WiredWX Christian Hobby Weather Tools
Re: Win32TrojanTdss infection
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3344] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BF000A
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3344] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C0000A
.text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[3392] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[3392] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[3392] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[3392] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[3392] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[3392] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[3392] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00DC000A
.text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[3392] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00DD000A
.text C:\Program Files\Java\jre6\bin\jusched.exe[3404] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Java\jre6\bin\jusched.exe[3404] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Java\jre6\bin\jusched.exe[3404] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Java\jre6\bin\jusched.exe[3404] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Java\jre6\bin\jusched.exe[3404] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Java\jre6\bin\jusched.exe[3404] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Java\jre6\bin\jusched.exe[3404] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00CA000A
.text C:\Program Files\Java\jre6\bin\jusched.exe[3404] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00CB000A
.text C:\WINDOWS\SOUNDMAN.EXE[3424] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\SOUNDMAN.EXE[3424] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\SOUNDMAN.EXE[3424] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\SOUNDMAN.EXE[3424] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\SOUNDMAN.EXE[3424] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\SOUNDMAN.EXE[3424] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\WINDOWS\SOUNDMAN.EXE[3424] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B6000A
.text C:\WINDOWS\SOUNDMAN.EXE[3424] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B7000A
.text C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe[3452] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe[3452] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe[3452] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe[3452] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe[3452] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe[3452] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe[3452] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C0000A
.text C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe[3452] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C1000A
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3476] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3476] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3476] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3476] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3476] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3476] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3476] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C0000A
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3476] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C1000A
? C:\WINDOWS\services.exe[3536] number of sections mismatch; unknown module: dnsapi.dll
.rsrs C:\WINDOWS\services.exe[3536] C:\WINDOWS\services.exe entry point in ".rsrs" section [0x0041BC6C]
.rsrs C:\WINDOWS\services.exe[3536] C:\WINDOWS\services.exe unknown last section [0x00404000, 0x18000, 0xE0000040]
.text C:\WINDOWS\services.exe[3536] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\services.exe[3536] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\services.exe[3536] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\services.exe[3536] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\services.exe[3536] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\services.exe[3536] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\WINDOWS\services.exe[3536] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A5000A
.text C:\WINDOWS\services.exe[3536] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A6000A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3548] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3548] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3548] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3548] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3548] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3548] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3548] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A4000A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3548] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\ctfmon.exe[3612] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\system32\ctfmon.exe[3612] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\system32\ctfmon.exe[3612] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\system32\ctfmon.exe[3612] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\system32\ctfmon.exe[3612] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\system32\ctfmon.exe[3612] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\WINDOWS\system32\ctfmon.exe[3612] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A7000A
.text C:\WINDOWS\system32\ctfmon.exe[3612] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A8000A
.text C:\Program Files\Eraser\eraser.exe[3640] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Eraser\eraser.exe[3640] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Eraser\eraser.exe[3640] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Eraser\eraser.exe[3640] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Eraser\eraser.exe[3640] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Eraser\eraser.exe[3640] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Eraser\eraser.exe[3640] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BD000A
.text C:\Program Files\Eraser\eraser.exe[3640] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00BE000A
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3668] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3668] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3668] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3668] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3668] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3668] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1

.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3668] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A7000A
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3668] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A8000A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3736] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3736] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3736] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3736] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3736] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3736] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3736] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B0000A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3736] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B1000A
.rsrc C:\WINDOWS\System32\svchost.exe[3796] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\System32\svchost.exe[3796] C:\WINDOWS\System32\svchost.exe entry point in ".rsrc" section [0x01005636]
.text C:\WINDOWS\System32\svchost.exe[3796] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\System32\svchost.exe[3796] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\System32\svchost.exe[3796] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\System32\svchost.exe[3796] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\System32\svchost.exe[3796] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\System32\svchost.exe[3796] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C0000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C1000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100129A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100127A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] WININET.dll!HttpAddRequestHeadersA 3D94CF40 5 Bytes JMP 00FE000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 0109000A
.text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe[4020] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe[4020] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe[4020] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe[4020] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe[4020] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe[4020] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe[4020] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00DB000A
.text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe[4020] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00DC000A
.text C:\Program Files\Common Files\Sonic Shared\CineTray.exe[4052] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Common Files\Sonic Shared\CineTray.exe[4052] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Common Files\Sonic Shared\CineTray.exe[4052] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Common Files\Sonic Shared\CineTray.exe[4052] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Common Files\Sonic Shared\CineTray.exe[4052] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Common Files\Sonic Shared\CineTray.exe[4052] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Common Files\Sonic Shared\CineTray.exe[4052] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B1000A
.text C:\Program Files\Common Files\Sonic Shared\CineTray.exe[4052] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B2000A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[4116] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[4116] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[4116] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[4116] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[4116] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[4116] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[4116] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A7000A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[4116] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A8000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1

.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C0000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C1000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100129A0
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100127A0
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] WININET.dll!HttpAddRequestHeadersA 3D94CF40 5 Bytes JMP 00FE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 0109000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C0000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C1000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100129A0
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100127A0
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] WININET.dll!HttpAddRequestHeadersA 3D94CF40 5 Bytes JMP 00FE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 0109000A
.rsrc C:\WINDOWS\system32\svchost.exe[5532] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[5532] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01005636]
.text C:\WINDOWS\system32\svchost.exe[5532] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\system32\svchost.exe[5532] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\system32\svchost.exe[5532] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\system32\svchost.exe[5532] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\system32\svchost.exe[5532] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\system32\svchost.exe[5532] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [AE5C8B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [AE5C8930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [AE5C9260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [AE5C6E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [AE5C6E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [AE5C8B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [AE5C8930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [AE5C9260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [AE5C8B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [AE5C6E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [AE5C9260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [AE5C8930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [AE5C9260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [AE5C8930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [AE5C8B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [AE5C6E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [AE5C8B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [AE5C8930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [AE5C9260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [AE5C8B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [AE5C6E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [AE5C9260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [AE5C8930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [61A52910] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [61A54AD0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [61A54B20] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] [61A54AE0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!CreateThread] [7C8841F8] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetModuleHandleA] [7C8841EE] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetModuleHandleW] [7C8841F3] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!CreateThread] [7C8841F8] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\SAMLIB.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\Iexplore.exe[2444] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [61A54AD0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [61A54B20] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] [61A54AE0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [61A52910] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!CreateThread] [7C8841F8] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetModuleHandleA] [7C8841EE] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetModuleHandleW] [7C8841F3] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!CreateThread] [7C8841F8] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

Re: Win32TrojanTdss infection
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [kernel32.dll!GetProcAddress] 307825FF
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [kernel32.dll!LoadLibraryA] 25FF0040
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [kernel32.dll!GetVersion] [00403074] C:\WINDOWS\services.exe
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [kernel32.dll!GetCommandLineA] CCCCCCCC
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [kernel32.dll!FreeLibrary] 308025FF
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!GetMessageA] [00403084] C:\WINDOWS\services.exe
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!BeginPaint] 308825FF
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!GetFocus] 00000040
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!EndPaint] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!DispatchMessageA] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!DefWindowProcA] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!GetSysColor] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!SetFocus] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!ScreenToClient] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!LoadIconA] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!ShowWindow] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!SetWindowTextA] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!DestroyWindow] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!CreateWindowExA] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!GetClientRect] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!wcschr] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!_controlfp] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!__p__commode] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!_acmdln] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!memmove] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!wcslen] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!_XcptFilter] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!toupper] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!_exit] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!__setusermatherr] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!__CxxFrameHandler] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!__getmainargs] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!rand] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!__set_app_type] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!CreateFontIndirectA] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!SetBkMode] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!SelectObject] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!GetTextMetricsA] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!LineTo] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!SetPixel] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!GetTextColor] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!GetTextExtentPoint32A] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!PatBlt] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!DeleteObject] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!CreateCompatibleDC] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!ExtTextOutA] 00000000
IAT C:\Program Files\Internet Explorer\iexplore.exe[4976] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACismsairfdm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1200] 0x00DC0000
Library \\?\globalroot\systemroot\system32\UACkfmqrdycpa.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1200] 0x02FD0000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACbypdriymbf.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

Re: Win32TrojanTdss infection
---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

Re: Win32TrojanTdss infection
Wow! That was some log!

Hope that's what you wanted.

Cricketboy
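The "Disk sectors" section of the log above reports every sector from 1 to 63 as a copy of the MBR, with 62 and 63 additionally tagged "rootkit-like behavior". The script below is an added example for this thread, not GMER's code, showing the comparison behind the "copy of MBR" lines: read the first track of a disk and label each sector relative to sector 0. It runs on a constructed 64-sector image; the MBR contents, the partition entry and the labels are the author's assumptions, and the log does not say why GMER singles out 62 and 63, so that part is not reproduced. One caveat worth stating for anyone who runs this on a live machine: a rootkit that hooks the disk stack can return clean data to reads made through the infected OS, so the trustworthy input is an image taken offline (boot CD, or the drive attached to a clean machine), not \\.\PhysicalDrive0 on the patient.

```python
"""Compare the first track of a disk with its MBR (the check behind GMER's
"copy of MBR" lines). Added example for this thread, not GMER's code.
It runs on a constructed 64-sector image; MBR contents, partition entry
and sector labels are assumptions.
"""
import hashlib

SECTOR = 512
FIRST_TRACK = 63  # sectors 1..63 precede the first partition on XP-era CHS-aligned disks


def make_mbr(seed: bytes) -> bytes:
    """Constructed MBR: 446 bytes of pseudo boot code, one active NTFS-type
    partition entry starting at LBA 63, 48 zero bytes, then the 0x55AA signature."""
    code = (hashlib.sha256(seed).digest() * 14)[:446]
    entry = (bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF])
             + (63).to_bytes(4, "little") + (1_000_000).to_bytes(4, "little"))
    return code + entry + bytes(48) + b"\x55\xAA"


def build_sample_image(copy_sectors=(), foreign_boot_sectors=()) -> bytes:
    """Constructed image: sector 0 holds the MBR, `copy_sectors` hold exact copies of it,
    `foreign_boot_sectors` hold a different boot sector with a valid signature, rest is zero."""
    sectors = [bytes(SECTOR) for _ in range(FIRST_TRACK + 1)]
    sectors[0] = make_mbr(b"constructed-sample-mbr")
    for n in copy_sectors:
        sectors[n] = sectors[0]
    for n in foreign_boot_sectors:
        sectors[n] = make_mbr(b"some-other-boot-code")
    return b"".join(sectors)


def read_first_track(path: str) -> bytes:
    """Read sectors 0..63 from an image file (or, with administrative rights on
    Windows, from a raw device path such as \\\\.\\PhysicalDrive0)."""
    with open(path, "rb") as fh:
        return fh.read((FIRST_TRACK + 1) * SECTOR)


def scan_first_track(image: bytes) -> dict:
    """Label every non-empty sector in 1..63 relative to sector 0."""
    mbr = image[:SECTOR]
    findings = {}
    for n in range(1, FIRST_TRACK + 1):
        sec = image[n * SECTOR:(n + 1) * SECTOR]
        if len(sec) < SECTOR or sec == bytes(SECTOR):
            continue  # short read, or an untouched track-gap sector (the expected state)
        if sec == mbr:
            findings[n] = "copy of MBR"
        elif sec[510:] == b"\x55\xAA":
            findings[n] = "boot-signature sector, differs from MBR"
        else:
            findings[n] = "non-zero data"
    return findings


def has_boot_signature(image: bytes) -> bool:
    """True when sector 0 ends with the 0x55AA boot signature."""
    return image[510:512] == b"\x55\xAA"


if __name__ == "__main__":
    # Reproduce the shape of the log above: every sector of the first track is a copy of the MBR.
    infected = build_sample_image(copy_sectors=range(1, FIRST_TRACK + 1))
    for n, label in scan_first_track(infected).items():
        print(f"sector {n:02d}: {label}")
    print("clean image:", scan_first_track(build_sample_image()))
```

On a real image, call read_first_track() on the file and hand the bytes to scan_first_track(); an untouched track gap comes back empty, a handful of copies is what the log above shows.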

Re: Win32TrojanTdss infection
Hello.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to disable:
UACd.sys

Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACbypdriymbf.sys
C:\WINDOWS\system32\UACismsairfdm.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
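The Avenger script in this post was written from a few facts in the GMER log: the two hidden DLLs, the hidden driver and its service name, the IAT slots in C:\WINDOWS\services.exe that hold raw values instead of a module address, and the MBR copies. The script below is an added example for this thread, not code from GMER, The Avenger or the helper: it pulls those facts out of GMER output with a handful of rules and drafts a script in the same three-section format. SAMPLE_LOG is a subset of the log posted above; SYSTEMROOT, the CORE_BINARIES list and the triage rules are the author's assumptions.

```python
"""Triage GMER output and draft an Avenger-style removal script from it.

Added example for this thread, not code from GMER, The Avenger or the helper.
SAMPLE_LOG holds lines copied from the log above; SYSTEMROOT, CORE_BINARIES
and the triage rules are the author's assumptions.
"""
import re
from dataclasses import dataclass

SYSTEMROOT = r"C:\WINDOWS"  # assumed from the paths seen in the log
# Names whose genuine copies live in system32; the same name elsewhere gets a manual look.
CORE_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}

LIB_RE = re.compile(r"^Library (\S+) \(\*\*\* hidden \*\*\* \) @ (.+?) \[(\d+)\] (0x[0-9A-Fa-f]+)$")
SVC_RE = re.compile(r"^Service (\S+) \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+)(.*)$")
IAT_RE = re.compile(r"^IAT (.+?)\[(\d+)\] @ (.+?) \[([^\]]+)\] (.+)$")
RESOLVED_RE = re.compile(r"^\[[0-9A-Fa-f]+\] (\S+)(?: \((.*)\))?$")  # "[addr] module (version info)"
DISK_RE = re.compile(r"^Disk (\S+) sector (\d+): (.+)$")

SAMPLE_LOG = r"""
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [kernel32.dll!GetProcAddress] 307825FF
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [kernel32.dll!GetVersion] [00403074] C:\WINDOWS\services.exe
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [kernel32.dll!GetCommandLineA] CCCCCCCC
Library \\?\globalroot\systemroot\system32\UACismsairfdm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1200] 0x00DC0000
Library \\?\globalroot\systemroot\system32\UACkfmqrdycpa.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1200] 0x02FD0000
Service C:\WINDOWS\system32\drivers\UACbypdriymbf.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR
"""


@dataclass(frozen=True)
class Finding:
    rule: str       # which triage rule fired
    subject: str    # file, service, process or sector range it fired on
    note: str       # context for the reader
    path: str = ""  # on-disk file the finding points at, if any


def normalize_path(path):
    """Turn GMER's kernel-style paths into the Win32 form a removal tool expects."""
    low = path.lower()
    for prefix in (r"\\?\globalroot\systemroot", r"\systemroot"):
        if low.startswith(prefix):
            return SYSTEMROOT + path[len(prefix):]
    return path


def classify_iat(proc, pid, imp, target, seen):
    """Flag IAT slots whose value is not a module with version info, and core binary
    names running outside system32. Clean hooks (VSINIT.dll, xpshims.dll above) pass."""
    found = []
    folder, _, name = proc.rpartition("\\")
    if name.lower() in CORE_BINARIES and folder.lower() != SYSTEMROOT.lower() + r"\system32":
        if (pid, "core_binary_path") not in seen:
            seen.add((pid, "core_binary_path"))
            found.append(Finding("core_binary_path", f"{proc} [{pid}]", "core Windows binary name outside system32; verify this file"))
    m = RESOLVED_RE.match(target)
    if m is None:
        found.append(Finding("iat_unresolved", f"{proc} [{pid}] {imp}", f"slot value {target} is not a module address"))
    elif m[2] is None:
        found.append(Finding("iat_no_version_info", f"{proc} [{pid}] {imp}", f"target {m[1]} carries no version info"))
    return found


def triage(log_text):
    """Run the rules over a GMER log and return the findings in log order."""
    findings, seen, mbr_copies = [], set(), []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := LIB_RE.match(line):
            p = normalize_path(m[1])
            findings.append(Finding("hidden_library", p, f"hidden DLL in {m[2]} [{m[3]}] at {m[4]}", p))
        elif m := SVC_RE.match(line):
            p = normalize_path(m[1])
            findings.append(Finding("hidden_service", m[3], f"hidden driver {p} {m[4].strip()}".rstrip(), p))
        elif m := IAT_RE.match(line):
            findings += classify_iat(m[1], m[2], m[4], m[5], seen)
        elif (m := DISK_RE.match(line)) and "copy of MBR" in m[3]:
            mbr_copies.append(int(m[2]))
    if mbr_copies:
        findings.append(Finding("mbr_copies", f"sectors {min(mbr_copies)}-{max(mbr_copies)}",
                                f"{len(mbr_copies)} sector(s) reported as copies of the MBR"))
    return findings


def avenger_script(findings):
    """Draft the three-section script format used in this thread from the hidden items."""
    drivers = sorted({f.subject for f in findings if f.rule == "hidden_service"})
    files = sorted({f.path for f in findings if f.path})
    lines = []
    if drivers:
        lines += ["Drivers to disable:", *drivers, "", "Drivers to delete:", *drivers, ""]
    if files:
        lines += ["Files to delete:", *files]
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.rule}] {f.subject}: {f.note}")
    print("\n" + avenger_script(found))
```

The generator lists every hidden item it sees, so its output is a starting point for review rather than a substitute for the script written for this user; the IAT rules only raise slots that fail to resolve, which is why the ZoneAlarm and Internet Explorer hooks in the full log produce nothing.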

Re: Win32TrojanTdss infection
Hi

I think the computer is terminally ill now. I'm posting from another.

It keeps shutting down spontaneously and restarting. I've not had it stable enough in the last 24hrs to follow your last instruction. It doesn't even seem to want to start in safe mode.

I guess it's a case of reformatting. I have a restore disk from the manufacturer (although they are out of business now).

I've got stuff backed up on an external hard disk. Is there a good way of discovering whether that has got infected? What do I do if it has?

You've been very helpful. Have you any other advice?

Cricketboy

Re: Win32TrojanTdss infection
The external is fine; this rootkit doesn't spread via USB.


Re: Win32TrojanTdss infection
Hi

Thanks, Belazhur for your help.

I just hope I can get the reformat to work OK.


Cricketboy

Re: Win32TrojanTdss infection
Instructions how to format and reinstall Windows can be found Here

