GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-15 04:52:33
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD1200JB-00EVA0 rev.15.05R15
Running: 34bzfy86.exe; Driver: C:\DOCUME~1\JERKFA~1\LOCALS~1\Temp\fgtdrpow.sys

---- System - GMER 1.0.15 ----

INT 0x62 ? 86F97CC8
INT 0x63 ? 86F59CC8
INT 0x73 ? 86F59CC8
INT 0x82 ? 86F97CC8
INT 0xB4 ? 86F59CC8

---- Kernel code sections - GMER 1.0.15 ----

? sltw.sys The system cannot find the file specified. !
.text sptd.sys F74FC000 32 Bytes [5C, 47, 6F, 80, 20, F7, 6E, ...]
.text sptd.sys F74FC024 4 Bytes [0E, EE, 4E, F7]
.text sptd.sys F74FC02C 40 Bytes [5A, 46, 57, 80, D0, DA, 59, ...]
.text sptd.sys F74FC055 383 Bytes [40, 5B, 80, 09, 98, 50, 80, ...]
.text sptd.sys F74FC1E4 4 Bytes [79, 62, 73, 4C] {JNS 0x64; JAE 0x50}
.text ...
.sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xF75F3D38]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F6A2D80C 5 Bytes JMP 86F591D8
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF5E4A380, 0x566445, 0xE8000020]
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !
? C:\DOCUME~1\JERKFA~1\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\amBX\Device Drivers\Philips USB\Philips_amBX_USB_HAL.exe[164] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\Program Files\amBX\Device Drivers\Philips USB\Philips_amBX_USB_HAL.exe[164] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\Program Files\amBX\Device Drivers\Philips USB\Philips_amBX_USB_HAL.exe[164] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\Program Files\amBX\Device Drivers\Philips USB\Philips_amBX_USB_HAL.exe[164] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\Program Files\amBX\Device Drivers\Philips USB\Philips_amBX_USB_HAL.exe[164] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\Program Files\amBX\Device Drivers\Philips USB\Philips_amBX_USB_HAL.exe[164] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\Program Files\amBX\Device Drivers\Philips USB\Philips_HAL_Starter.exe[224] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\Program Files\amBX\Device Drivers\Philips USB\Philips_HAL_Starter.exe[224] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\Program Files\amBX\Device Drivers\Philips USB\Philips_HAL_Starter.exe[224] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\Program Files\amBX\Device Drivers\Philips USB\Philips_HAL_Starter.exe[224] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\Program Files\amBX\Device Drivers\Philips USB\Philips_HAL_Starter.exe[224] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\Program Files\amBX\Device Drivers\Philips USB\Philips_HAL_Starter.exe[224] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\Program Files\Viewpoint\Common\ViewpointService.exe[300] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\Program Files\Viewpoint\Common\ViewpointService.exe[300] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 
7FFA6620 .text C:\Program Files\Viewpoint\Common\ViewpointService.exe[300] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\Program Files\Viewpoint\Common\ViewpointService.exe[300] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\Program Files\Viewpoint\Common\ViewpointService.exe[300] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\Program Files\Viewpoint\Common\ViewpointService.exe[300] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .rsrc C:\WINDOWS\system32\svchost.exe[308] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .rsrc C:\WINDOWS\system32\svchost.exe[308] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x0100BFAA] jqmklns C:\WINDOWS\system32\svchost.exe[308] C:\WINDOWS\system32\svchost.exe unknown last section [0x0100D000, 0x1000, 0xC0000000] .text C:\WINDOWS\system32\svchost.exe[308] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\svchost.exe[308] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\svchost.exe[308] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\svchost.exe[308] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\svchost.exe[308] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\svchost.exe[308] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\WINDOWS\system32\NOTEPAD.EXE[324] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\NOTEPAD.EXE[324] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\NOTEPAD.EXE[324] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\NOTEPAD.EXE[324] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\NOTEPAD.EXE[324] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 
7FFA6616 .text C:\WINDOWS\system32\NOTEPAD.EXE[324] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[684] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[684] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[684] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[684] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[684] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[684] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\Program Files\UPHClean\uphclean.exe[724] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\Program Files\UPHClean\uphclean.exe[724] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\Program Files\UPHClean\uphclean.exe[724] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\Program Files\UPHClean\uphclean.exe[724] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\Program Files\UPHClean\uphclean.exe[724] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\Program Files\UPHClean\uphclean.exe[724] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\WINDOWS\system32\spoolsv.exe[884] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\spoolsv.exe[884] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\spoolsv.exe[884] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\spoolsv.exe[884] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text 
