GMER 1.0.15.15077 [gamer.exe] - http://www.gmer.net
Rootkit scan 2009-09-10 18:24:31
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

INT 0x62 ? 8A5D1BF8
INT 0x63 ? 8A345BF8
INT 0x73 ? 8A562BF8
INT 0x82 ? 8A5D1BF8
INT 0x83 ? 8A562BF8
INT 0xB4 ? 8A345BF8

Code 8A34C490 ZwEnumerateKey
Code 8A34CF48 ZwFlushInstructionCache
Code 8A347A0E ZwSaveKey
Code 8A346DFE ZwSaveKeyEx
Code 8A3465F6 IofCallDriver
Code 8A189A26 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 8A3465FB
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 8A189A2B
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEF0 5 Bytes JMP 8A34CF4C
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061ABA0 5 Bytes JMP 8A34C494
PAGE ntkrnlpa.exe!ZwSaveKey 8061BE14 5 Bytes JMP 8A347A12
PAGE ntkrnlpa.exe!ZwSaveKeyEx 8061BEFA 5 Bytes JMP 8A346E02
? splg.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B74D78AC 5 Bytes JMP 8A3451D8
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\Explorer.EXE[340] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\Explorer.EXE[340] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\Explorer.EXE[340] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\explorer.exe[376] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\explorer.exe[376] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\explorer.exe[376] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[668] kernel32.dll!SetUnhandledExceptionFilter 7C844935 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[668] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[668] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[668] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\system32\svchost.exe[1220] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\system32\svchost.exe[1220] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\system32\svchost.exe[1220] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE 
\\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\system32\svchost.exe[1296] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\system32\svchost.exe[1296] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\System32\svchost.exe[1456] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\System32\svchost.exe[1456] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\System32\svchost.exe[1456] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\system32\svchost.exe[1596] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\system32\svchost.exe[1596] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\system32\svchost.exe[1596] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\system32\spoolsv.exe[1884] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\system32\spoolsv.exe[1884] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\WINDOWS\system32\spoolsv.exe[1884] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3184] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 
35672DC2 \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3184] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\31006BB4.x86.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3184] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\31006BB4.x86.dll ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EA8042] splg.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EA813E] splg.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EA80C0] splg.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EA8800] splg.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EA86D6] splg.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EB7E9C] splg.sys ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINDOWS\Explorer.EXE[340] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\31006BB4.x86.dll IAT C:\WINDOWS\Explorer.EXE[340] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\31006BB4.x86.dll IAT C:\WINDOWS\explorer.exe[376] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\31006BB4.x86.dll IAT C:\WINDOWS\explorer.exe[376] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\31006BB4.x86.dll IAT C:\Program Files\ESET\ESET Smart Security\ekrn.exe[668] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\31006BB4.x86.dll IAT C:\Program Files\ESET\ESET Smart Security\ekrn.exe[668] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\31006BB4.x86.dll IAT C:\WINDOWS\system32\svchost.exe[1220] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] 
\\?\globalroot\Device\__max++>\31006BB4.x86.dll IAT C:\WINDOWS\system32\svchost.exe[1220] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\31006BB4.x86.dll IAT C:\WINDOWS\system32\svchost.exe[1296] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\31006BB4.x86.dll IAT C:\WINDOWS\system32\svchost.exe[1296] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\31006BB4.x86.dll IAT C:\WINDOWS\System32\svchost.exe[1456] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\31006BB4.x86.dll IAT C:\WINDOWS\System32\svchost.exe[1456] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\31006BB4.x86.dll IAT C:\WINDOWS\system32\svchost.exe[1596] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\31006BB4.x86.dll IAT C:\WINDOWS\system32\svchost.exe[1596] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\31006BB4.x86.dll IAT C:\WINDOWS\system32\spoolsv.exe[1884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\31006BB4.x86.dll IAT C:\WINDOWS\system32\spoolsv.exe[1884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\31006BB4.x86.dll IAT C:\Program Files\Mozilla Firefox\firefox.exe[3184] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\31006BB4.x86.dll IAT C:\Program Files\Mozilla Firefox\firefox.exe[3184] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\31006BB4.x86.dll ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8A5611F8 AttachedDevice \Driver\Tcpip 
\Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET) Device \Driver\usbohci \Device\USBPDO-0 8A3051F8 Device \Driver\PCI_PNP2406 \Device\00000051 splg.sys Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A5631F8 Device \Driver\dmio \Device\DmControl\DmConfig 8A5631F8 Device \Driver\dmio \Device\DmControl\DmPnP 8A5631F8 Device \Driver\dmio \Device\DmControl\DmInfo 8A5631F8 Device \Driver\usbehci \Device\USBPDO-1 8A2E81F8 Device \Driver\sptd \Device\488517406 splg.sys AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET) Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5D21F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 8A5D21F8 Device \Driver\Ftdisk \Device\HarddiskVolume3 8A5D21F8 Device \Driver\Ftdisk \Device\HarddiskVolume4 8A5D21F8 Device \Driver\Ftdisk \Device\HarddiskVolume5 8A5D21F8 Device \Driver\nvata \Device\00000075 8A5621F8 Device \Driver\Ftdisk \Device\HarddiskVolume6 8A5D21F8 Device \Driver\nvata \Device\00000077 8A5621F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 88F9A500 Device \Driver\nvata \Device\00000078 8A5621F8 Device \Driver\NetBT \Device\NetbiosSmb 88F9A500 Device \Driver\NetBT \Device\NetBT_Tcpip_{0F61AF0A-72D1-4BE9-85A8-BCA27D059F22} 88F9A500 AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET) AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET) Device \Driver\usbohci \Device\USBFDO-0 8A3051F8 Device \Driver\usbehci \Device\USBFDO-1 8A2E81F8 Device \Driver\nvata \Device\NvAta0 8A5621F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88F8C500 Device \Driver\nvata \Device\NvAta1 8A5621F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 88F8C500 Device \Driver\Ftdisk \Device\FtControl 8A5D21F8 Device \Driver\afs8gqad \Device\Scsi\afs8gqad1Port5Path0Target1Lun0 8A151500 Device \Driver\afs8gqad \Device\Scsi\afs8gqad1 8A151500 Device \Driver\afs8gqad \Device\Scsi\afs8gqad1Port5Path0Target0Lun0 
8A151500
Device \FileSystem\Cdfs \Cdfs 88F8A500

---- Threads - GMER 1.0.15 ----

Thread System [4:552] 88660790

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\vsfoceymawktev.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [340] 0x10000000
Library \\?\globalroot\Device\__max++>\31006BB4.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [340] 0x35670000
Library \\?\globalroot\systemroot\system32\vsfoceymawktev.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [376] 0x10000000
Library \\?\globalroot\Device\__max++>\31006BB4.x86.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [376] 0x35670000
Library \\?\globalroot\Device\__max++>\31006BB4.x86.dll (*** hidden *** ) @ C:\Program Files\ESET\ESET Smart Security\ekrn.exe [668] 0x35670000
Library \\?\globalroot\Device\__max++>\31006BB4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1220] 0x35670000
Library \\?\globalroot\Device\__max++>\31006BB4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1296] 0x35670000
Library \\?\globalroot\Device\__max++>\31006BB4.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1456] 0x35670000
Library \\?\globalroot\Device\__max++>\31006BB4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1596] 0x35670000
Library \\?\globalroot\Device\__max++>\31006BB4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1884] 0x35670000
Library \\?\globalroot\systemroot\system32\vsfoceymawktev.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [3184] 0x01010000
Library \\?\globalroot\Device\__max++>\31006BB4.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [3184] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\vsfocesauufyqr.sys (*** hidden *** ) [SYSTEM] vsfocentuamrah <-- ROOTKIT !!!

[Reviewer note] The actionable finding in this log is the hidden service above (vsfocentuamrah, driver vsfocesauufyqr.sys) together with the hidden module \\?\globalroot\Device\__max++>\31006BB4.x86.dll, which the Processes and User IAT/EAT sections show loaded into Explorer, several svchost instances, spoolsv, firefox and ESET's ekrn.exe, hooking NtWriteFile, LdrGetProcedureAddress, CallNextHookEx and two GDI32 exports; the Registry section ties the service's main\injector value to vsfocewsp8.dll -> vsfoceymawktev.dll, which is the second hidden library in Explorer and firefox. Because these hooks sit inside the processes doing the scanning and reporting (including the AV engine), results read from the running system should be treated as potentially tampered and confirmed from an offline boot. The splg.sys IAT hooks in atapi.sys / i8042prt.sys and the "? splg.sys ... !" entries are attributed by the Devices section to \Driver\sptd, whose sptd\Cfg key points at C:\Program Files\DAEMON Tools Lite\; nothing in this log links them to the hidden service, so assess them separately rather than assuming they are part of it. Nothing in the log links the "(size mismatch)" entries under BartPE, Nero and similar trees to the hidden service either; they remain unverified and should be checked against known-good copies rather than assumed clean or assumed malicious.
