Serious challenge for the malware fighters

  1. #1 (Join Date: Feb 2000; Location: Idaho Falls, Idaho, USA; Posts: 18,063)

    Serious challenge for the malware fighters

    I have a PC that appears to have a rootkit on it. Symptoms include the following:

    AVG control and test programs have been deleted. Updates cannot be downloaded for any antispyware software. Any antimalware software running in normal mode does not find anything, or doesn't finish scanning, or cannot delete anything including cookies. Cannot create new folders on the hard drive or delete any files. You get the idea.

    I tried connecting the hard drive to a clean PC as a slave drive and scanning it. Nothing of any consequence was found beyond a few cookies.

    I was finally able to get MalwareBytes and SuperAntispyware installed. The logs from those are attached, although probably not of much use. I will try to obtain a HijackThis log next.


    Malwarebytes' Anti-Malware 1.33
    Database version: 1654
    Windows 5.0.2195 Service Pack 4

    2/16/2009 9:19:09 PM
    mbam-log-2009-02-16 (21-19-09).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 126890
    Time elapsed: 3 hour(s), 4 minute(s), 39 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

  2. #2 (Join Date: Feb 2000; Location: Idaho Falls, Idaho, USA; Posts: 18,063)

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 02/16/2009 at 02:37 AM

    Application Version : 4.25.1012

    Core Rules Database Version : 3758
    Trace Rules Database Version: 1721

    Scan type : Complete Scan
    Total Scan Time : 03:50:32

    Memory items scanned : 261
    Memory threats detected : 0
    Registry items scanned : 6682
    Registry threats detected : 0
    File items scanned : 79039
    File threats detected : 1

    Adware.Tracking Cookie
    C:\Documents and Settings\User\Cookies\user@socialmedia[2].txt

  3. #3 (Join Date: Feb 2000; Location: Idaho Falls, Idaho, USA; Posts: 18,063)

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2009-02-16 21:27:24
    Windows 5.0.2195 Service Pack 4


    ---- System - GMER 1.0.14 ----

    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xEB43087E]
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xEB430C10]

    ---- User IAT/EAT - GMER 1.0.14 ----

    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\explorer.exe [ADVAPI32.DLL!RegCloseKey] [10003B50] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\explorer.exe [ADVAPI32.DLL!RegOpenKeyExW] [10004F50] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\explorer.exe [ADVAPI32.DLL!RegSetValueExW] [100042E0] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\explorer.exe [ADVAPI32.DLL!RegCreateKeyW] [10004A90] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\explorer.exe [ADVAPI32.DLL!RegOpenKeyW] [10004E70] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\explorer.exe [ADVAPI32.DLL!RegCreateKeyExW] [10005040] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\explorer.exe [ADVAPI32.DLL!RegOpenKeyExA] [10003760] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\explorer.exe [KERNEL32.DLL!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\explorer.exe [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\explorer.exe [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\explorer.exe [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\explorer.exe [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\explorer.exe [USER32.DLL!ExitWindowsEx] [100060F0] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegOpenKeyW] [10004E70] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegSetValueExA] [10003F20] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegCreateKeyExA] [100037D0] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegOpenKeyExA] [10003760] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegCloseKey] [10003B50] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegOpenKeyExW] [10004F50] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\Secur32.dll [ADVAPI32.DLL!RegCreateKeyExW] [10005040] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\Secur32.dll [ADVAPI32.DLL!RegCloseKey] [10003B50] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\Secur32.dll [ADVAPI32.DLL!RegSetValueExW] [100042E0] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\Secur32.dll [ADVAPI32.DLL!RegOpenKeyExW] [10004F50] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegCloseKey] [10003B50] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegSetValueExW] [100042E0] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegSetValueW] [10005410] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegSetValueExA] [10003F20] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegCreateKeyExA] [100037D0] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegCreateKeyA] [10004770] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegCreateKeyW] [10004A90] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegCreateKeyExW] [10005040] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegOpenKeyA] [10003AF0] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegOpenKeyW] [10004E70] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegOpenKeyExW] [10004F50] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegSetValueA] [10003BB0] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegOpenKeyExA] [10003760] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\psapi.dll [KERNEL32.DLL!LoadLibraryA] [10005810] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\psapi.dll [KERNEL32.DLL!FreeLibrary] [10005C00] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\psapi.dll [KERNEL32.DLL!GetProcAddress] [10005C80] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)

  4. #4 (Join Date: Feb 2000; Location: Idaho Falls, Idaho, USA; Posts: 18,063)

    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

    ---- Devices - GMER 1.0.14 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Disk sectors - GMER 1.0.14 ----

    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 21: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 22: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- EOF - GMER 1.0.14 ----

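    The GMER output in posts #3 and #4 is almost entirely IAT hook lines, and reading them one by one hides what matters. The Python below is an added example, not part of this thread or of GMER: it parses the line layout shown in the log, collapses the hooks by the file that owns the hook code, and pulls out the disk-sector findings. It assumes the `IAT ... (description/vendor)` layout seen here and runs on a constructed sample log in which the `EXAMPLE_NOVERSION.DLL` entry is a placeholder for a hooking file that carries no version information.

```python
import re

# GMER 1.0.14 "User IAT/EAT" line layout, as seen in the log posted in this thread:
#   IAT <process>[<pid>] @ <module> [<dll>!<api>] [<addr>] <hook file> (<description>/<vendor>)
# The "(description/vendor)" tail comes from the hooking file's version resource and is
# absent when the file has none; that absence is itself a triage signal.
IAT_RE = re.compile(
    r"^IAT (?P<process>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) "
    r"\[(?P<dll>[^!\]]+)!(?P<api>[^\]]+)\] \[(?P<addr>[0-9A-Fa-f]+)\] "
    r"(?P<hook>.+?)(?: \((?P<desc>[^/)]*)/(?P<vendor>[^)]*)\))?$"
)

# "Disk sectors" line layout:
#   Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; <-- ROOTKIT !!!
DISK_RE = re.compile(r"^Disk (?P<device>\S+) sector (?P<sector>\d+): (?P<note>.*)$")

# Constructed sample in the same layout as the thread's log: a few of its IAT lines plus its
# disk-sector block. The EXAMPLE_NOVERSION.DLL line is a placeholder for a hooking file with
# no version information, which GMER prints without the "(desc/vendor)" tail.
SAMPLE_LOG = r"""
---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\explorer.exe [ADVAPI32.DLL!RegCloseKey] [10003B50] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\explorer.exe [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\psapi.dll [KERNEL32.DLL!GetProcAddress] [10005C80] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
IAT C:\WINNT\explorer.exe[532] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [00401000] C:\WINNT\system32\EXAMPLE_NOVERSION.DLL

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 22: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
"""


def parse_gmer(text):
    """Split a GMER log into its IAT hook records and its disk-sector findings."""
    hooks, disk = [], []
    for raw in text.splitlines():
        line = raw.strip()  # tolerate the indentation a forum paste adds
        m = IAT_RE.match(line)
        if m:
            hooks.append(m.groupdict())  # desc/vendor are None when the tail is absent
            continue
        m = DISK_RE.match(line)
        if m:
            disk.append({"device": m["device"], "sector": int(m["sector"]),
                         "note": m["note"].strip()})
    return hooks, disk


def hooks_by_owner(hooks):
    """Collapse one-line-per-API hooks into one record per file that owns the hook code."""
    owners = {}
    for h in hooks:
        rec = owners.setdefault(h["hook"], {"vendor": h["vendor"], "apis": set()})
        rec["apis"].add(f"{h['dll']}!{h['api']}")
    return owners


def triage(text):
    """Reduce a GMER log to the questions a responder actually has to answer."""
    hooks, disk = parse_gmer(text)
    owners = hooks_by_owner(hooks)
    return {
        # Vendor strings are self-declared version info: an attribution aid to check
        # against the software really installed, not proof that a hook is benign.
        "attributed": {path: rec["vendor"] for path, rec in owners.items() if rec["vendor"]},
        "unattributed": sorted(path for path, rec in owners.items() if rec["vendor"] is None),
        # Sector 0 is the MBR. GMER's explicit ROOTKIT tag on it, and the sector it reports
        # as holding a copy of the MBR, are the findings that have to be explained, either
        # by an installed product that legitimately owns the MBR or by an infection.
        "mbr_flagged": any(d["sector"] == 0 and "<-- ROOTKIT" in d["note"] for d in disk),
        "mbr_copy_sector": next((d["sector"] for d in disk if "copy of MBR" in d["note"]), None),
        "suspect_sectors": sorted(d["sector"] for d in disk),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Run against the full log in this thread, every hook attributes to Symantec's APITRAP.DLL or Microsoft's shim engine (shim.dll, AcLayers.DLL), so the hook section is noise; the disk-sector section is the finding to explain, and post #6 names a disk-restore product that may legitimately own the MBR.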
  5. #5 (Join Date: Dec 2007; Location: Daly City, CA; Posts: 22,550)

    Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

    * Doubleclick mbr.exe and follow prompts.
    * A black DOS window will quickly appear then disappear.
    * When mbr.exe is finished it will create a log on your desktop.
    * Copy and paste contents of that log (mbr.log) file to your next reply.

  6. #6 (Join Date: Feb 2000; Location: Idaho Falls, Idaho, USA; Posts: 18,063)

    Broni,

    Thanks for the reply. I should mention that this PC does have some software installed that may show up as a rootkit in the MBR. RestoreIt! from the link below is installed. However, this software was working properly prior to the appearance of the problem. I still think the PC has a rootkit as well, however. I will post the log from mbr.exe as well as a HijackThis log later today.

    http://www.farstone.com/software/restoreit.htm

  7. #7 (Join Date: Dec 2007; Location: Daly City, CA; Posts: 22,550)

    No problem

  8. #8 (Join Date: Feb 2000; Location: Idaho Falls, Idaho, USA; Posts: 18,063)

    MBR Log - Safe Mode

    Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    copy of MBR has been found in sector 1 !


    ---------------------------------------------------

    MBR Log - Normal Mode:

    Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    copy of MBR has been found in sector 1 !

  9. #9 (Join Date: Feb 2000; Location: Idaho Falls, Idaho, USA; Posts: 18,063)

    HijackThis Log - Safe Mode:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:07:12 PM, on 2/17/2009
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Safe mode

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\Documents and Settings\User\Desktop\Spy Ware\LowJillThat.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS13
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webshots.com/r/internal/start/client/RAND
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: IconHlprObj Class - {03183603-F684-11d2-A17F-00A0C90AE44B} - C:\PROGRA~1\IconLock\LockHlpr.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
    O4 - HKLM\..\Run: [IconLock] C:\Program Files\IconLock\ICONLOCK.EXE
    O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\VBPTASK.EXE" VBStart
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.facebook.com/controls/contactx.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0AEA29D6-99A0-4339-9253-2C8931F61AFB}: NameServer = 69.20.128.5,69.20.129.5
    O17 - HKLM\System\CCS\Services\Tcpip\..\{940D27D2-0C9E-4DF6-9D57-CEE0FB553137}: NameServer = 69.20.128.5,69.20.129.5
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0AEA29D6-99A0-4339-9253-2C8931F61AFB}: NameServer = 69.20.128.5,69.20.129.5
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0AEA29D6-99A0-4339-9253-2C8931F61AFB}: NameServer = 69.20.128.5,69.20.129.5
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
    O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: UPS - APC PowerChute plus (UPS) - APC - C:\Program Files\Pwrchute\ups.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
    O23 - Service: YEDIScan - Unknown owner - C:\WINNT\system32\YEDIScan.exe
    O24 - Desktop Component 0: (no name) - http://photo-origin.tickle.com/image...O378483079.jpg

    --
    End of file - 8729 bytes

  10. #10
    HijackThis Log - Normal Mode:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:15:23 PM, on 2/17/2009
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\drivers\CDAC11BA.EXE
    C:\WINNT\System32\cisvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
    C:\Program Files\Pwrchute\ups.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\YEDIScan.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\PROMon.exe
    C:\WINNT\system32\atiptaxx.exe
    C:\WINNT\system32\desk95.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
    C:\Program Files\IconLock\ICONLOCK.EXE
    C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\VBPTASK.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINNT\system32\cmd.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
    C:\Documents and Settings\User\Desktop\Spy Ware\LowJillThat.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS13
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webshots.com/r/internal/start/client/RAND
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: IconHlprObj Class - {03183603-F684-11d2-A17F-00A0C90AE44B} - C:\PROGRA~1\IconLock\LockHlpr.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
    O4 - HKLM\..\Run: [IconLock] C:\Program Files\IconLock\ICONLOCK.EXE
    O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\VBPTASK.EXE" VBStart
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.facebook.com/controls/contactx.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0AEA29D6-99A0-4339-9253-2C8931F61AFB}: NameServer = 69.20.128.5,69.20.129.5
    O17 - HKLM\System\CCS\Services\Tcpip\..\{940D27D2-0C9E-4DF6-9D57-CEE0FB553137}: NameServer = 69.20.128.5,69.20.129.5
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0AEA29D6-99A0-4339-9253-2C8931F61AFB}: NameServer = 69.20.128.5,69.20.129.5
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0AEA29D6-99A0-4339-9253-2C8931F61AFB}: NameServer = 69.20.128.5,69.20.129.5
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
    O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: UPS - APC PowerChute plus (UPS) - APC - C:\Program Files\Pwrchute\ups.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
    O23 - Service: YEDIScan - Unknown owner - C:\WINNT\system32\YEDIScan.exe
    O24 - Desktop Component 0: (no name) - http://photo-origin.tickle.com/image...O378483079.jpg

    --
    End of file - 10245 bytes

  11. #11
    GMer Log - Normal Mode, Part 1 of 4

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2009-02-17 21:22:19
    Windows 5.0.2195 Service Pack 4


    ---- System - GMER 1.0.14 ----

    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xB7093040]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xB708F930]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xB709AA80]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xB7093510]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xB7099870]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xB709CFD0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xB7093600]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xB708FF20]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xB709B6E0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xB709B440]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xB7099580]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xB709B8B0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xB708FD70]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xB7099350]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xB7099150]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xB709BCB0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xB7092C00]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xB709C080]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xB7093220]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xB7090120]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xB709B140]
    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB7047F20]

    ---- Kernel code sections - GMER 1.0.14 ----

    ? srescan.sys The system cannot find the file specified. !
    ? C:\DOCUME~1\User\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- Kernel IAT/EAT - GMER 1.0.14 ----

    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B7097CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B7097E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B70981C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B7098320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B7097CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B70981C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B7098320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B7097E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B7097CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B7098320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B70981C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [B70A5330] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [B7090670] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [B70905C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [B7090770] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [B70902D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    Last edited by jdc2000; February 18th, 2009 at 01:12 AM.

  12. #12
    GMer Log - Normal Mode, Part 2 of 4

    ---- User IAT/EAT - GMER 1.0.14 ----

    IAT C:\Personnal\Downloaded Programs\GMer\02-14-09\gmer.exe[684] @ C:\WINNT\system32\USER32.DLL [KERNEL32.dll!GetLogicalDrives] [01221000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\WINNT\system32\PROMon.exe[1116] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetLogicalDrives] [01071000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\WINNT\system32\PROMon.exe[1116] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetLogicalDrives] [01071000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1128] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetLogicalDrives] [015B1000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1128] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetLogicalDrives] [015B1000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\Explorer.EXE [ADVAPI32.DLL!RegCloseKey] [10003B50] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\Explorer.EXE [ADVAPI32.DLL!RegOpenKeyExW] [10004F50] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\Explorer.EXE [ADVAPI32.DLL!RegSetValueExW] [100042E0] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\Explorer.EXE [ADVAPI32.DLL!RegCreateKeyW] [10004A90] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\Explorer.EXE [ADVAPI32.DLL!RegOpenKeyW] [10004E70] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\Explorer.EXE [ADVAPI32.DLL!RegCreateKeyExW] [10005040] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\Explorer.EXE [ADVAPI32.DLL!RegOpenKeyExA] [10003760] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\Explorer.EXE [USER32.DLL!ExitWindowsEx] [100060F0] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegOpenKeyW] [10004E70] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegSetValueExA] [10003F20] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegCreateKeyExA] [100037D0] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegOpenKeyExA] [10003760] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegCloseKey] [10003B50] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegOpenKeyExW] [10004F50] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\Secur32.dll [ADVAPI32.DLL!RegCreateKeyExW] [10005040] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\Secur32.dll [ADVAPI32.DLL!RegCloseKey] [10003B50] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\Secur32.dll [ADVAPI32.DLL!RegSetValueExW] [100042E0] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\Secur32.dll [ADVAPI32.DLL!RegOpenKeyExW] [10004F50] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetLogicalDrives] [033B1000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegCloseKey] [10003B50] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegSetValueExW] [100042E0] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegSetValueW] [10005410] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegSetValueExA] [10003F20] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegCreateKeyExA] [100037D0] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegCreateKeyA] [10004770] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegCreateKeyW] [10004A90] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegCreateKeyExW] [10005040] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegOpenKeyA] [10003AF0] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegOpenKeyW] [10004E70] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegOpenKeyExW] [10004F50] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegSetValueA] [10003BB0] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegOpenKeyExA]

  13. #13
    GMer Log - Normal Mode, Part 3 of 4

    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\psapi.dll [KERNEL32.DLL!LoadLibraryA] [10005810] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\psapi.dll [KERNEL32.DLL!FreeLibrary] [10005C00] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\psapi.dll [KERNEL32.DLL!GetProcAddress] [10005C80] C:\WINNT\system32\APITRAP.DLL (Apitrap/Symantec Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetLogicalDrives] [033B1000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[1500] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1616] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetLogicalDrives] [0FED1000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1616] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetLogicalDrives] [0FED1000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe[1704] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetLogicalDrives] [00EF1000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe[1704] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetLogicalDrives] [00EF1000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\WINNT\system32\atiptaxx.exe[1708] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetLogicalDrives] [011B1000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\WINNT\system32\atiptaxx.exe[1708] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetLogicalDrives] [011B1000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\WINNT\system32\desk95.exe[1716] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetLogicalDrives] [00C61000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\WINNT\system32\desk95.exe[1716] @ C:\WINNT\system32\SHELL32.DLL [KERNEL32.dll!GetLogicalDrives] [00C61000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe[1740] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetLogicalDrives] [01351000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe[1740] @ C:\WINNT\system32\SHELL32.DLL [KERNEL32.dll!GetLogicalDrives] [01351000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe[1748] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetLogicalDrives] [022F1000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe[1748] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetLogicalDrives] [022F1000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\VBPTASK.EXE[1768] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetLogicalDrives] [00231000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\VBPTASK.EXE[1768] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetLogicalDrives] [00231000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\Program Files\Webshots\WebshotsTray.exe[1840] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetLogicalDrives] [00A01000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll
    IAT C:\Program Files\Webshots\WebshotsTray.exe[1840] @ C:\WINNT\system32\SHELL32.DLL [KERNEL32.dll!GetLogicalDrives] [00A01000] C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll

    ---- Devices - GMER 1.0.14 ----

    Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

    AttachedDevice \Driver\Tcpip \Device\Ip Scap.sys (Check Point Software Technologies)

    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

    AttachedDevice \Driver\Tcpip \Device\Tcp Scap.sys (Check Point Software Technologies)

  14. #14
    Join Date
    Feb 2000
    Location
    Idaho Falls, Idaho, USA
    Posts
    18,063
    GMer Log - Normal Mode, Part 4 of 4
    ---- Disk sectors - GMER 1.0.14 ----

    Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 21: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

    ---- EOF - GMER 1.0.14 ----

  15. #15
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Go to Start > Run, type in:
    cmd
    Click OK.

    At the DOS prompt type:
    mbr.exe -f (<------make sure you have a space before the -f)
    Hit Enter.

    Type:
    exit
    Hit Enter.

    Restart the computer normally.

    Run the mbr.exe again.
    Post new log.