C:\WINDOWS\system32\spoolsv.exe[884] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\spoolsv.exe[884] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\WINDOWS\system32\winlogon.exe[1028] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\winlogon.exe[1028] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\winlogon.exe[1028] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\winlogon.exe[1028] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\winlogon.exe[1028] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\winlogon.exe[1028] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\WINDOWS\system32\services.exe[1072] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\services.exe[1072] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\services.exe[1072] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\services.exe[1072] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\services.exe[1072] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\services.exe[1072] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\WINDOWS\system32\lsass.exe[1084] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FF96591 .text C:\WINDOWS\system32\lsass.exe[1084] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FF96620 .text C:\WINDOWS\system32\lsass.exe[1084] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FF9662D .text C:\WINDOWS\system32\lsass.exe[1084] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FF968B1 .text C:\WINDOWS\system32\lsass.exe[1084] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FF96616 .text C:\WINDOWS\system32\lsass.exe[1084] 
ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FF9666E .text C:\WINDOWS\system32\nvsvc32.exe[1232] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\nvsvc32.exe[1232] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\nvsvc32.exe[1232] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\nvsvc32.exe[1232] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\nvsvc32.exe[1232] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\nvsvc32.exe[1232] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .rsrc C:\WINDOWS\system32\svchost.exe[1256] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .rsrc C:\WINDOWS\system32\svchost.exe[1256] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x0100BFAA] jqmklns C:\WINDOWS\system32\svchost.exe[1256] C:\WINDOWS\system32\svchost.exe unknown last section [0x0100D000, 0x1000, 0xC0000000] .text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .rsrc C:\WINDOWS\system32\svchost.exe[1380] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .rsrc C:\WINDOWS\system32\svchost.exe[1380] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x0100BFAA] jqmklns C:\WINDOWS\system32\svchost.exe[1380] 
C:\WINDOWS\system32\svchost.exe unknown last section [0x0100D000, 0x1000, 0xC0000000] .text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .rsrc C:\WINDOWS\System32\svchost.exe[1420] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .rsrc C:\WINDOWS\System32\svchost.exe[1420] C:\WINDOWS\System32\svchost.exe entry point in ".rsrc" section [0x0100BFAA] jqmklns C:\WINDOWS\System32\svchost.exe[1420] C:\WINDOWS\System32\svchost.exe unknown last section [0x0100D000, 0x1000, 0xC0000000] .text C:\WINDOWS\System32\svchost.exe[1420] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\System32\svchost.exe[1420] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\System32\svchost.exe[1420] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\System32\svchost.exe[1420] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\System32\svchost.exe[1420] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\System32\svchost.exe[1420] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .rsrc C:\WINDOWS\system32\svchost.exe[1456] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .rsrc C:\WINDOWS\system32\svchost.exe[1456] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x0100BFAA] jqmklns C:\WINDOWS\system32\svchost.exe[1456] 
C:\WINDOWS\system32\svchost.exe unknown last section [0x0100D000, 0x1000, 0xC0000000] .text C:\WINDOWS\system32\svchost.exe[1456] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\svchost.exe[1456] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\svchost.exe[1456] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\svchost.exe[1456] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\svchost.exe[1456] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\svchost.exe[1456] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\WINDOWS\system32\ZuneBusEnum.exe[1556] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\ZuneBusEnum.exe[1556] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\ZuneBusEnum.exe[1556] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\ZuneBusEnum.exe[1556] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\ZuneBusEnum.exe[1556] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\ZuneBusEnum.exe[1556] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .rsrc C:\WINDOWS\system32\svchost.exe[1640] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .rsrc C:\WINDOWS\system32\svchost.exe[1640] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x0100BFAA] jqmklns C:\WINDOWS\system32\svchost.exe[1640] C:\WINDOWS\system32\svchost.exe unknown last section [0x0100D000, 0x1000, 0xC0000000] .text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!NtCreateProcessEx 
7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .reloc C:\WINDOWS\Explorer.EXE[1776] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0xA800, 0xE0000060] .reloc C:\WINDOWS\Explorer.EXE[1776] C:\WINDOWS\Explorer.EXE entry point in ".reloc" section [0x011051B8] nfijtus C:\WINDOWS\Explorer.EXE[1776] C:\WINDOWS\Explorer.EXE unknown last section [0x01106000, 0x1000, 0xC0000000] .text C:\WINDOWS\Explorer.EXE[1776] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\Explorer.EXE[1776] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\Explorer.EXE[1776] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\Explorer.EXE[1776] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\Explorer.EXE[1776] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\Explorer.EXE[1776] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .rsrc C:\WINDOWS\system32\svchost.exe[1792] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .rsrc C:\WINDOWS\system32\svchost.exe[1792] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x0100BFAA] jqmklns C:\WINDOWS\system32\svchost.exe[1792] C:\WINDOWS\system32\svchost.exe unknown last section [0x0100D000, 0x1000, 0xC0000000] .text C:\WINDOWS\system32\svchost.exe[1792] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\svchost.exe[1792] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\svchost.exe[1792] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\svchost.exe[1792] 
ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\svchost.exe[1792] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\svchost.exe[1792] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .rsrc C:\WINDOWS\system32\svchost.exe[1804] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .rsrc C:\WINDOWS\system32\svchost.exe[1804] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x0100BFAA] jqmklns C:\WINDOWS\system32\svchost.exe[1804] C:\WINDOWS\system32\svchost.exe unknown last section [0x0100D000, 0x1000, 0xC0000000] .text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\Program Files\amBX\System\amBX_Service.exe[1852] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\Program Files\amBX\System\amBX_Service.exe[1852] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\Program Files\amBX\System\amBX_Service.exe[1852] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\Program Files\amBX\System\amBX_Service.exe[1852] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\Program Files\amBX\System\amBX_Service.exe[1852] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\Program Files\amBX\System\amBX_Service.exe[1852] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\Program 
Files\Java\jre6\bin\jqs.exe[1856] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\Program Files\Java\jre6\bin\jqs.exe[1856] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\Program Files\Java\jre6\bin\jqs.exe[1856] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\Program Files\Java\jre6\bin\jqs.exe[1856] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\Program Files\Java\jre6\bin\jqs.exe[1856] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\Program Files\Java\jre6\bin\jqs.exe[1856] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .rsrc C:\WINDOWS\system32\svchost.exe[1880] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .rsrc C:\WINDOWS\system32\svchost.exe[1880] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x0100BFAA] jqmklns C:\WINDOWS\system32\svchost.exe[1880] C:\WINDOWS\system32\svchost.exe unknown last section [0x0100D000, 0x1000, 0xC0000000] .text C:\WINDOWS\system32\svchost.exe[1880] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\svchost.exe[1880] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\svchost.exe[1880] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\svchost.exe[1880] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\svchost.exe[1880] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\svchost.exe[1880] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\WINDOWS\system32\CTsvcCDA.EXE[1952] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\CTsvcCDA.EXE[1952] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\CTsvcCDA.EXE[1952] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\CTsvcCDA.EXE[1952] 
ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\CTsvcCDA.EXE[1952] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\CTsvcCDA.EXE[1952] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2100] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2100] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2100] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2100] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2100] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2100] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2100] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 00A724B0 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) 
.text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2100] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A72480 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2100] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A724E0 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2100] kernel32.dll!LoadLibraryW 7C80AE9B 5 Bytes JMP 00A72500 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2100] kernel32.dll!ExitProcess 7C81CAC2 5 Bytes JMP 00A72520 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) 
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2116] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2116] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2116] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2116] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2116] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2116] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2116] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 100024B0 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2116] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10002480 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2116] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 100024E0 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2116] kernel32.dll!LoadLibraryW 7C80AE9B 5 Bytes JMP 10002500 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) 