---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD5 0xE8 0x73 0x46 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6F 0x51 0x84 0x03 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9E 0x4F 0x73 0x6B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x17 0xDA 0x11 0x64 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah@start 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah@type 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah@group file system Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah@imagepath \systemroot\system32\drivers\vsfocesauufyqr.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah\main Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah\main@aid 10099 Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah\main@sid 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah\main@cmddelay 14400 Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah\main\delete Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah\main\injector Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah\main\injector@* vsfocewsp8.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah\main\tasks Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah\modules Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocesauufyqr.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah\modules@vsfocecmd.dll \systemroot\system32\vsfocehsvngejl.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah\modules@vsfocelog.dat \systemroot\system32\vsfocerwkuvjld.dat Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah\modules@vsfocewsp.dll \systemroot\system32\vsfocenybhiwsj.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah\modules@vsfoce.dat \systemroot\system32\vsfocepixnmwru.dat Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocentuamrah\modules@vsfocewsp8.dll \systemroot\system32\vsfoceymawktev.dll Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg 
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1B 0x44 0x14 0xD8 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6F 0x51 0x84 0x03 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD0 0x27 0xFD 0x5E ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x17 0xDA 0x11 0x64 ... 
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah@start 1 Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah@type 1 Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah@group file system Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah@imagepath \systemroot\system32\drivers\vsfocesauufyqr.sys Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah\main (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah\main@aid 10099 Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah\main@sid 3 Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah\main@cmddelay 14400 Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah\main\delete (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah\main\injector (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah\main\injector@* vsfocewsp8.dll Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah\main\tasks (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah\modules (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocesauufyqr.sys Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah\modules@vsfocecmd.dll \systemroot\system32\vsfocehsvngejl.dll Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah\modules@vsfocelog.dat \systemroot\system32\vsfocerwkuvjld.dat Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah\modules@vsfocewsp.dll \systemroot\system32\vsfocenybhiwsj.dll Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah\modules@vsfoce.dat \systemroot\system32\vsfocepixnmwru.dat Reg HKLM\SYSTEM\ControlSet002\Services\vsfocentuamrah\modules@vsfocewsp8.dll \systemroot\system32\vsfoceymawktev.dll ---- Files - GMER 1.0.15 ---- File C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\A Handful Of Audiosurf Addons 0 bytes File C:\Documents and 
