Trojan - Hook Load DLL Error - Hijack Log File help [RESOLVED]

Still looking for help on this topic. Thanks.

I did find another topic with this same problem but I doubt I can follow the remedy because each log file will be different.

Posting more than once in a thread can cause your topic to be overlooked as Helpers usually look for threads without any replies first.

Edited by Octagonal, 19 July 2008 - 02:57 AM.

Hi there,

Sorry for the delay...

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Note:These logs may be too large to post in one reply, if so, please post extra.txt in a separate reply.

&


Download the latest version of Java Runtime Environment (JRE) 6 Update 7. Once done, uninstall any older versions of Java through add or remove programs.

Go to Kaspersky website and perform an online antivirus scan.

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Topic opened at starters request, please go ahead with the kaspersky scan, also post a new hijack this log as it has been a while.

Hijack This log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:23:19 PM, on 8/20/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Laser Center\Laser Sensor Mouse\Panel.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\SOUNDMAN.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2008\Planner\PLNRnote.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
C:\Windows\System32\mobsync.exe
C:\Users\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.batescomputers.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hplampc] C:\Windows\system32\hplampc.exe
O4 - HKLM\..\Run: [Laser mouse] "C:\Program Files\Laser Center\Laser Sensor Mouse\Panel.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5030 bytes
________________________________________________________________________________
____________________________

Kaspersky Online Scan File

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, August 20, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 21, 2008 02:05:01
Records in database: 1116230
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 115907
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:21:36


File name / Threat name / Threats count
C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Owner\AppData\Local\Temp\IDC1.tmp\[1]popcaploader_v10[1].cab Infected: not-a-virus:Downloader.Win32.PopCap.b 1

The selected area was scanned.

Hi there

There is nothing bad from what I see now, could you describe what problems you are having?

• Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
• Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
• Click the "Download" button to the right.
• Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
• Click on Continue.
• Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.

Then,

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please download OTScanIt.exe to your Desktop.
Double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

• Close all other programs.
• Open the OTScanIt folder and double-click on OTScanIt.exe to start the program
• (if you are running on Vista then right-click the program and choose Run as Administrator).
• In the Drivers section click on Non-Microsoft.
• In the File created within section select 60 Days
• Under Additional Scans click the checkboxes in front of the following items to select them:
  
  • Reg - BotCheck
    File - Additional Folder Scans
    
• Do not change any other settings.
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and attach the file in your next post, do not try to copy/paste it into the post.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

At the start up a Hook Load DLL error window pops up. A small box.

I have heard that could be a trojan. I do see that there is an infected file - not-a-virus:Downloader.Win32.PopCap

First its just irritating to see this error at boot up each time, and it worries me to think there maybe something malicious on my machine.

not-a-virus:Downloader.Win32.PopCap

Is what it says It's in your temporary files anyways which running ATF Cleaner will get rid of, post the scan results when you have them.

Edit: does this error point to a specific file?

Mike

Edited by Mike, 21 August 2008 - 07:06 AM.

ATF cleaner was one of the first things I did by following this site before I even posted. Doesnt remove the error.

The actual Error does not point to any specific location. Just a small box in the center of the screen that says Load DLL: Hook Load DLL Error with an OK button. I hit OK and it goes away. Not to return until reboot.

At the moment I am looking at the file that is infected that the kaspersky scan found [1]popcaploader_v10[1].cab

And I am sorry I dont see a ATF scan file that I can save as. I just used ATF again to be sure but I dont see an option to save. Within the ATF Cleaner utility there is a "Main" tab at the top - figured I could find a save as in there but the button is dead.


EDIT:

Ok I see you want me to run another scan. Be right back...

EDIT: Ok I ran the OTScan as administrator but the utility hangs during scanning TCPIP and becomes unresponsive "not responding" and I have to force quit the program.

I have tried it twice.

ALso, I have downloaded DSS.exe and a blank dos prompt appears with no instructions. Then windows vista comes up with a window that says NTVDM.EXE has stopped working - Windows will close the program.

Edited by lswallie, 21 August 2008 - 07:53 AM.

Ok after a third try I was able to complete the OTscan

I have it attached split into 2 files because it said the file was larger than the max upload size of 500k.

First part is here

Here is the second half of the OTSCAN

Hi there,

I think you misunderstood me. The 'trojan' kaspersky found is not a virus...

C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Owner\AppData\Local\Temp\IDC1.tmp\[1]popcaploader_v10[1].cab Infected: not-a-virus:Downloader.Win32.PopCap.b 1

When I said ATFCleaner will get rid of it, I wasn't referring to the DLL Hook error you were getting, but the above file since it is located in your temporary internet files folder.

