-1-5-21-1075669394-9092640014-191519155-4240\nissan.exe(2010-10-12 09:38:50) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@12CFG214-K641-12SF-N85P C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe(2010-03-01 21:02:36) Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Shell C:\RECYCLER\S-1-5-21-1075669394-9092640014-191519155-4240\nissan.exe(2010-10-12 09:38:50) ---- EOF - GMER 2.1 ----