Settings\Administrator\Start Menu\Programs\Accessories\Accessories 0 bytes File C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\ASIO4ALL v2 0 bytes File C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Drum Machine 0 bytes File C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\FoFiX 0 bytes File C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Haali Media Splitter 0 bytes File C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\House of Wonders Babies Come Home 0 bytes File C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Image-Line 0 bytes File C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Internet Explorer.lnk 803 bytes File C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\JFK Reloaded 0 bytes File C:\NVIDIA\nForceWin2KXP\IDE\Win2K\legacy\nvuide.exe (size mismatch) 19456/176128 bytes executable File C:\pebuilder3110a\BartPE\Drivers\06_Touchpad\WinWDF\x86\synhid.inf (size mismatch) 196608/9619 bytes executable File C:\pebuilder3110a\BartPE\I386\SYSTEM32\Application Data 0 bytes File C:\pebuilder3110a\BartPE\I386\SYSTEM32\Cookies 0 bytes File C:\pebuilder3110a\BartPE\I386\SYSTEM32\Desktop 0 bytes File C:\pebuilder3110a\BartPE\I386\SYSTEM32\Favorites 0 bytes File C:\pebuilder3110a\BartPE\I386\SYSTEM32\Local Settings 0 bytes File C:\pebuilder3110a\BartPE\I386\SYSTEM32\My Documents 0 bytes File C:\pebuilder3110a\BartPE\I386\SYSTEM32\NetHood 0 bytes File C:\pebuilder3110a\BartPE\I386\SYSTEM32\NTUSER.DAT 262144 bytes File C:\pebuilder3110a\BartPE\I386\SYSTEM32\ntuser.dat.LOG 1024 bytes File C:\pebuilder3110a\BartPE\I386\SYSTEM32\ntuser.ini 178 bytes File C:\pebuilder3110a\BartPE\I386\SYSTEM32\PrintHood 0 bytes File C:\pebuilder3110a\BartPE\I386\SYSTEM32\Recent 0 bytes File C:\pebuilder3110a\BartPE\I386\SYSTEM32\SendTo 0 bytes File C:\pebuilder3110a\BartPE\I386\SYSTEM32\Start Menu 0 bytes 
File C:\pebuilder3110a\BartPE\I386\SYSTEM32\Templates 0 bytes File C:\pebuilder3110a\BartPE\I386\SYSTEM32\SPXCOINS.DLL (size mismatch) 20480/24661 bytes executable File C:\pebuilder3110a\BartPE\I386\SYSTEM32\SPXPORTS.DLL (size mismatch) 20480/659485 bytes executable File C:\pebuilder3110a\BartPE\I386\SYSTEM32\SUBST.EXE (size mismatch) 20480/9216 bytes executable File C:\pebuilder3110a\BartPE\I386\SYSTEM32\TASKMGR.EXE (size mismatch) 20480/135680 bytes executable File C:\pebuilder3110a\BartPE\I386\SYSTEM32\TFTP.EXE (size mismatch) 20480/16896 bytes executable File C:\pebuilder3110a\BartPE\I386\SYSTEM32\TIMEDATE.CPL (size mismatch) 20480/94208 bytes executable File C:\pebuilder3110a\BartPE\I386\SYSTEM32\TRACERT.EXE (size mismatch) 20480/12288 bytes executable File C:\pebuilder3110a\BartPE\I386\SYSTEM32\TRAFFIC.DLL (size mismatch) 20480/31232 bytes executable File C:\pebuilder3110a\BartPE\I386\SYSTEM32\TZCHANGE.EXE (size mismatch) 20480/60416 bytes executable File C:\pebuilder3110a\BartPE\I386\SYSTEM32\UFAT.DLL (size mismatch) 20480/82432 bytes executable File C:\pebuilder3110a\BartPE2\I386\SYSTEM32\WINHTTP.DLL (size mismatch) 102400/354304 bytes executable File C:\pebuilder3110a\BartPE2\I386\SYSTEM32\DRIVERS\DISKDUMP.SYS (size mismatch) 36352/14208 bytes executable File C:\pebuilder3110a\BartPE2\I386\SYSTEM32\MSVCIRT.DLL (size mismatch) 132608/57344 bytes executable File C:\Program Files\AGEIA Technologies\v2.5.0\PhysXCore.dll (size mismatch) 333088/2295072 bytes executable File C:\Program Files\Creative\WaveStudio 7\Pcm2Ext.ax (size mismatch) 10240/81920 bytes executable File C:\Program Files\DAEMON Tools Lite\Lang\JPN.dll (size mismatch) 95232/52736 bytes executable File C:\Program Files\Nero\Nero 9\Nero Burning ROM\NScCoreComponents\NMSearchPluginFileSystem.dll (size mismatch) 393216/147456 bytes executable File C:\Program Files\Nero\Nero 9\Nero SoundTrax\AudioPluginMgr\APM_mp3pro.dll (size mismatch) 144680/595240 bytes executable File C:\Program Files\Nero\Nero 
9\Nero SoundTrax\NeroAPIFiles\uVMpegEnc.dll (size mismatch) 521512/193832 bytes executable File C:\Program Files\Nero\Nero 9\Nero StartSmart\SMC\NePhotoSource.ax (size mismatch) 1471784/619816 bytes executable File C:\Program Files\Nero\Nero 9\Nero Vision\Nero.BDThumbnail\Nero.BDThumbnail.manifest (size mismatch) 159744/1170 bytes executable File C:\Program Files\Nero\Nero 9\Nero Vision\VCDDoc.dll (size mismatch) 1848616/111400 bytes executable File C:\Program Files\Nero\Nero MediaHome 4\NScCoreComponents\NMLogCxx.dll (size mismatch) 3301376/69632 bytes executable File C:\Program Files\Nero\Nero MediaHome 4\SMC\NeAudio2.ax (size mismatch) 107816/1340720 bytes executable File C:\Program Files\Nero\Nero MediaHome 4\UIEngine\NMUIStreaming.dll (size mismatch) 1146880/421888 bytes executable ---- EOF - GMER 1.0.15 ----