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2116] kernel32.dll!ExitProcess 7C81CAC2 5 Bytes JMP 10002520 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) .text C:\WINDOWS\system32\Rundll32.exe[2120] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\Rundll32.exe[2120] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\Rundll32.exe[2120] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\Rundll32.exe[2120] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\Rundll32.exe[2120] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\Rundll32.exe[2120] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2140] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2140] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2140] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2140] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2140] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2140] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\WINDOWS\Philips\SPC230NC\Monitor.exe[2156] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\Philips\SPC230NC\Monitor.exe[2156] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\Philips\SPC230NC\Monitor.exe[2156] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes 
CALL 7FFA662D .text C:\WINDOWS\Philips\SPC230NC\Monitor.exe[2156] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\Philips\SPC230NC\Monitor.exe[2156] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\Philips\SPC230NC\Monitor.exe[2156] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[2192] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[2192] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[2192] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[2192] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[2192] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[2192] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[2192] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 009324B0 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) .text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[2192] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00932480 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) .text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[2192] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009324E0 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) 
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[2192] kernel32.dll!LoadLibraryW 7C80AE9B 5 Bytes JMP 00932500 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) .text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[2192] kernel32.dll!ExitProcess 7C81CAC2 5 Bytes JMP 00932520 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) .text C:\Program Files\Zune\ZuneLauncher.exe[2208] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\Program Files\Zune\ZuneLauncher.exe[2208] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\Program Files\Zune\ZuneLauncher.exe[2208] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\Program Files\Zune\ZuneLauncher.exe[2208] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\Program Files\Zune\ZuneLauncher.exe[2208] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\Program Files\Zune\ZuneLauncher.exe[2208] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\Program Files\amBX\Gaming FXGen\win32\amBXFxGen.exe[2260] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591 .text C:\Program Files\amBX\Gaming FXGen\win32\amBXFxGen.exe[2260] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\Program Files\amBX\Gaming FXGen\win32\amBXFxGen.exe[2260] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\Program Files\amBX\Gaming FXGen\win32\amBXFxGen.exe[2260] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\Program Files\amBX\Gaming FXGen\win32\amBXFxGen.exe[2260] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\Program Files\amBX\Gaming FXGen\win32\amBXFxGen.exe[2260] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\WINDOWS\system32\RUNDLL32.EXE[2312] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes 
CALL 7FFA6591 .text C:\WINDOWS\system32\RUNDLL32.EXE[2312] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\RUNDLL32.EXE[2312] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\RUNDLL32.EXE[2312] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\RUNDLL32.EXE[2312] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\RUNDLL32.EXE[2312] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E .text C:\WINDOWS\system32\RUNDLL32.EXE[2312] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 009D24B0 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) .text C:\WINDOWS\system32\RUNDLL32.EXE[2312] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009D2480 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) .text C:\WINDOWS\system32\RUNDLL32.EXE[2312] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009D24E0 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) .text C:\WINDOWS\system32\RUNDLL32.EXE[2312] kernel32.dll!LoadLibraryW 7C80AE9B 5 Bytes JMP 009D2500 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) .text C:\WINDOWS\system32\RUNDLL32.EXE[2312] kernel32.dll!ExitProcess 7C81CAC2 5 Bytes JMP 009D2520 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.) 
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2320] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2320] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2320] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2320] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2320] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2320] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2320] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 011124B0 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2320] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01112480 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2320] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011124E0 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2320] kernel32.dll!LoadLibraryW 7C80AE9B 5 Bytes JMP 01112500 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2320] kernel32.dll!ExitProcess 7C81CAC2 5 Bytes JMP 01112520 