
Try running GMER again and when it shows these files:

C:\WINDOWS\system32\drivers\qkmazwv.sys
C:\WINDOWS\system32\drivers\str.sys

right-click on them one at a time and select delete. If it will not delete, use the kill option first.

If successful, run GMER again and post the log.
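The helper's instructions above depend on reading the GMER log the poster is asked to provide. What follows is an added example, not code from this thread or from GMER, that triages a log in the format GMER 1.0.15 writes: it tracks the `---- Section ----` headers and groups the lines a helper looks at first (entry points outside code sections, inline ntdll hooks in user processes, per-thread SSDT swaps, device dispatch routines outside any section, objects GMER marks `*** hidden ***`, and kernel modules with no backing file). Every `SAMPLE_LOG` line is constructed to mirror the line formats that appear in this thread, and the `Services` header is assumed from GMER's usual layout rather than taken from the posted log.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not code from the
thread or from GMER). It walks a 1.0.15-style log, tracks the current
"---- Section ----" header, and collects the indicators a helper reads first."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
UNBACKED_RE = re.compile(r"^\? (\S+) The system cannot find the file specified")
ENTRY_RE = re.compile(r'^\S+ (.+?) entry point in "([^"]+)" section \[(0x[0-9A-Fa-f]+)\]')
KPATCH_RE = re.compile(r"^\.text (\S+!\w+) \+ ([0-9A-F]+) [0-9A-F]+ (\d+) Bytes (\w+) ([0-9A-F]+)(?: (\S+))?$")
UHOOK_RE = re.compile(r"^\.text (.+?)\[(\d+)\] (\S+!\w+) [0-9A-F]+ \d+ Bytes \w+ ([0-9A-F]+)$")
THREAD_RE = re.compile(r"^Thread (.+?) \[(\d+):(\d+)\] SSDT (0x[0-9A-F]+) != (0x[0-9A-F]+)")
SSDT_RE = re.compile(r"^SSDT \S+ .+? \[\d+\.\d+\] (Zw\w+) \[0x[0-9A-F]+\]")
DEVICE_RE = re.compile(r"^Device (\S+) (\S+) (?:\[([0-9A-F]+)\] (\S+)\[unknown section\]|([0-9A-F]{8})$)")

# .text holds code and INIT is the discardable start-up section most drivers carry;
# an entry point anywhere else (e.g. .rsrc, the resource section) is worth a look.
CODE_SECTIONS = {".text", "init", "page"}

# Constructed sample, modelled on the line formats in this thread (not a real scan).
SAMPLE_LOG = r"""---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwYieldExecution + 885 804DED5A 4 Bytes CALL F27AE145 00000A09
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF73EE380]
init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF68B3B8D]
? 00000A09 The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\winlogon.exe[664] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\system32\winlogon.exe[664] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\system32\lsass.exe[720] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF948D7
.rsrc C:\WINDOWS\system32\svchost.exe[864] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01005733]
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi \Device\Ide\IdePort0 [F73E19F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\sgkimusefeb \Device\{9DD6AFA1-8646-4720-836B-EDCB1085864A} 00000A09
---- Threads - GMER 1.0.15 ----
Thread System [4:2420] SSDT 0x84CAD880 != 0x804E2D20
SSDT 00000A09 System [4.2420] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 System [4.2420] ZwQueryDirectoryFile [0xF27ACCA0]
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\nmxco.sys (*** hidden *** )
"""


def triage(log_text):
    """Return the indicators found in a GMER log, grouped by kind."""
    f = {"unbacked_modules": [], "entry_points": [], "kernel_patches": [],
         "user_hooks": defaultdict(set), "hook_targets": set(),
         "ssdt_threads": [], "ssdt_functions": set(), "device_hooks": [], "hidden": []}
    section = None
    for line in filter(None, (raw.strip() for raw in log_text.splitlines())):
        if m := SECTION_RE.match(line):
            section = m.group(1)            # remembered so hidden objects can be attributed
        elif "*** hidden ***" in line:      # GMER's marker for objects the Windows API does not show
            f["hidden"].append((section, line))
        elif m := UNBACKED_RE.match(line):  # module present in memory, no file GMER could open
            f["unbacked_modules"].append(m.group(1))
        elif m := ENTRY_RE.match(line):
            image, sec, addr = m.groups()
            f["entry_points"].append((image, sec, addr, sec.lower() not in CODE_SECTIONS))
        elif m := KPATCH_RE.match(line):    # inline patch inside a kernel image
            f["kernel_patches"].append(m.groups())
        elif m := UHOOK_RE.match(line):     # inline hook on an export inside a user process
            proc, pid, export, target = m.groups()
            f["user_hooks"][(proc, int(pid))].add(export)
            f["hook_targets"].add(target)
        elif m := THREAD_RE.match(line):    # thread whose service table pointer differs from the kernel's
            f["ssdt_threads"].append(m.groups())
        elif m := SSDT_RE.match(line):
            f["ssdt_functions"].add(m.group(1))
        elif m := DEVICE_RE.match(line):    # dispatch outside a known section, or a device served by a module
            drv, dev, addr, mod, served = m.groups()
            f["device_hooks"].append((drv, dev, addr or "", mod or served))
    return f


def summarize(f):
    """Reduce the findings to the lines a helper would act on."""
    notes = [f"kernel module {m} has no file on disk" for m in f["unbacked_modules"]]
    notes += [f"entry point of {img} sits in {sec} at {addr}, not in a code section"
              for img, sec, addr, odd in f["entry_points"] if odd]
    notes += [f"{sym}+{off} patched with a {n}-byte {kind} to {tgt} (module {mod or 'unknown'})"
              for sym, off, n, kind, tgt, mod in f["kernel_patches"]]
    if f["user_hooks"]:
        notes.append(f"{len(f['user_hooks'])} process(es) carry inline ntdll hooks "
                     f"to {len(f['hook_targets'])} distinct target(s)")
    notes += [f"thread {pid}:{tid} of {proc} uses SSDT {seen} instead of {exp}"
              for proc, pid, tid, seen, exp in f["ssdt_threads"]]
    if f["ssdt_functions"]:
        notes.append("redirected syscalls: " + ", ".join(sorted(f["ssdt_functions"])))
    for drv, dev, addr, mod in f["device_hooks"]:
        if addr:
            notes.append(f"{drv} dispatch for {dev} at {addr} lies outside every section of {mod}")
        elif mod in f["unbacked_modules"]:
            notes.append(f"{drv} serves {dev} from unbacked module {mod}")
    notes += [f"hidden object in {sec}: {line}" for sec, line in f["hidden"]]
    return notes


if __name__ == "__main__":
    for note in summarize(triage(SAMPLE_LOG)):
        print("-", note)
```

To run it against a real log, read the file and pass its text to `triage()`, then print `summarize()`; the output is a triage list, not a verdict. In particular, identical inline ntdll hooks in every process can also be placed by legitimate security software, so that finding is a prompt to check what owns the hook target, while an entry point in a driver's `.rsrc` section, a per-thread SSDT swap and a module with no backing file are the items that justify the helper's deletion instructions.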


OK, here's the log. I found C:\WINDOWS\system32\drivers\str.sys, but I couldn't find C:\WINDOWS\system32\drivers\qkmazwv.sys, and there were two entries marked red that I didn't delete. They were Service C:\WINDOWS\system32\drivers\nmxco.sys (*** hidden *** ) and
File C:\WINDOWS\system32\drivers\nmxco.sys. Anyway, here's the log:


GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-28 10:17:20
Windows 5.1.2600 Service Pack 2
Running: hate.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\axtdypog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 885 804DED5A 4 Bytes CALL F27AE145 00000A09
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF73EE380]
init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF68B3B8D]
? 00000A09 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\RALINK\Common\RaUI.exe[140] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\Program Files\RALINK\Common\RaUI.exe[140] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\Program Files\RALINK\Common\RaUI.exe[140] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\Program Files\RALINK\Common\RaUI.exe[140] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\Program Files\RALINK\Common\RaUI.exe[140] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\Program Files\RALINK\Common\RaUI.exe[140] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[384] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[384] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[384] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[384] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[384] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[384] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\WINDOWS\system32\winlogon.exe[664] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\system32\winlogon.exe[664] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\system32\winlogon.exe[664] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\system32\winlogon.exe[664] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\system32\winlogon.exe[664] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\system32\winlogon.exe[664] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\WINDOWS\system32\services.exe[708] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\system32\services.exe[708] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\system32\services.exe[708] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\system32\services.exe[708] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\system32\services.exe[708] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\system32\services.exe[708] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\WINDOWS\system32\lsass.exe[720] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF948D7
.text C:\WINDOWS\system32\lsass.exe[720] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF94966
.text C:\WINDOWS\system32\lsass.exe[720] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF94973
.text C:\WINDOWS\system32\lsass.exe[720] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FF94BF7
.text C:\WINDOWS\system32\lsass.exe[720] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF9495C
.text C:\WINDOWS\system32\lsass.exe[720] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF949B4
.rsrc C:\WINDOWS\system32\svchost.exe[864] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[864] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01005733]
.text C:\WINDOWS\system32\svchost.exe[864] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\system32\svchost.exe[864] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\system32\svchost.exe[864] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\system32\svchost.exe[864] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\system32\svchost.exe[864] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\system32\svchost.exe[864] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.rsrc C:\WINDOWS\system32\svchost.exe[940] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[940] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01005733]
.text C:\WINDOWS\system32\svchost.exe[940] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\system32\svchost.exe[940] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\system32\svchost.exe[940] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\system32\svchost.exe[940] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\system32\svchost.exe[940] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\system32\svchost.exe[940] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.rsrc C:\WINDOWS\System32\svchost.exe[1016] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\System32\svchost.exe[1016] C:\WINDOWS\System32\svchost.exe entry point in ".rsrc" section [0x01005733]
.text C:\WINDOWS\System32\svchost.exe[1016] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\System32\svchost.exe[1016] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\System32\svchost.exe[1016] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\System32\svchost.exe[1016] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\System32\svchost.exe[1016] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\System32\svchost.exe[1016] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.rsrc C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[1084] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01005733]
.text C:\WINDOWS\system32\svchost.exe[1084] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\system32\svchost.exe[1084] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\system32\svchost.exe[1084] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\system32\svchost.exe[1084] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\system32\svchost.exe[1084] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\system32\svchost.exe[1084] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1244] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1244] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1244] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1244] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1244] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1244] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.rsrc C:\WINDOWS\system32\svchost.exe[1252] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[1252] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01005733]
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.reloc C:\WINDOWS\Explorer.exe[1284] C:\WINDOWS\Explorer.exe section is executable [0x010FB000, 0x8800, 0xE0000040]
.text C:\WINDOWS\Explorer.exe[1284] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\Explorer.exe[1284] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\Explorer.exe[1284] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\Explorer.exe[1284] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\Explorer.exe[1284] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\Explorer.exe[1284] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\WINDOWS\system32\spoolsv.exe[1308] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\system32\spoolsv.exe[1308] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\system32\spoolsv.exe[1308] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\system32\spoolsv.exe[1308] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\system32\spoolsv.exe[1308] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\system32\spoolsv.exe[1308] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\Documents and Settings\Owner\Desktop\hate.exe[1364] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\Documents and Settings\Owner\Desktop\hate.exe[1364] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\Documents and Settings\Owner\Desktop\hate.exe[1364] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\Documents and Settings\Owner\Desktop\hate.exe[1364] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\Documents and Settings\Owner\Desktop\hate.exe[1364] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\Documents and Settings\Owner\Desktop\hate.exe[1364] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.rsrc C:\WINDOWS\System32\svchost.exe[1412] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\System32\svchost.exe[1412] C:\WINDOWS\System32\svchost.exe entry point in ".rsrc" section [0x01005733]
.text C:\WINDOWS\System32\svchost.exe[1412] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\System32\svchost.exe[1412] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\System32\svchost.exe[1412] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\System32\svchost.exe[1412] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\System32\svchost.exe[1412] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\System32\svchost.exe[1412] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1428] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1428] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1428] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1428] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1428] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1428] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.rsrc C:\WINDOWS\system32\svchost.exe[1440] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[1440] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01005733]
.text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\WINDOWS\system32\FastNetSrv.exe[1492] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\system32\FastNetSrv.exe[1492] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\system32\FastNetSrv.exe[1492] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\system32\FastNetSrv.exe[1492] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\system32\FastNetSrv.exe[1492] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\system32\FastNetSrv.exe[1492] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.rsrc C:\WINDOWS\System32\svchost.exe[1576] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\System32\svchost.exe[1576] C:\WINDOWS\System32\svchost.exe entry point in ".rsrc" section [0x01005733]
.text C:\WINDOWS\System32\svchost.exe[1576] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\System32\svchost.exe[1576] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\System32\svchost.exe[1576] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\System32\svchost.exe[1576] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\System32\svchost.exe[1576] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\System32\svchost.exe[1576] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe[1688] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe[1688] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe[1688] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe[1688] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe[1688] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe[1688] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\Program Files\Internet Explorer\iexplore.exe[1720] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\Program Files\Internet Explorer\iexplore.exe[1720] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\Program Files\Internet Explorer\iexplore.exe[1720] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\Program Files\Internet Explorer\iexplore.exe[1720] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\Program Files\Internet Explorer\iexplore.exe[1720] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\Program Files\Internet Explorer\iexplore.exe[1720] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\WINDOWS\system32\nvsvc32.exe[1732] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\system32\nvsvc32.exe[1732] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\system32\nvsvc32.exe[1732] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\system32\nvsvc32.exe[1732] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\system32\nvsvc32.exe[1732] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\system32\nvsvc32.exe[1732] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[1860] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[1860] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[1860] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[1860] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[1860] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[1860] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\Program Files\TVersity\Media Server\MediaServer.exe[1952] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\Program Files\TVersity\Media Server\MediaServer.exe[1952] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\Program Files\TVersity\Media Server\MediaServer.exe[1952] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\Program Files\TVersity\Media Server\MediaServer.exe[1952] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\Program Files\TVersity\Media Server\MediaServer.exe[1952] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\Program Files\TVersity\Media Server\MediaServer.exe[1952] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.rsrc C:\WINDOWS\system32\svchost.exe[1992] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[1992] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01005733]
.text C:\WINDOWS\system32\svchost.exe[1992] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\system32\svchost.exe[1992] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\system32\svchost.exe[1992] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\system32\svchost.exe[1992] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\system32\svchost.exe[1992] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\system32\svchost.exe[1992] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\Program Files\Messenger\msmsgs.exe[2020] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\Program Files\Messenger\msmsgs.exe[2020] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\Program Files\Messenger\msmsgs.exe[2020] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\Program Files\Messenger\msmsgs.exe[2020] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\Program Files\Messenger\msmsgs.exe[2020] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\Program Files\Messenger\msmsgs.exe[2020] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\Program Files\DNA\btdna.exe[2028] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\Program Files\DNA\btdna.exe[2028] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\Program Files\DNA\btdna.exe[2028] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\Program Files\DNA\btdna.exe[2028] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\Program Files\DNA\btdna.exe[2028] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\Program Files\DNA\btdna.exe[2028] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[2036] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[2036] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[2036] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[2036] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[2036] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[2036] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe[2044] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe[2044] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe[2044] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe[2044] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe[2044] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe[2044] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\WINDOWS\system32\NOTEPAD.EXE[4076] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\system32\NOTEPAD.EXE[4076] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\system32\NOTEPAD.EXE[4076] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\system32\NOTEPAD.EXE[4076] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\system32\NOTEPAD.EXE[4076] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\system32\NOTEPAD.EXE[4076] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F73E19F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort0 [F73E19F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort1 [F73E19F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F73E19F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\sgkimusefeb \Device\{9DD6AFA1-8646-4720-836B-EDCB1085864A} 00000A09

---- Threads - GMER 1.0.15 ----

Thread System [4:2420] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 System [4.2420] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 System [4.2420] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 System [4.2420] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 System [4.2420] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 System [4.2420] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 System [4.2420] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 System [4.2420] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 System [4.2420] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 System [4.2420] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 System [4.2420] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 System [4.2420] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 System [4.2420] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 System [4.2420] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 System [4.2420] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 System [4.2420] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread RaUI.exe [140:144] SSDT 0x84DDE228 != 0x804E2D20

SSDT 00000A09 RaUI.exe [140.144] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 RaUI.exe [140.144] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 RaUI.exe [140.144] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 RaUI.exe [140.144] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 RaUI.exe [140.144] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 RaUI.exe [140.144] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 RaUI.exe [140.144] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 RaUI.exe [140.144] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 RaUI.exe [140.144] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 RaUI.exe [140.144] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 RaUI.exe [140.144] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 RaUI.exe [140.144] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 RaUI.exe [140.144] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 RaUI.exe [140.144] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 RaUI.exe [140.144] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread RaUI.exe [140:216] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 RaUI.exe [140.216] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 RaUI.exe [140.216] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 RaUI.exe [140.216] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 RaUI.exe [140.216] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 RaUI.exe [140.216] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 RaUI.exe [140.216] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 RaUI.exe [140.216] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 RaUI.exe [140.216] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 RaUI.exe [140.216] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 RaUI.exe [140.216] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 RaUI.exe [140.216] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 RaUI.exe [140.216] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 RaUI.exe [140.216] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 RaUI.exe [140.216] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 RaUI.exe [140.216] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:388] SSDT 0x84DDE228 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.388] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:472] SSDT 0x84DDE228 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.472] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:480] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.480] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:492] SSDT 0x84DDE228 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.492] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:496] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.496] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:504] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.504] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:508] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.508] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:512] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.512] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:536] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.536] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:540] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.540] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:544] SSDT 0x84DDE228 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.544] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:548] SSDT 0x84DDE228 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.548] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:2220] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.2220] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:2312] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.2312] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:2460] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.2460] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:3720] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.3720] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:4060] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.4060] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread csrss.exe [640:648] SSDT 0x84DDE228 != 0x804E2D20

SSDT 00000A09 csrss.exe [640.648] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 csrss.exe [640.648] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 csrss.exe [640.648] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 csrss.exe [640.648] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 csrss.exe [640.648] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 csrss.exe [640.648] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 csrss.exe [640.648] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 csrss.exe [640.648] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 csrss.exe [640.648] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 csrss.exe [640.648] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 csrss.exe [640.648] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 csrss.exe [640.648] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 csrss.exe [640.648] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 csrss.exe [640.648] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 csrss.exe [640.648] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread csrss.exe [640:160] SSDT 0x84DDE228 != 0x804E2D20

SSDT 00000A09 csrss.exe [640.160] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 csrss.exe [640.160] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 csrss.exe [640.160] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 csrss.exe [640.160] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 csrss.exe [640.160] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 csrss.exe [640.160] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 csrss.exe [640.160] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 csrss.exe [640.160] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 csrss.exe [640.160] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 csrss.exe [640.160] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 csrss.exe [640.160] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 csrss.exe [640.160] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 csrss.exe [640.160] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 csrss.exe [640.160] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 csrss.exe [640.160] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread csrss.exe [640:1064] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 csrss.exe [640.1064] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 csrss.exe [640.1064] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 csrss.exe [640.1064] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 csrss.exe [640.1064] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 csrss.exe [640.1064] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 csrss.exe [640.1064] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 csrss.exe [640.1064] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 csrss.exe [640.1064] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 csrss.exe [640.1064] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 csrss.exe [640.1064] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 csrss.exe [640.1064] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 csrss.exe [640.1064] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 csrss.exe [640.1064] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 csrss.exe [640.1064] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 csrss.exe [640.1064] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread winlogon.exe [664:1880] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 winlogon.exe [664.1880] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 winlogon.exe [664.1880] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 winlogon.exe [664.1880] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 winlogon.exe [664.1880] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 winlogon.exe [664.1880] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 winlogon.exe [664.1880] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 winlogon.exe [664.1880] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 winlogon.exe [664.1880] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09

.text C:\WINDOWS\system32\nvsvc32.exe[1732] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\system32\nvsvc32.exe[1732] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\system32\nvsvc32.exe[1732] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\system32\nvsvc32.exe[1732] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\system32\nvsvc32.exe[1732] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\system32\nvsvc32.exe[1732] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[1860] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[1860] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[1860] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[1860] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[1860] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[1860] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\Program Files\TVersity\Media Server\MediaServer.exe[1952] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\Program Files\TVersity\Media Server\MediaServer.exe[1952] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\Program Files\TVersity\Media Server\MediaServer.exe[1952] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\Program Files\TVersity\Media Server\MediaServer.exe[1952] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\Program Files\TVersity\Media Server\MediaServer.exe[1952] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\Program Files\TVersity\Media Server\MediaServer.exe[1952] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.rsrc C:\WINDOWS\system32\svchost.exe[1992] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[1992] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01005733]
.text C:\WINDOWS\system32\svchost.exe[1992] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\system32\svchost.exe[1992] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\system32\svchost.exe[1992] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\system32\svchost.exe[1992] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\system32\svchost.exe[1992] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\system32\svchost.exe[1992] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\Program Files\Messenger\msmsgs.exe[2020] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\Program Files\Messenger\msmsgs.exe[2020] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\Program Files\Messenger\msmsgs.exe[2020] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\Program Files\Messenger\msmsgs.exe[2020] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\Program Files\Messenger\msmsgs.exe[2020] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\Program Files\Messenger\msmsgs.exe[2020] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\Program Files\DNA\btdna.exe[2028] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\Program Files\DNA\btdna.exe[2028] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\Program Files\DNA\btdna.exe[2028] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\Program Files\DNA\btdna.exe[2028] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\Program Files\DNA\btdna.exe[2028] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\Program Files\DNA\btdna.exe[2028] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[2036] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[2036] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[2036] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[2036] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[2036] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[2036] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe[2044] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe[2044] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe[2044] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe[2044] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe[2044] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe[2044] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4
.text C:\WINDOWS\system32\NOTEPAD.EXE[4076] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA48D7
.text C:\WINDOWS\system32\NOTEPAD.EXE[4076] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA4966
.text C:\WINDOWS\system32\NOTEPAD.EXE[4076] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA4973
.text C:\WINDOWS\system32\NOTEPAD.EXE[4076] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4BF7
.text C:\WINDOWS\system32\NOTEPAD.EXE[4076] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA495C
.text C:\WINDOWS\system32\NOTEPAD.EXE[4076] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA49B4

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F73E19F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort0 [F73E19F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort1 [F73E19F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F73E19F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\sgkimusefeb \Device\{9DD6AFA1-8646-4720-836B-EDCB1085864A} 00000A09

---- Threads - GMER 1.0.15 ----

Thread System [4:2420] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 System [4.2420] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 System [4.2420] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 System [4.2420] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 System [4.2420] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 System [4.2420] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 System [4.2420] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 System [4.2420] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 System [4.2420] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 System [4.2420] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 System [4.2420] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 System [4.2420] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 System [4.2420] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 System [4.2420] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 System [4.2420] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 System [4.2420] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread RaUI.exe [140:144] SSDT 0x84DDE228 != 0x804E2D20

SSDT 00000A09 RaUI.exe [140.144] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 RaUI.exe [140.144] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 RaUI.exe [140.144] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 RaUI.exe [140.144] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 RaUI.exe [140.144] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 RaUI.exe [140.144] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 RaUI.exe [140.144] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 RaUI.exe [140.144] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 RaUI.exe [140.144] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 RaUI.exe [140.144] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 RaUI.exe [140.144] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 RaUI.exe [140.144] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 RaUI.exe [140.144] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 RaUI.exe [140.144] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 RaUI.exe [140.144] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread RaUI.exe [140:216] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 RaUI.exe [140.216] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 RaUI.exe [140.216] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 RaUI.exe [140.216] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 RaUI.exe [140.216] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 RaUI.exe [140.216] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 RaUI.exe [140.216] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 RaUI.exe [140.216] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 RaUI.exe [140.216] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 RaUI.exe [140.216] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 RaUI.exe [140.216] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 RaUI.exe [140.216] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 RaUI.exe [140.216] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 RaUI.exe [140.216] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 RaUI.exe [140.216] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 RaUI.exe [140.216] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:388] SSDT 0x84DDE228 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.388] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.388] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:472] SSDT 0x84DDE228 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.472] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.472] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:480] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.480] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.480] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:492] SSDT 0x84DDE228 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.492] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.492] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:496] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.496] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.496] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:504] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.504] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.504] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:508] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.508] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.508] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:512] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.512] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.512] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:536] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.536] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.536] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:540] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.540] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.540] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:544] SSDT 0x84DDE228 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.544] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.544] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:548] SSDT 0x84DDE228 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.548] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.548] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:2220] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.2220] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.2220] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:2312] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.2312] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.2312] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:2460] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.2460] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.2460] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:3720] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.3720] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.3720] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [384:4060] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.4060] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread csrss.exe [640:648] SSDT 0x84DDE228 != 0x804E2D20

SSDT 00000A09 csrss.exe [640.648] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 csrss.exe [640.648] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 csrss.exe [640.648] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 csrss.exe [640.648] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 csrss.exe [640.648] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 csrss.exe [640.648] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 csrss.exe [640.648] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 csrss.exe [640.648] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 csrss.exe [640.648] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 csrss.exe [640.648] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 csrss.exe [640.648] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 csrss.exe [640.648] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 csrss.exe [640.648] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 csrss.exe [640.648] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 csrss.exe [640.648] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread csrss.exe [640:160] SSDT 0x84DDE228 != 0x804E2D20

SSDT 00000A09 csrss.exe [640.160] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 csrss.exe [640.160] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 csrss.exe [640.160] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 csrss.exe [640.160] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 csrss.exe [640.160] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 csrss.exe [640.160] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 csrss.exe [640.160] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 csrss.exe [640.160] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 csrss.exe [640.160] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 csrss.exe [640.160] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 csrss.exe [640.160] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 csrss.exe [640.160] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 csrss.exe [640.160] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 csrss.exe [640.160] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 csrss.exe [640.160] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread csrss.exe [640:1064] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 csrss.exe [640.1064] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 csrss.exe [640.1064] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 csrss.exe [640.1064] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 csrss.exe [640.1064] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 csrss.exe [640.1064] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 csrss.exe [640.1064] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 csrss.exe [640.1064] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 csrss.exe [640.1064] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 csrss.exe [640.1064] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 csrss.exe [640.1064] ZwReadVirtualMemory [0xF27AD60F]
SSDT 00000A09 csrss.exe [640.1064] ZwSetContextThread [0xF27AD0AC]
SSDT 00000A09 csrss.exe [640.1064] ZwSetValueKey [0xF27AD413]
SSDT 00000A09 csrss.exe [640.1064] ZwSuspendThread [0xF27AD049]
SSDT 00000A09 csrss.exe [640.1064] ZwTerminateThread [0xF27ACFE6]
SSDT 00000A09 csrss.exe [640.1064] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread winlogon.exe [664:1880] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 winlogon.exe [664.1880] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 winlogon.exe [664.1880] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 winlogon.exe [664.1880] ZwEnumerateValueKey [0xF27AD2D3]
SSDT 00000A09 winlogon.exe [664.1880] ZwOpenKey [0xF27AD10F]
SSDT 00000A09 winlogon.exe [664.1880] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 winlogon.exe [664.1880] ZwOpenThread [0xF27ACF01]
SSDT 00000A09 winlogon.exe [664.1880] ZwProtectVirtualMemory [0xF27AD6DB]
SSDT 00000A09 winlogon.exe [664.1880] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09

0
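The SSDT section of this GMER log repeats the same fifteen hooked services for every thread it inspected, which buries the substance: one module GMER could not resolve, reported as 00000A09, owns every hook, the same service is always redirected to the same address, and the hooked services fall into four groups (registry hiding, file hiding, process hiding/protection, and process memory tampering). The "Thread ... SSDT 0x... != 0x804E2D20" lines record that a thread's service table pointer no longer matches the kernel's own table. The Python below is an added example, not part of the original thread or of GMER; it parses a subset of the log lines quoted above (embedded as sample input) and collapses them into that summary. The regular expressions assume the GMER 1.0.15 line layout shown in this log, and the capability grouping is my own rough classification of the Zw* services.

```python
import re

# Sample input: a subset of the SSDT lines from the GMER log posted above.
SAMPLE_LOG = """\
Thread wmpnetwk.exe [384:4060] SSDT 0x84CAD880 != 0x804E2D20

SSDT 00000A09 wmpnetwk.exe [384.4060] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwEnumerateKey [0xF27AD1C7]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwQuerySystemInformation [0xF27ACD73]
SSDT 00000A09 wmpnetwk.exe [384.4060] ZwWriteVirtualMemory [0xF27AD675]

---- Threads - GMER 1.0.15 ----

Thread csrss.exe [640:648] SSDT 0x84DDE228 != 0x804E2D20

SSDT 00000A09 csrss.exe [640.648] ZwDeleteValueKey [0xF27AD517]
SSDT 00000A09 csrss.exe [640.648] ZwOpenProcess [0xF27ACE79]
SSDT 00000A09 csrss.exe [640.648] ZwQueryDirectoryFile [0xF27ACCA0]
SSDT 00000A09 csrss.exe [640.648] ZwWriteVirtualMemory [0xF27AD675]
"""

# "Thread <proc> [pid:tid] SSDT <thread's table> != <kernel's table>"
THREAD_RE = re.compile(
    r"^Thread (\S+) \[(\d+):(\d+)\] SSDT (0x[0-9A-Fa-f]+) != (0x[0-9A-Fa-f]+)")
# "SSDT <owning module> <proc> [pid.tid] <service> [<hook address>]"
HOOK_RE = re.compile(
    r"^SSDT (\S+) (\S+) \[(\d+)\.(\d+)\] (Zw\w+) \[(0x[0-9A-Fa-f]+)\]")

# My own rough grouping of the hooked services by what hooking them lets a rootkit do.
CAPABILITIES = {
    "hide registry keys/values": {"ZwOpenKey", "ZwEnumerateKey", "ZwEnumerateValueKey",
                                  "ZwSetValueKey", "ZwDeleteValueKey"},
    "hide files": {"ZwQueryDirectoryFile"},
    "hide/protect processes": {"ZwOpenProcess", "ZwOpenThread", "ZwQuerySystemInformation",
                               "ZwSuspendThread", "ZwTerminateThread"},
    "tamper with process memory": {"ZwReadVirtualMemory", "ZwWriteVirtualMemory",
                                   "ZwProtectVirtualMemory", "ZwSetContextThread"},
}


def parse_gmer(text):
    """Split a GMER SSDT dump into per-thread table mismatches and individual hooks."""
    threads, hooks = [], []
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            threads.append({"process": m.group(1), "pid": int(m.group(2)),
                            "tid": int(m.group(3)), "table": int(m.group(4), 16),
                            "kernel_table": int(m.group(5), 16)})
            continue
        m = HOOK_RE.match(line)
        if m:
            hooks.append({"module": m.group(1), "process": m.group(2),
                          "pid": int(m.group(3)), "tid": int(m.group(4)),
                          "service": m.group(5), "target": int(m.group(6), 16)})
    return threads, hooks


def summarize(hooks):
    """Collapse the per-thread repetition into what matters for triage."""
    targets = {}
    for h in hooks:
        targets.setdefault(h["service"], set()).add(h["target"])
    hooked = set(targets)
    all_targets = {t for ts in targets.values() for t in ts}
    return {
        "services": sorted(hooked),
        "modules": sorted({h["module"] for h in hooks}),
        # One narrow address range means one driver owns every hook.
        "target_range": (min(all_targets), max(all_targets)) if all_targets else None,
        # Is each service always redirected to the same address across threads?
        "consistent": all(len(ts) == 1 for ts in targets.values()),
        "capabilities": {cap: sorted(names & hooked)
                         for cap, names in CAPABILITIES.items() if names & hooked},
    }


if __name__ == "__main__":
    threads, hooks = parse_gmer(SAMPLE_LOG)
    for t in threads:
        print(f"{t['process']} [{t['pid']}:{t['tid']}] uses table 0x{t['table']:08X}, "
              f"kernel table is 0x{t['kernel_table']:08X}")
    s = summarize(hooks)
    print(f"{len(s['services'])} services hooked by module(s) {s['modules']}, "
          f"targets 0x{s['target_range'][0]:08X}-0x{s['target_range'][1]:08X}")
    for cap, svcs in s["capabilities"].items():
        print(f"  {cap}: {', '.join(svcs)}")
```

Run against the full log, the target range is the address span of the hidden driver, which is what to look for in the kernel modules list once the file itself has been renamed again.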

Two entries marked red; I didn't delete them. They were Service C:\WINDOWS\system32\drivers\nmxco.sys (*** hidden *** ) and
File C:\WINDOWS\system32\drivers\nmxco.sys

Did you notice that GMER said "79744 bytes executable <-- ROOTKIT !!!" next to the entry? You need to run GMER again and, no matter the name of the file, if it is noted as ROOTKIT then DELETE it. This is why you cannot get the computer clean: there is a rootkit on there, and it is renaming itself to avoid being caught.
By the way, I see SpywareTerminator listed in this log; when did you install that?

0

I installed Spyware Terminator a few days ago and I'm going to uninstall it. That's the most useless program I've used since I installed Ashampoo Firewall. Oh, and I just deleted those entries, and I'll run GMER again and report back here, but I hope it's not like MBA-M, which says infections are deleted but when you rerun the program the infections are right back there.

0

I installed Spyware Terminator a few days ago and I'm going to uninstall it. That's the most useless program I've used since I installed Ashampoo Firewall. Oh, and I just deleted those entries, and I'll run GMER again and report back here, but I hope it's not like MBA-M, which says infections are deleted but when you rerun the program the infections are right back there.

Ok, two things I want to say. #1. If you want us to help you clean your machine then you have to follow the steps we give. Installing SpywareTerminator would never have been one of them, and a "go ahead" to install programs without checking here first also would not be something we would say to do. This can really cause major problems when working on a fix; some programs interfere with others, and if we happen to give you a program to run without you saying you installed something else, then major damage can be done.
#2. The reason the infection keeps coming back has absolutely NOTHING to do with MBA-M. It IS removing it, BUT what this is is a rootkit, a very difficult infection to remove because part of what it does is not allow programs like MBA-M and others to complete their job or do it completely. This is why special tools must be used to try to remove it. SpywareTerminator isn't one of them.

0

Sorry, I didn't know; it won't happen again. But I reran GMER and I had no red entries, but one entry was marked as suspicious. Do I delete it?

0

Sorry, I didn't know; it won't happen again. But I reran GMER and I had no red entries, but one entry was marked as suspicious. Do I delete it?

I don't know; what was the suspicious entry? Was it this same one showing from your previous logs?

C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

You might upload it to http://virusscan.jotti.org/en and see what all those scanners say about it.
When you go to the Jotti page, put the full listing into the window, like this: C:\WINDOWS\system32\drivers\atapi.sys
and then have the scans run. This should show a report on what all those different scanners say it is.
Report back on what they say, then we can go from there.

0

Can't do it. I've got to work on a different PC than my infected one. I thought I could copy and paste the name and they would check it against their databases, not upload the file. You see, my infected PC freezes or goes blue screen on me when I connect to the web, so I just figured I would cut it off from the internet until my problem is solved.

0

No, the actual file, not the name, has to be uploaded to their scanners. This IS a legitimate file, but GMER has flagged it because it has been altered, probably by the rootkit.
I would like you to try now to run Combofix again. Delete the one on the desktop and install a new one using your flash drive. I will keep my fingers crossed that it will run this time. If it does, it may also fix that flagged file.
The log should be located at C:\Combofix.txt when it is complete. Post the log back here.
Judy

0

Nope, nothing is better. It just won't go away, and when I connect to the internet my computer slows wayyyyyy down or freezes. I hate this.

0

Nope, nothing is better. It just won't go away, and when I connect to the internet my computer slows wayyyyyy down or freezes. I hate this.

Are you able to download the attached FindWPP.zip and Extract the FindWPP Folder from the ZIP and place it on your ill computer?

If so, do that and then open the FindWPP Folder and run RunThis.bat (DoubleClick it).

Let it run for as long as it needs. A log will pop up - please post it for me.

PP:)

Edited by PhilliePhan: removed used attachment

0

Can you explain how a program can just block me from the internet, and how to unblock it? I think I would have a better chance of success if I could run more than potentially outdated malware and spyware

0

Can you explain how a program can just block me from the internet, and how to unblock it? I think I would have a better chance of success if I could run more than potentially outdated malware and spyware

There are a number of different ways malware accomplishes this. Lately, modifications to legit files along with some rootkitted components seem to be the method of choice.

In your case, atapi.sys has been modified. We will need to address that as well as some other changes in order to allow combofix and MBAM to run.

I do not have a lot of time, but I'll try to get you guys back on track. These issues can sometimes be a bear, and sometimes they do not end well. If you are able, I suggest backing up important data (pictures / music / work product) if you have not done so already.

PP:)

0
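PhilliePhan's point that a legitimate driver file has been modified in place is why GMER keeps flagging atapi.sys while every path and timestamp still looks normal. One cheap way to tell a patched PE image from a clean one, even without a reference copy to hash against, is to look at where its entry point lands. A driver's AddressOfEntryPoint normally falls in .text or in the discardable INIT section; an entry point inside a data-only section such as .rsrc means code has been grafted onto the file and the original entry redirected to it, which is one of the checks GMER applies to loaded drivers. The Python below is an added example, not part of the thread or of any tool it mentions; it parses the PE headers by hand, locates the section that contains the entry point, and classifies the result. Because the infected driver is not available here, it builds two small header-only PE32 images in memory (constructed test data, not real drivers) to exercise the check; the section layout and characteristics are assumptions chosen to resemble a typical XP driver.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(image):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize, Characteristics)])."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    table = opt + opt_size                                # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", image, off + 8)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append((name, va, vsize, chars))
    return entry_rva, sections


def classify_entry_point(image):
    """Name the section that contains the entry point and say whether that is normal.

    A driver's entry point in .text or in the discardable INIT section is ordinary.
    An entry point in a section not marked as code/executable, or in .rsrc
    (resources are data, never code), means the image has been patched.
    """
    entry_rva, sections = parse_pe(image)
    for name, va, vsize, chars in sections:
        if va <= entry_rva < va + vsize:
            executable = bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
            if name.lower() == ".rsrc" or not executable:
                return name, "suspicious"
            return name, "ok"
    return None, "suspicious"          # entry point outside every section


def build_pe(entry_rva, sections):
    """Constructed header-only PE32 image for exercising the check; not a real driver."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(224)                                  # sizeof(IMAGE_OPTIONAL_HEADER32)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    headers = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers


# Assumed layout resembling a typical XP kernel driver (constructed, not measured from atapi.sys).
DRIVER_SECTIONS = [
    (".text", 0x1000, 0x8000, 0x68000020),   # CODE | EXECUTE | READ | NOT_PAGED
    (".rsrc", 0x12000, 0x1000, 0x42000040),  # INITIALIZED_DATA | READ | DISCARDABLE
    ("INIT", 0x13000, 0x1000, 0xE2000020),   # CODE | EXECUTE | READ | WRITE | DISCARDABLE
]
CLEAN_IMAGE = build_pe(0x13040, DRIVER_SECTIONS)    # DriverEntry in INIT: normal
PATCHED_IMAGE = build_pe(0x12380, DRIVER_SECTIONS)  # entry redirected into .rsrc: patched

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE)):
        section, verdict = classify_entry_point(img)
        print(f"{label}: entry point in {section} -> {verdict}")
```

On a live machine you would feed `classify_entry_point` the bytes of the driver read from disk. Treat "suspicious" as a reason to compare the file against the pristine copy expanded from the I386 cache, as the thread does later, rather than as proof by itself; the definitive check is that the on-disk driver and the expanded atapi.sy_ hash identically.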

PhilliePhan to the rescue!!!!

LOL!
I was trying to reply the other day, but I couldn't access the thread - got some sort of phpbb error (I think) . . .

PP:)

0

Here's the log.

Microsoft Windows XP [Version 5.1.2600]
Sun 11/29/2009
05:34 PM

FindWPP is running from C:\Documents and Settings\Owner\Desktop\FindWPP

RUNNING PROCESSES

PROCESS PID PRIO PATH
smss.exe 576 Normal C:\WINDOWS\System32\smss.exe
csrss.exe 640 Normal C:\WINDOWS\system32\csrss.exe
winlogon.exe 664 High C:\WINDOWS\system32\winlogon.exe
services.exe 708 Normal C:\WINDOWS\system32\services.exe
lsass.exe 720 Normal C:\WINDOWS\system32\lsass.exe
svchost.exe 860 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 944 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 980 Normal C:\WINDOWS\System32\svchost.exe
svchost.exe 1108 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1252 Normal C:\WINDOWS\system32\svchost.exe
Explorer.EXE 1272 Normal C:\WINDOWS\Explorer.EXE
spoolsv.exe 1356 Normal C:\WINDOWS\system32\spoolsv.exe
AOLacsd.exe 1456 Normal C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
svchost.exe 1504 Normal C:\WINDOWS\System32\svchost.exe
Msssrv.exe 1612 Normal C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
svchost.exe 1652 Normal C:\WINDOWS\svchost.exe
iexplore.exe 1764 Normal C:\Program Files\Internet Explorer\iexplore.exe
msmsgs.exe 1788 Normal C:\Program Files\Messenger\msmsgs.exe
btdna.exe 1796 Normal C:\Program Files\DNA\btdna.exe
WMPNSCFG.exe 1804 Normal C:\Program Files\Windows Media Player\WMPNSCFG.exe
RaUI.exe 1820 Normal C:\Program Files\RALINK\Common\RaUI.exe
svchust.exe 1880 Normal C:\WINDOWS\svchust.exe
nvsvc32.exe 208 Normal C:\WINDOWS\system32\nvsvc32.exe
MediaServer.exe 340 Normal C:\Program Files\TVersity\Media Server\MediaServer.exe
WMPNetwk.exe 448 Normal C:\Program Files\Windows Media Player\WMPNetwk.exe
CToolbar.exe 812 Normal C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
wmiprvse.exe 2112 Normal C:\WINDOWS\system32\wbem\wmiprvse.exe
alg.exe 2176 Normal C:\WINDOWS\System32\alg.exe
cmd.exe 236 Normal C:\WINDOWS\system32\cmd.exe
pv.exe 1952 Normal C:\Documents and Settings\Owner\Desktop\FindWPP\pv.exe

SERVICES RUNNING UNDER SVCHOST.EXE


EXE KEY MODIFIED?


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"


CHECKING SELECT POLICIES KEYS


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetActiveDesktop"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"EnableLUA"=dword:00000000


LOOKING FOR REPLACED FILES

Looking for atapi.sys

C:\WINDOWS\I386\
atapi.sy_ Wed Aug 4 2004 11:00:00a A.... 49,558 48.39 K

C:\XPSETUP\I386\
atapi.sy_ Wed Aug 4 2004 11:00:00a A.... 49,558 48.39 K

C:\WINDOWS\SYSTEM32\DRIVERS\
atapi.sys Wed Aug 4 2004 11:00:00a A.... 95,360 93.13 K

D:\MININT\SYSTEM32\DRIVERS\
atapi.sys Thu Aug 29 2002 5:00:00a ..... 86,912 84.88 K

D:\WINDOWS\SYSTEM32\DRIVERS\
atapi.sys Wed Aug 4 2004 11:00:00a A.... 95,360 93.13 K

5 items found: 5 files, 0 directories.
Total of file sizes: 376,748 bytes 367.92 K

Looking for cngaudit.dll

No matches found.

Looking for eventlog.dll

C:\WINDOWS\I386\
eventlog.dl_ Wed Aug 4 2004 11:00:00a A.... 30,131 29.42 K

C:\WINDOWS\SYSTEM32\
eventlog.dll Wed Aug 4 2004 11:00:00a A.... 55,808 54.50 K

C:\XPSETUP\I386\
eventlog.dl_ Wed Aug 4 2004 11:00:00a A.... 30,131 29.42 K

C:\WINDOWS\SYSTEM32\DLLCACHE\
eventlog.dll Wed Aug 4 2004 11:00:00a A.... 55,808 54.50 K

D:\WINDOWS\SYSTEM32\
eventlog.dll Wed Aug 4 2004 11:00:00a A.... 55,808 54.50 K

5 items found: 5 files, 0 directories.
Total of file sizes: 227,686 bytes 222.35 K

Looking for imm32.dll

C:\WINDOWS\I386\
imm32.dl_ Wed Aug 4 2004 11:00:00a A.... 46,094 45.01 K

C:\WINDOWS\SYSTEM32\
imm32.dll Wed Aug 4 2004 11:00:00a A.... 110,080 107.50 K

C:\XPSETUP\I386\
imm32.dl_ Wed Aug 4 2004 11:00:00a A.... 46,094 45.01 K

C:\WINDOWS\SYSTEM32\DLLCACHE\
imm32.dll Wed Aug 4 2004 11:00:00a A.... 110,080 107.50 K

D:\WINDOWS\SYSTEM32\
imm32.dll Wed Aug 4 2004 11:00:00a A.... 110,080 107.50 K

5 items found: 5 files, 0 directories.
Total of file sizes: 422,428 bytes 412.53 K

Looking for logevent.dll

No matches found.

Looking for netlogon.dll

C:\WINDOWS\I386\
netlogon.dl_ Wed Aug 4 2004 11:00:00a A.... 181,419 177.16 K

C:\WINDOWS\SYSTEM32\
netlogon.dll Wed Aug 4 2004 11:00:00a A.... 407,040 397.50 K

C:\XPSETUP\I386\
netlogon.dl_ Wed Aug 4 2004 11:00:00a A.... 181,419 177.16 K

C:\WINDOWS\SYSTEM32\DLLCACHE\
netlogon.dll Wed Aug 4 2004 11:00:00a A.... 407,040 397.50 K

D:\WINDOWS\SYSTEM32\
netlogon.dll Wed Aug 4 2004 11:00:00a A.... 407,040 397.50 K

5 items found: 5 files, 0 directories.
Total of file sizes: 1,583,958 bytes 1.51 M

Looking for ntelogon.dll

No matches found.

Looking for qmgr.dll

C:\WINDOWS\I386\
qmgr.dl_ Wed Aug 4 2004 11:00:00a A.... 145,881 142.46 K
qmgr.in_ Wed Aug 4 2004 11:00:00a A.... 1,951 1.90 K

C:\WINDOWS\INF\
qmgr.inf Wed Aug 4 2004 11:00:00a A.... 6,140 5.99 K
qmgr.pnf Sat Oct 10 2009 2:24:52p A.... 11,416 11.15 K

C:\WINDOWS\SYSTEM32\
qmgr.dll Wed Aug 4 2004 11:00:00a A.... 382,464 373.50 K

C:\XPSETUP\I386\
qmgr.dl_ Wed Aug 4 2004 11:00:00a A.... 145,881 142.46 K
qmgr.in_ Wed Aug 4 2004 11:00:00a A.... 1,951 1.90 K

C:\WINDOWS\SYSTEM32\DLLCACHE\
qmgr.dll Wed Aug 4 2004 11:00:00a A.... 382,464 373.50 K

D:\WINDOWS\INF\
qmgr.inf Wed Aug 4 2004 11:00:00a A.... 6,140 5.99 K

D:\I386\APPS\APP25887\
qmgr.cab Tue Dec 7 2004 3:25:00a A.... 79,041 77.19 K
qmgr.inf Tue Dec 7 2004 3:25:00a A.... 2,149 2.10 K

11 items found: 11 files, 0 directories.
Total of file sizes: 1,165,478 bytes 1.11 M

Looking for rasauto.dll

C:\WINDOWS\I386\
rasauto.dl_ Wed Aug 4 2004 11:00:00a A.... 37,552 36.67 K

C:\WINDOWS\SYSTEM32\
rasauto.dll Wed Aug 4 2004 11:00:00a A.... 89,088 87.00 K

C:\XPSETUP\I386\
rasauto.dl_ Wed Aug 4 2004 11:00:00a A.... 37,552 36.67 K

C:\WINDOWS\SYSTEM32\DLLCACHE\
rasauto.dll Wed Aug 4 2004 11:00:00a A.... 89,088 87.00 K

D:\WINDOWS\SYSTEM32\
rasauto.dll Wed Aug 4 2004 11:00:00a A.... 89,088 87.00 K

5 items found: 5 files, 0 directories.
Total of file sizes: 342,368 bytes 334.34 K

Looking for scecli.dll

C:\WINDOWS\I386\
scecli.dl_ Wed Aug 4 2004 11:00:00a A.... 71,807 70.12 K

C:\WINDOWS\SYSTEM32\
scecli.dll Wed Aug 4 2004 11:00:00a A.... 180,224 176.00 K

C:\XPSETUP\I386\
scecli.dl_ Wed Aug 4 2004 11:00:00a A.... 71,807 70.12 K

C:\WINDOWS\SYSTEM32\DLLCACHE\
scecli.dll Wed Aug 4 2004 11:00:00a A.... 180,224 176.00 K

D:\WINDOWS\SYSTEM32\
scecli.dll Wed Aug 4 2004 11:00:00a A.... 180,224 176.00 K

5 items found: 5 files, 0 directories.
Total of file sizes: 684,286 bytes 668.25 K

Looking for sceclt.dll

No matches found.

Looking for sfcfiles.dll

C:\WINDOWS\I386\
sfcfiles.dl_ Wed Aug 4 2004 11:00:00a A.... 79,843 77.97 K

C:\WINDOWS\SYSTEM32\
sfcfiles.dll Wed Aug 4 2004 11:00:00a A.... 1,580,544 1.50 M

C:\XPSETUP\I386\
sfcfiles.dl_ Wed Aug 4 2004 11:00:00a A.... 79,843 77.97 K

C:\WINDOWS\SYSTEM32\DLLCACHE\
sfcfiles.dll Wed Aug 4 2004 11:00:00a A.... 1,580,544 1.50 M

D:\WINDOWS\SYSTEM32\
sfcfiles.dll Wed Aug 4 2004 11:00:00a A.... 1,580,544 1.50 M

5 items found: 5 files, 0 directories.
Total of file sizes: 4,901,318 bytes 4.67 M

LOOKING FOR SUSPICIOUS FILES


No matches found.

No matches found.

No matches found.

No matches found.

No matches found.

No matches found.

SEARCH AND DESTROY KNOWN FILES

Looking for windows Police Pro.exe

No matches found.
Looking for Windows Antivirus Pro.exe

No matches found.
Looking for ~.exe

No matches found.
Looking for bennuar.old

No matches found.
Looking for bincd32.dat

No matches found.
Looking for braviax.exe

No matches found.

No matches found.
Looking for cru629.dat

No matches found.

No matches found.
Looking for dbsinit.exe

No matches found.

No matches found.
Looking for dddesot.dll

No matches found.
Looking for desot.exe

No matches found.
Looking for desote.exe

No matches found.
Looking for ppp3.dat

No matches found.
Looking for ppp4.dat

No matches found.
Looking for qcfbc.wbg

No matches found.
Looking for _scui.cpl

No matches found.
Looking for sysnet.dat

No matches found.
Looking for svchast.exe

No matches found.
Looking for svchasts.exe

No matches found.
Looking for wisdstr.exe

No matches found.
Looking for wispex.html

No matches found.
Looking for wiwow64.exe

No matches found.

EXE KEY STILL MODIFIED?


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"


SUSPECT REG KEYS

Nothing Found By This Tool!

CHECKING MBAM

C:\PROGRA~1\MALWAR~1\
mbam.exe Thu Sep 10 2009 2:53:56p A.... 1,312,080 1.25 M

1 item found: 1 file, 0 directories.
Total of file sizes: 1,312,080 bytes 1.25 M
*******************************************************************************
File: C:\Program Files\malwarebytes' anti-malware\mbam.exe

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
SHAUN\Users
Allowed Read and Execute This Folder/File Only (Inherited)
SHAUN\Administrators
Allowed Full Control This Folder/File Only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Full Control This Folder/File Only (Inherited)
SHAUN\Owner
Allowed Full Control This Folder/File Only (Inherited)

No Auditing set

Owner: Owner (SHAUN\Owner)

0
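The RUNNING PROCESSES table in this FindWPP log is where the svchust.exe entry that the next posts go after comes from. Two mechanical checks catch that kind of entry without relying on a blacklist of known bad names: a process whose name is one character away from a core Windows binary, and a core Windows binary running from a directory other than the one it ships in. The Python below is an added example (not part of FindWPP or of the thread) that applies both checks to a subset of the table above, embedded as sample input. The expected-directory table is my own and assumes a default Windows XP install under C:\WINDOWS.

```python
import re

# Sample input: rows copied from the FindWPP "RUNNING PROCESSES" table above.
SAMPLE_PROCESSES = r"""
PROCESS PID PRIO PATH
smss.exe 576 Normal C:\WINDOWS\System32\smss.exe
csrss.exe 640 Normal C:\WINDOWS\system32\csrss.exe
winlogon.exe 664 High C:\WINDOWS\system32\winlogon.exe
services.exe 708 Normal C:\WINDOWS\system32\services.exe
lsass.exe 720 Normal C:\WINDOWS\system32\lsass.exe
svchost.exe 860 Normal C:\WINDOWS\system32\svchost.exe
Explorer.EXE 1272 Normal C:\WINDOWS\Explorer.EXE
spoolsv.exe 1356 Normal C:\WINDOWS\system32\spoolsv.exe
svchost.exe 1652 Normal C:\WINDOWS\svchost.exe
iexplore.exe 1764 Normal C:\Program Files\Internet Explorer\iexplore.exe
svchust.exe 1880 Normal C:\WINDOWS\svchust.exe
alg.exe 2176 Normal C:\WINDOWS\System32\alg.exe
"""

# Where each core binary lives on a default Windows XP install (my assumption, lowercase).
EXPECTED_DIRS = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "alg.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_processes(text):
    """Turn the FindWPP process table into dicts; the path column may contain spaces."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group(1) == "PROCESS":   # skip blanks and the header row
            continue
        rows.append({"name": m.group(1), "pid": int(m.group(2)),
                     "prio": m.group(3), "path": m.group(4)})
    return rows


def edit_distance(a, b):
    """Plain Levenshtein distance; enough to catch one-letter lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(rows):
    """Return (pid, name, reason) for rows that deserve a closer look."""
    findings = []
    for r in rows:
        name = r["name"].lower()
        directory = r["path"].rsplit("\\", 1)[0].lower()
        if name in EXPECTED_DIRS:
            if directory not in EXPECTED_DIRS[name]:
                findings.append((r["pid"], r["name"],
                                 f"core binary running from {directory}"))
            continue
        for known in EXPECTED_DIRS:
            if edit_distance(name, known) == 1:
                findings.append((r["pid"], r["name"], f"one edit away from {known}"))
                break
    return findings


if __name__ == "__main__":
    for pid, name, reason in audit(parse_processes(SAMPLE_PROCESSES)):
        print(f"PID {pid:>5} {name:<14} {reason}")
```

On this sample the lookalike check flags svchust.exe (PID 1880). The path check also flags the svchost.exe at PID 1652, because it runs from C:\WINDOWS rather than C:\WINDOWS\system32; the thread does not follow up on that entry, so treat it as something to verify (for instance by hashing it against the System32 copy) rather than as a confirmed finding.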

Here's the log.

Well . . .I need to update that a bit LOL!

Anyhoo, I think it shows enough to get started.


Are you able to get a command prompt on the ill computer?
START > RUN > Type cmd OK

PP:)

0

I've got to run, so I'll assume you can get a command prompt.

Let's do this:

Open a command prompt and type the following exactly as I have posted it. Copy and paste would be better so you don't miss any spaces. (If C&P is not an option on the ill machine, you might want to copy and paste to Notepad on your working machine so you can see the spaces better before typing them.)
Obviously you want to hit ENTER after each line and, if prompted to delete or allow overwrite, say yes. Let me know of any errors that come up:

TSKILL "svchust" /A

DEL /F C:\WINDOWS\svchust.exe

COPY C:\WINDOWS\I386\atapi.sy_ C:\WINDOWS\system32\drivers\atapi.sys

Now, see if Combofix will run. If not, try MBAM. If either runs, please post the log. Be sure to update MBAM before running, if possible.

If neither runs, REBOOT the ill machine and then try to run them again.

Let me know how you fare - I'll check back as time permits.

PP:)


0

It's not working. Here's a copy of my

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Owner> TSKILL "svchust" /A
End Process failed for svchust:Access is denied.


C:\Documents and Settings\Owner> DEL /F C:\WINDOWS\svchust.exe
C:\WINDOWS\svchust.exe
Access is denied.

C:\Documents and Settings\Owner> COPY C:\WINDOWS\I386\atapi.sy_ C:\WINDOWS\syste
m32\drivers\atapi.sys
Overwrite C:\WINDOWS\system32\drivers\atapi.sys? (Yes/No/All): yes
The process cannot access the file because it is being used by another process.
0 file(s) copied.

C:\Documents and Settings\Owner>

0

I haven't tried this, but I know where my i386 is. Couldn't I just overwrite the bad atapi.sys file from there myself?

0

I haven't tried this, but I know where my i386 is. Couldn't I just overwrite the bad atapi.sys file from there myself?

It may not allow you to do so. No worries - we'll do it a different way.

-- Open task manager and see if you can stop svchust.exe from running. Note the spelling.
Let me know.

-- Also, try this at command prompt:
EXPAND C:\WINDOWS\I386\atapi.sy_ C:\atapi.sys

if that doesn't work, try:
COPY C:\WINDOWS\I386\atapi.sy_ C:\atapi.sys


PP:)


0

I am going to be away from the computer for a while, so I'll assume you were able to copy atapi.sys to C:\atapi.sys as in post #56.


If it is not still on the ill machine, please download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight Everything in Red below and copy it using Ctrl+C or RightClick > Copy:



Files to delete:
C:\WINDOWS\svchust.exe

Files to move:
C:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.

** If you have to type the commands, please note the spaces.

If Avenger runs successfully, please give combofix another go. See if you are able to download a new copy via the ill computer now.

If you ARE able to download a fresh copy, do this:

If you already have Combofix on the ill machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to iexplore.exe and then download it to your Desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!


Let me know how you fare - will check back as time permits.

PP:)

0

OK, I stopped svchust and entered the command. Here's the log.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Owner>EXPAND C:\WINDOWS\I386\atapi.sy_ C:\atapi.sys
Microsoft (R) File Expansion Utility Version 5.1.2600.0
Copyright (C) Microsoft Corp 1990-1999. All rights reserved.

Expanding c:\windows\i386\atapi.sy_ to c:\atapi.sys.
c:\windows\i386\atapi.sy_: 49558 bytes expanded to 95360 bytes, 92% increase.


C:\Documents and Settings\Owner>
If that helps any. And I haven't mentioned it before, but this virus is making my mouse act funny. It's really annoying!

0

OK, I stopped svchust and entered the command. Here's the log.

Great!

Now, do the Avenger step from post #57 and see if combofix will run.

Let me know how you fare.

PP:)

0

OK, I did what you said and my computer still freezes when I connect to the internet, and I still can't run Combofix. Here's the Avenger log.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\svchust.exe" deleted successfully.
File move operation "C:\atapi.sys|C:\WINDOWS\system32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