As for your log, I do not see anything malicious, as in no viruses - but it does seem to me that you are having some tech problems.

Let's get rid of some odd bits in your log:

Start OTScanIt. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Registry - Non-Microsoft Only]
< Drives - Autoruns > -> 
NY -> autorun.exe [MZ� | ] -> D:\autorun.exe [ CDFS ]
NY -> autorun.inf [[autorun] | OPEN=AUTORUN.EXE | ICON=AUTORUN.EXE,0 | ] -> D:\autorun.inf [ CDFS ]
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 40 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> docsight.net .[https] -> Trusted sites
YN -> www_scuonline.com [https] -> Trusted sites
YN -> 41 domain(s) and sub-domain(s) not assigned to a zone. -> 
[Files/Folders - Modified Within 30 days]
NY -> 465 C:\Users\Owner\AppData\Local\Temp\*.tmp files -> C:\Users\Owner\AppData\Local\Temp\*.tmp
NY -> 465 C:\Users\Owner\AppData\Local\Temp\*.tmp files -> C:\Users\Owner\AppData\Local\Temp\*.tmp
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

We can do one more scan to rule out malware.


Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

OTS Fix txt file

Explorer killed successfully
[Registry - Non-Microsoft Only]
File move failed. D:\autorun.exe scheduled to be moved on reboot.
File move failed. D:\autorun.inf scheduled to be moved on reboot.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\docsight.net\\https deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\scuonline.com\www\\https deleted successfully.
[Files/Folders - Modified Within 30 days]
C:\Users\Owner\AppData\Local\Temp\nsb314B.tmp folder deleted successfully.
C:\Users\Owner\AppData\Local\Temp\nscD580.tmp folder deleted successfully.
C:\Users\Owner\AppData\Local\Temp\nsjF12D.tmp folder deleted successfully.
C:\Users\Owner\AppData\Local\Temp\nsl41B3.tmp folder deleted successfully.
C:\Users\Owner\AppData\Local\Temp\nso4E06.tmp folder deleted successfully.
C:\Users\Owner\AppData\Local\Temp\nsx976B.tmp folder deleted successfully.
C:\Users\Owner\AppData\Local\Temp\nsx9F41.tmp folder deleted successfully.
C:\Users\Owner\AppData\Local\Temp\sv5nd.tmp folder deleted successfully.
C:\Users\Owner\AppData\Local\Temp\~nsu.tmp folder deleted successfully.
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Users\Owner\AppData\Local\Mozilla\Firefox\Profiles\hgh0ijk3.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Owner\AppData\Local\Mozilla\Firefox\Profiles\hgh0ijk3.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Owner\AppData\Local\Mozilla\Firefox\Profiles\hgh0ijk3.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Owner\AppData\Local\Mozilla\Firefox\Profiles\hgh0ijk3.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Owner\AppData\Local\Mozilla\Firefox\Profiles\hgh0ijk3.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.2 fix logfile created on 08212008_154137

Files moved on Reboot...
File move failed. D:\autorun.exe scheduled to be moved on reboot.
File move failed. D:\autorun.inf scheduled to be moved on reboot.
C:\Users\Owner\AppData\Local\Mozilla\Firefox\Profiles\hgh0ijk3.default\Cache\_CACHE_001_ moved successfully.
C:\Users\Owner\AppData\Local\Mozilla\Firefox\Profiles\hgh0ijk3.default\Cache\_CACHE_002_ moved successfully.
C:\Users\Owner\AppData\Local\Mozilla\Firefox\Profiles\hgh0ijk3.default\Cache\_CACHE_003_ moved successfully.
C:\Users\Owner\AppData\Local\Mozilla\Firefox\Profiles\hgh0ijk3.default\Cache\_CACHE_MAP_ moved successfully.
C:\Users\Owner\AppData\Local\Mozilla\Firefox\Profiles\hgh0ijk3.default\XUL.mfl moved successfully.
_______________________________________________________________________________


GMER Scan Results

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-21 16:53:54
Windows 6.0.6001 Service Pack 1


---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Windows\Explorer.EXE[1600] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74727BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5a
c9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1600] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [747698C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5a
c9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1600] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7472D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5a
c9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1600] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7471F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5a
c9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1600] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74727599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5a
c9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1600] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7471E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5a
c9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1600] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7475B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5a
c9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1600] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7472D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5a
c9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1600] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7472012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5a
c9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1600] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74720095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5a
c9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1600] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [747171F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5a
c9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1600] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [747AD810] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5a
c9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1600] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [747475E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5a
c9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1600] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7471DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5a
c9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1600] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7471668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5a
c9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1600] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [747166BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5a
c9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1600] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74721E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5a
c9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----