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[2400] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\WINDOWS\system32\ctfmon.exe[2400] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\WINDOWS\system32\ctfmon.exe[2400] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\WINDOWS\system32\ctfmon.exe[2400] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\WINDOWS\system32\ctfmon.exe[2400] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\WINDOWS\system32\ctfmon.exe[2400] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\WINDOWS\system32\ctfmon.exe[2400] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 100024B0 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[2400] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10002480 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[2400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 100024E0 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[2400] kernel32.dll!LoadLibraryW 7C80AE9B 5 Bytes JMP 10002500 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[2400] kernel32.dll!ExitProcess 7C81CAC2 5 Bytes JMP 10002520 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\Documents and Settings\JERKFACE MCMONSTER\My Documents\Downloads\34bzfy86.exe[2604] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\Documents and Settings\JERKFACE MCMONSTER\My Documents\Downloads\34bzfy86.exe[2604] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\Documents and Settings\JERKFACE MCMONSTER\My Documents\Downloads\34bzfy86.exe[2604] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\Documents and Settings\JERKFACE MCMONSTER\My Documents\Downloads\34bzfy86.exe[2604] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\Documents and Settings\JERKFACE MCMONSTER\My Documents\Downloads\34bzfy86.exe[2604] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\Documents and Settings\JERKFACE MCMONSTER\My Documents\Downloads\34bzfy86.exe[2604] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\Documents and Settings\JERKFACE MCMONSTER\My Documents\Downloads\34bzfy86.exe[2604] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 100024B0 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\Documents and Settings\JERKFACE MCMONSTER\My Documents\Downloads\34bzfy86.exe[2604] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10002480 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\Documents and Settings\JERKFACE MCMONSTER\My Documents\Downloads\34bzfy86.exe[2604] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 100024E0 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\Documents and Settings\JERKFACE MCMONSTER\My Documents\Downloads\34bzfy86.exe[2604] kernel32.dll!LoadLibraryW 7C80AE9B 5 Bytes JMP 10002500 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\Documents and Settings\JERKFACE MCMONSTER\My Documents\Downloads\34bzfy86.exe[2604] kernel32.dll!ExitProcess 7C81CAC2 5 Bytes JMP 10002520 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\Program Files\amBX\Effects\amBX Event Manager.exe[2696] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\Program Files\amBX\Effects\amBX Event Manager.exe[2696] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\Program Files\amBX\Effects\amBX Event Manager.exe[2696] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\Program Files\amBX\Effects\amBX Event Manager.exe[2696] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\Program Files\amBX\Effects\amBX Event Manager.exe[2696] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\Program Files\amBX\Effects\amBX Event Manager.exe[2696] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\Program Files\Mozilla Firefox\firefox.exe[3208] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\Program Files\Mozilla Firefox\firefox.exe[3208] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\Program Files\Mozilla Firefox\firefox.exe[3208] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\Program Files\Mozilla Firefox\firefox.exe[3208] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\Program Files\Mozilla Firefox\firefox.exe[3208] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\Program Files\Mozilla Firefox\firefox.exe[3208] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\Program Files\Mozilla Firefox\firefox.exe[3208] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\DOCUME~1\JERKFA~1\LOCALS~1\Temp\Temporary Directory 1 for aswMBR.zip\aswMBR.exe[3316] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\DOCUME~1\JERKFA~1\LOCALS~1\Temp\Temporary Directory 1 for aswMBR.zip\aswMBR.exe[3316] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\DOCUME~1\JERKFA~1\LOCALS~1\Temp\Temporary Directory 1 for aswMBR.zip\aswMBR.exe[3316] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\DOCUME~1\JERKFA~1\LOCALS~1\Temp\Temporary Directory 1 for aswMBR.zip\aswMBR.exe[3316] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\DOCUME~1\JERKFA~1\LOCALS~1\Temp\Temporary Directory 1 for aswMBR.zip\aswMBR.exe[3316] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\DOCUME~1\JERKFA~1\LOCALS~1\Temp\Temporary Directory 1 for aswMBR.zip\aswMBR.exe[3316] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\DOCUME~1\JERKFA~1\LOCALS~1\Temp\Temporary Directory 1 for aswMBR.zip\aswMBR.exe[3316] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 100024B0 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\DOCUME~1\JERKFA~1\LOCALS~1\Temp\Temporary Directory 1 for aswMBR.zip\aswMBR.exe[3316] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10002480 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\DOCUME~1\JERKFA~1\LOCALS~1\Temp\Temporary Directory 1 for aswMBR.zip\aswMBR.exe[3316] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 100024E0 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\DOCUME~1\JERKFA~1\LOCALS~1\Temp\Temporary Directory 1 for aswMBR.zip\aswMBR.exe[3316] kernel32.dll!LoadLibraryW 7C80AE9B 5 Bytes JMP 10002500 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\DOCUME~1\JERKFA~1\LOCALS~1\Temp\Temporary Directory 1 for aswMBR.zip\aswMBR.exe[3316] kernel32.dll!ExitProcess 7C81CAC2 5 Bytes JMP 10002520 C:\Program Files\amBX\Gaming FXGen\win32\LoadLibInterceptor.dll (amBX LoadLibInterceptor Dynamic Link Library/amBX UK Ltd.)
.text C:\WINDOWS\TEMP\qtfcyyp.exe[3400] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\WINDOWS\TEMP\qtfcyyp.exe[3400] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\WINDOWS\TEMP\qtfcyyp.exe[3400] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\WINDOWS\TEMP\qtfcyyp.exe[3400] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\WINDOWS\TEMP\qtfcyyp.exe[3400] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\WINDOWS\TEMP\qtfcyyp.exe[3400] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86FDC308
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [F74FD574] sptd.sys
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [F74FD0C0] sptd.sys
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [F74FDFE0] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74FD0C0] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74FD362] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74FD2A4] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74FE1BC] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74FDFE0] sptd.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86F59308
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7512312] sptd.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F3A72672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F3A724C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F3A72CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F3A70C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F3A70C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F3A72672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F3A724C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F3A72CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F3A72672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F3A72CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F3A724C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F3A70C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F3A72CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F3A724C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F3A72672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F3A503C4] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F3A70C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F3A72672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F3A724C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F3A72CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F3A72CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F3A724C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F3A70C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F3A72672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F3A72672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F3A70C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F3A72CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F3A724C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisRegisterProtocol] [F3A72672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisOpenAdapter] [F3A724C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisDeregisterProtocol] [F3A70C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisCloseAdapter] [F3A72CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F3A6941C] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F3A692AA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F3A6960C] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F3A68D40] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [61A5C290] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [61A5C290] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [61A525E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [61A54CF0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [61A54890] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] [61A54850] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [61A5C290] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] @ C:\WINDOWS\system32\SAMLIB.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C883F8D] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateThread] [7C883F9C] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C883F8D] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] @ C:\WINDOWS\system32\Wininet.dll [KERNEL32.dll!CreateThread] [7C883F9C] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] @ C:\WINDOWS\system32\Wininet.dll [KERNEL32.dll!GetModuleHandleA] [7C883F92] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] @ C:\WINDOWS\system32\Wininet.dll [KERNEL32.dll!GetModuleHandleW] [7C883F97] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2012] @ C:\WINDOWS\system32\Wininet.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C883F8D] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2320] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [61A5C290] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2320] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [61A5C290] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2320] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [61A54CF0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2320] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [61A54890] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2320] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] [61A54850] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2320] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [61A5C290] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2320] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [61A525E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86F961F8
Device \FileSystem\Fastfat \FatCdrom 84EE71F8
Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\usbohci \Device\USBPDO-0 86D171F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{13691F4E-3BF6-4419-8AD5-D3E2201AFD0B} 863EA1F8
Device \Driver\usbohci \Device\USBPDO-1 86D171F8
Device \Driver\usbehci \Device\USBPDO-2 86D161F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{D9A924CB-1379-41F2-852C-B53899D65B72} 863EA1F8
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Cdrom \Device\CdRom0 86D101F8
Device \Driver\atapi \Device\Ide\IdePort0 86F971F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 86F971F8
Device \Driver\atapi \Device\Ide\IdePort1 86F971F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 86F971F8
Device \Driver\Cdrom \Device\CdRom1 86D101F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 863EA1F8
Device \Driver\USBSTOR \Device\00000079 850A21F8
Device \Driver\NetBT \Device\NetbiosSmb 863EA1F8
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\usbohci \Device\USBFDO-0 86D171F8
Device \Driver\USBSTOR \Device\0000007a 850A21F8
Device \Driver\usbohci \Device\USBFDO-1 86D171F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8619B1F8
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\usbehci \Device\USBFDO-2 86D161F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8619B1F8
Device \Driver\VClone \Device\Scsi\VClone1 86FD81F8
Device \Driver\VClone \Device\Scsi\VClone1Port0Path0Target0Lun0 86FD81F8
Device \FileSystem\Fastfat \Fat 84EE71F8
Device \FileSystem\Cdfs \Cdfs 86C31430

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a9402bb02
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a9402bb02@0019a1e1f037 0xD4 0x21 0x12 0x0B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB5 0x13 0xA4 0x7E ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a9402bb02 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a9402bb02@0019a1e1f037 0xD4 0x21 0x12 0x0B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB5 0x13 0xA4 0x7E ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 MBR read error
Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0

---- Files - GMER 1.0.15 ----

ADS C:\WINDOWS\system32\ùÓ:†´Ë0¸ÚyV€xKaâH¦aâ€9ü† 37376 bytes executable

---- EOF - GMER 1.0.15 ----