
Trojan Virus And Malware Today


  • This topic is locked
29 replies to this topic

#1 buschdog81 (Members, 20 posts)

Posted 23 August 2007 - 11:31 AM

I tried every pre-scan recommended and restore point is off.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:33 AM, on 8/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\zFTPServer\zFTPServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system32\lsdsrngp.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\nwintmdt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Documents and Settings\323112\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://portal
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by FNTS
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {396A0534-A87D-4D06-B4A7-5CB551856E49} - C:\WINDOWS\system32\ddayy.dll (file missing)
O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINDOWS\system32\aosseeev.dll
O2 - BHO: (no name) - {4614B16D-1789-4E64-B2F7-0EE034B0328D} - C:\WINDOWS\system32\ssqpn.dll (file missing)
O2 - BHO: (no name) - {6543FC7E-9344-424C-AEEB-2581B356075D} - C:\WINDOWS\system32\vtsqp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7B0C3745-2F04-4A3F-844F-E1470ACA7387} - C:\WINDOWS\system32\sstqo.dll (file missing)
O2 - BHO: (no name) - {87510A82-85FD-4551-9679-618BF3151676} - C:\WINDOWS\system32\pmkhe.dll (file missing)
O2 - BHO: (no name) - {BB33F296-DBA0-4FA0-8C7F-1C1CF3B71F3F} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: (no name) - {D343AF4E-1EFC-4A3B-9F74-0BD8B3BB8AF1} - C:\WINDOWS\system32\pmnnl.dll (file missing)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ToolExe] c:\program files\dell\traytool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [zFTPServer] "C:\Program Files\zFTPServer\zFTPServer.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{A2-29-9B-BC-ZN}] C:\windows\system32\lsdsrngp.exe CHD003
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\nwintmdt.exe CHD003
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\lsdsrngp.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\nwintmdt.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://portal
O16 - DPF: {008BBE7E-C096-11D0-B4E3-00A0C901D681} (TeeChart Pro Activex control) - https://silverback50.fntsclients.com/servle...ex/teechart.cab
O16 - DPF: {462D5053-2D60-4022-B583-7E34AA0F90B7} (ExPopupMenu ActiveX Control) - https://silverback50.fntsclients.com/servle...x/popupmenu.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.fnts.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.fnts.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.fnts.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.fnts.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corp.fnts.com
O20 - AppInit_DLLs: 6741f5de
O20 - Winlogon Notify: ursrqrr - ursrqrr.dll (file missing)
O21 - SSODL: jkLVYRp - {880A29BD-22A0-8317-0667-B70A8D9B17B0} - C:\WINDOWS\system32\epj.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9432 bytes


#2 SNOWHITE (missy malware magnet; Members, 2,676 posts; Bitola, Macedonia)

Posted 25 August 2007 - 01:18 PM

Hello buschdog81 :thumbsup:

Sorry for the late reply, but as you can see we handle more than our fair share of logs. If you still have problems, please post a fresh HijackThis log and we can begin the cleaning process.


Regards,
SNOWHITE

#3 buschdog81 (Topic Starter; Members, 20 posts)

Posted 26 August 2007 - 10:21 AM

Thank you, SNOWHITE, for taking your time to help with this issue.
I have included the new HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:28 AM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\zFTPServer\zFTPServer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system32\lsdsrngp.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\nwintmdt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\323112\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://portal
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by FNTS
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {396A0534-A87D-4D06-B4A7-5CB551856E49} - C:\WINDOWS\SYSTEM32\DDAYY.DLL (file missing)
O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINDOWS\SYSTEM32\AOSSEEEV.DLL
O2 - BHO: (no name) - {4614B16D-1789-4E64-B2F7-0EE034B0328D} - C:\WINDOWS\SYSTEM32\SSQPN.DLL (file missing)
O2 - BHO: (no name) - {6543FC7E-9344-424C-AEEB-2581B356075D} - C:\WINDOWS\SYSTEM32\VTSQP.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7B0C3745-2F04-4A3F-844F-E1470ACA7387} - C:\WINDOWS\SYSTEM32\SSTQO.DLL (file missing)
O2 - BHO: (no name) - {87510A82-85FD-4551-9679-618BF3151676} - C:\WINDOWS\SYSTEM32\PMKHE.DLL (file missing)
O2 - BHO: (no name) - {BB33F296-DBA0-4FA0-8C7F-1C1CF3B71F3F} - C:\WINDOWS\SYSTEM32\AWTST.DLL (file missing)
O2 - BHO: (no name) - {D343AF4E-1EFC-4A3B-9F74-0BD8B3BB8AF1} - C:\WINDOWS\SYSTEM32\PMNNL.DLL (file missing)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ToolExe] c:\program files\dell\traytool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [zFTPServer] "C:\Program Files\zFTPServer\zFTPServer.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{A2-29-9B-BC-ZN}] C:\windows\system32\lsdsrngp.exe CHD003
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\nwintmdt.exe CHD003
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\lsdsrngp.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\nwintmdt.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://portal
O16 - DPF: {008BBE7E-C096-11D0-B4E3-00A0C901D681} (TeeChart Pro Activex control) - https://silverback50.fntsclients.com/servle...ex/teechart.cab
O16 - DPF: {462D5053-2D60-4022-B583-7E34AA0F90B7} (ExPopupMenu ActiveX Control) - https://silverback50.fntsclients.com/servle...x/popupmenu.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.fnts.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.fnts.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.fnts.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.fnts.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corp.fnts.com
O20 - AppInit_DLLs: 6741f5de
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ursrqrr - ursrqrr.dll (file missing)
O21 - SSODL: jkLVYRp - {880A29BD-22A0-8317-0667-B70A8D9B17B0} - C:\WINDOWS\system32\epj.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9819 bytes
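The two HijackThis logs above, together with the Run-key dump ComboFix prints in a later post, as an added example that is not part of the thread and not a HijackThis or ComboFix feature: a small Python triage script that parses the O2/O4/O20/O21 lines and flags the persistence patterns visible in these logs (BHOs with no friendly name or a missing DLL, Run values and Startup shortcuts that launch unrecognised binaries straight from system32, a non-empty AppInit_DLLs value, a Winlogon Notify package resolved by bare name, and any SSODL entry), then compares the HKLM Run key against the ComboFix dump to show which value names survived while the binary underneath was renamed. The sample lines are copied from the posted logs; the regexes, the heuristics, the `KNOWN_SYSTEM32_AUTORUNS` allowlist and every function name are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs posted above.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {396A0534-A87D-4D06-B4A7-5CB551856E49} - C:\WINDOWS\system32\ddayy.dll (file missing)
O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINDOWS\system32\aosseeev.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{A2-29-9B-BC-ZN}] C:\windows\system32\lsdsrngp.exe CHD003
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\nwintmdt.exe CHD003
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\nwintmdt.exe
O20 - AppInit_DLLs: 6741f5de
O20 - Winlogon Notify: ursrqrr - ursrqrr.dll (file missing)
O21 - SSODL: jkLVYRp - {880A29BD-22A0-8317-0667-B70A8D9B17B0} - C:\WINDOWS\system32\epj.dll (file missing)
"""

# Constructed sample: the same Run key as ComboFix printed it after its reboot (later post).
COMBOFIX_RUN_SAMPLE = r"""
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]
"{A2-29-9B-BC-ZN}"="c:\windows\system32\dwdsrngt.exe" [2007-08-26 16:31]
"ExploreUpdSched"="C:\WINDOWS\system32\owinmmdt.exe" [2007-08-26 16:32]
"""

# Assumption for this example: Windows binaries expected to autostart straight out of
# system32 on this box. Real triage checks a known-good catalog or file hashes instead.
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe"}

MISSING = r"(?P<missing> \(file missing\))?$"
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)" + MISSING)
RE_O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
RE_O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<lnk>.+?) = (?P<cmd>.*)$")
RE_O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
RE_O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)" + MISSING)
RE_O21 = re.compile(r"^O21 - SSODL: (?P<name>\S+) - \{[^}]+\} - (?P<path>.*?)" + MISSING)
RE_SYSTEM32 = re.compile(r"(?i)^[a-z]:\\windows\\system32\\[^\\]+$")
RE_CF_RUN = re.compile(r'^"(?P<value>[^"]+)"="(?P<path>[^"]*)"')

@dataclass
class Finding:
    section: str
    reason: str
    line: str

def exe_path(cmd):
    """Pull the executable out of a Run/Startup command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.exe)", cmd)
    return m.group(1) if m else cmd.split()[0]

def unknown_system32(path):
    """True when a binary sits directly in system32 but is not on the allowlist."""
    return bool(RE_SYSTEM32.match(path)) and path.rsplit("\\", 1)[-1].lower() not in KNOWN_SYSTEM32_AUTORUNS

def triage(hjt_text):
    """Return (findings, run_values): suspicious entries and a map of Run value name -> target."""
    findings, run_values = [], {}
    for line in (l.strip() for l in hjt_text.splitlines() if l.strip()):
        if m := RE_O2.match(line):
            if m["name"] == "(no name)":
                findings.append(Finding("O2", "BHO registered without a friendly name", line))
            if m["missing"]:
                findings.append(Finding("O2", "BHO CLSID still registered but its DLL is gone from disk", line))
        elif m := RE_O4_RUN.match(line):
            exe = exe_path(m["cmd"])
            run_values[m["value"]] = exe.lower()
            if unknown_system32(exe):
                findings.append(Finding("O4", "Run value launches an unrecognised binary from system32", line))
        elif m := RE_O4_STARTUP.match(line):
            if unknown_system32(exe_path(m["cmd"])):
                findings.append(Finding("O4", "Startup shortcut launches an unrecognised binary from system32", line))
        elif m := RE_O20_APPINIT.match(line):
            if m["dlls"].strip():
                findings.append(Finding("O20", "AppInit_DLLs set: injected into every process that loads user32", line))
        elif m := RE_O20_NOTIFY.match(line):
            if m["missing"] or "\\" not in m["path"]:
                findings.append(Finding("O20", "Winlogon Notify package missing or resolved by bare name", line))
        elif m := RE_O21.match(line):
            findings.append(Finding("O21", "SSODL entry outside the defaults HijackThis hides; loads into Explorer", line))
    return findings, run_values

def parse_combofix_run(cf_text):
    """Parse ComboFix's "name"="path" [stamp] Run-key dump into name -> target."""
    matches = map(RE_CF_RUN.match, (l.strip() for l in cf_text.splitlines()))
    return {m["value"]: m["path"].lower() for m in matches if m}

def renamed_targets(before, after):
    """Run values that kept their name but now launch a different file: a loader
    that re-drops itself under a fresh random name each time it runs."""
    return {v: (before[v], after[v]) for v in before.keys() & after.keys() if before[v] != after[v]}

if __name__ == "__main__":
    found, hjt_runs = triage(HJT_SAMPLE)
    print(*[f"[{f.section}] {f.reason}: {f.line}" for f in found], sep="\n")
    print(renamed_targets(hjt_runs, parse_combofix_run(COMBOFIX_RUN_SAMPLE)))
```

Two points the output makes that the raw log does not: "(file missing)" is not "clean", because the CLSID or Notify registration is still live and re-arms as soon as a dropper writes the DLL back; and the `{A2-29-9B-BC-ZN}` and `ExploreUpdSched` values keep their names while the file they launch changes between runs, which is why deleting the binary named in one log does not remove the infection. Clearing the registry value and the Startup shortcut, not just the file, is the part that sticks.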

#4 SNOWHITE (missy malware magnet; Members, 2,676 posts; Bitola, Macedonia)

Posted 26 August 2007 - 03:43 PM

Hello buschdog81,

Please follow the steps below exactly in the order they are written:

1. Download ComboFix from one of these links:
Link1
Link2
2. Double-click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post back with the ComboFix report and a fresh HijackThis log.

Let me know how things went.

Regards,
SNOWHITE

#5 buschdog81 (Topic Starter; Members, 20 posts)

Posted 26 August 2007 - 04:39 PM

SNOWHITE,
I got what you requested: the ComboFix and HijackThis logs.

ComboFix 07-08-23.5 - "323112" 2007-08-26 16:27:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.394 [GMT -5:00]

ADS removed - svchost.exe: deleted 51712 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\323112\APPLIC~1\install.dat
C:\DOCUME~1\323112\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\DOCUME~1\323112\STARTM~1\Programs\Startup\ta_start.lnk
C:\DOCUME~1\323112\STARTM~1\Programs\Startup\think-adz.lnk
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Temp\fse
C:\WINDOWS\system32\1_exception.nls
C:\WINDOWS\system32\aosseeev.dll
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup
C:\WINDOWS\system32\drivers\asc3550u.sys
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\nwintmdt.exe
C:\WINDOWS\system32\tstwa.ini2
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\system32\zxdnt3d.cfg


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ASC3550U
-------\LEGACY_ICF
-------\LEGACY_NTMLSVC
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\NtmlSvc
-------\runtime


((((((((((((((((((((((((( Files Created from 2007-07-26 to 2007-08-26 )))))))))))))))))))))))))))))))


2007-08-26 16:24 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-23 17:24 <DIR> d-------- C:\Program Files\CCleaner
2007-08-23 10:37 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-23 10:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-23 10:37 <DIR> d-------- C:\DOCUME~1\323112\APPLIC~1\SUPERAntiSpyware.com
2007-08-23 07:25 52,762 --a------ C:\WINDOWS\system32\lsdsrngp.exe
2007-08-22 09:31 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-08-21 11:48 1,589,739 ---hs---- C:\WINDOWS\system32\npqss.bak2
2007-08-20 23:47 6,473 ---hs---- C:\WINDOWS\system32\npqss.bak1
2007-08-20 22:45 <DIR> d-------- C:\Deckard
2007-08-20 22:26 <DIR> d-------- C:\VundoFix Backups
2007-08-20 22:02 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-20 22:02 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-20 20:35 87,616 --a------ C:\WINDOWS\system32\xecsjnld.dll
2007-08-20 18:23 87,616 --------- C:\WINDOWS\system32\boiaxhvk.dll
2007-08-20 17:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-08-20 17:53 <DIR> d-------- C:\Program Files\Security Task Manager
2007-08-20 16:27 87,616 --a------ C:\WINDOWS\system32\kmscnhdb.dll
2007-08-20 14:12 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-08-20 13:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-20 12:50 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-08-20 12:50 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-08-20 12:50 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-08-20 12:50 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-08-20 12:50 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2007-08-20 12:50 <DIR> d-------- C:\Program Files\Webroot
2007-08-20 12:50 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-08-20 12:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-08-20 12:50 <DIR> d-------- C:\DOCUME~1\323112\APPLIC~1\Webroot
2007-08-20 11:21 <DIR> d-------- C:\DOCUME~1\323112\APPLIC~1\Tenebril
2007-08-20 11:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tenebril
2007-08-20 11:13 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2007-08-20 11:13 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2007-08-19 20:12 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-08-19 18:54 87,616 --a------ C:\WINDOWS\system32\buqfogws.dll
2007-08-19 18:14 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-19 18:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-19 18:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-26 16:32 932 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-08-26 16:32 192589 --a------ C:\WINDOWS\system32\owinmmdt.exe
2007-08-26 16:31 52776 --a------ C:\WINDOWS\system32\dwdsrngt.exe
2007-08-19 23:38 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-08-19 18:17 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-19 18:17 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-18 17:21 --------- d-------- C:\Program Files\Trillian
2007-08-07 19:40 --------- d-------- C:\DOCUME~1\323112\APPLIC~1\LimeWire
2007-08-07 19:40 --------- d-------- C:\DOCUME~1\323112\APPLIC~1\LimeWire
2007-07-02 08:27 --------- d-------- C:\DOCUME~1\323112\APPLIC~1\Apple Computer
2007-07-02 08:27 --------- d-------- C:\DOCUME~1\323112\APPLIC~1\Apple Computer
2007-06-30 18:45 --------- d-------- C:\Program Files\iTunes
2007-06-30 18:45 --------- d-------- C:\Program Files\iPod
2007-06-30 18:43 --------- d-------- C:\Program Files\Common Files\Apple
2007-06-30 18:43 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-06-28 10:58 --------- d-------- C:\Program Files\BillQuick2005


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{396A0534-A87D-4D06-B4A7-5CB551856E49}]
C:\WINDOWS\SYSTEM32\DDAYY.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4614B16D-1789-4E64-B2F7-0EE034B0328D}]
C:\WINDOWS\SYSTEM32\SSQPN.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6543FC7E-9344-424C-AEEB-2581B356075D}]
C:\WINDOWS\SYSTEM32\VTSQP.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B0C3745-2F04-4A3F-844F-E1470ACA7387}]
C:\WINDOWS\SYSTEM32\SSTQO.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87510A82-85FD-4551-9679-618BF3151676}]
C:\WINDOWS\SYSTEM32\PMKHE.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB33F296-DBA0-4FA0-8C7F-1C1CF3B71F3F}]
C:\WINDOWS\SYSTEM32\AWTST.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D343AF4E-1EFC-4A3B-9F74-0BD8B3BB8AF1}]
C:\WINDOWS\SYSTEM32\PMNNL.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" []
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" []
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" []
"ToolExe"="c:\program files\dell\traytool.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"zFTPServer"="C:\Program Files\zFTPServer\zFTPServer.exe" [2007-04-04 09:29]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]
"{A2-29-9B-BC-ZN}"="c:\windows\system32\dwdsrngt.exe" [2007-08-26 16:31]
"ExploreUpdSched"="C:\WINDOWS\system32\owinmmdt.exe" [2007-08-26 16:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]
"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [2005-08-31 21:27]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\DOCUME~1\323112\STARTM~1\Programs\Startup\
TA_Start.lnk - C:\WINDOWS\system32\dwdsrngt.exe [2007-08-26 16:31:52]
Think-Adz.lnk - C:\WINDOWS\system32\owinmmdt.exe [2007-08-26 16:32:00]
Trend Micro Anti-Spyware.lnk - C:\Program Files\Trend Micro\Tmasy\Tmasy.exe [2007-08-20 22:02:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"jkLVYRp"= {880A29BD-22A0-8317-0667-B70A8D9B17B0} - C:\WINDOWS\system32\epj.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ursrqrr]
ursrqrr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=6741f5de

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\WINDOWS\system32\DRIVERS\CSVirtA.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e87d7412-9f60-11db-8f6a-00059a3c7900}]
AutoRun\command- E:\LaunchU3.exe -a

*Newly Created Service* - ENTDRV51

Contents of the 'Scheduled Tasks' folder
2007-08-25 22:09:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-26 16:31:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\zxdnt3d.cfg

scan completed successfully
hidden files: 4

**************************************************************************

Completion time: 2007-08-26 16:33:39 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-26 16:33

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:35, on 2007-08-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
c:\windows\system32\dwdsrngt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\owinmmdt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\323112\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://portal
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {396A0534-A87D-4D06-B4A7-5CB551856E49} - C:\WINDOWS\SYSTEM32\DDAYY.DLL (file missing)
O2 - BHO: (no name) - {4614B16D-1789-4E64-B2F7-0EE034B0328D} - C:\WINDOWS\SYSTEM32\SSQPN.DLL (file missing)
O2 - BHO: (no name) - {6543FC7E-9344-424C-AEEB-2581B356075D} - C:\WINDOWS\SYSTEM32\VTSQP.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7B0C3745-2F04-4A3F-844F-E1470ACA7387} - C:\WINDOWS\SYSTEM32\SSTQO.DLL (file missing)
O2 - BHO: (no name) - {87510A82-85FD-4551-9679-618BF3151676} - C:\WINDOWS\SYSTEM32\PMKHE.DLL (file missing)
O2 - BHO: (no name) - {BB33F296-DBA0-4FA0-8C7F-1C1CF3B71F3F} - C:\WINDOWS\SYSTEM32\AWTST.DLL (file missing)
O2 - BHO: (no name) - {D343AF4E-1EFC-4A3B-9F74-0BD8B3BB8AF1} - C:\WINDOWS\SYSTEM32\PMNNL.DLL (file missing)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ToolExe] c:\program files\dell\traytool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [zFTPServer] "C:\Program Files\zFTPServer\zFTPServer.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{A2-29-9B-BC-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owinmmdt.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://portal
O16 - DPF: {008BBE7E-C096-11D0-B4E3-00A0C901D681} (TeeChart Pro Activex control) - https://silverback50.fntsclients.com/servle...ex/teechart.cab
O16 - DPF: {462D5053-2D60-4022-B583-7E34AA0F90B7} (ExPopupMenu ActiveX Control) - https://silverback50.fntsclients.com/servle...x/popupmenu.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.fnts.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.fnts.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.fnts.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.fnts.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corp.fnts.com
O20 - AppInit_DLLs: 6741f5de
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ursrqrr - ursrqrr.dll (file missing)
O21 - SSODL: jkLVYRp - {880A29BD-22A0-8317-0667-B70A8D9B17B0} - C:\WINDOWS\system32\epj.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9202 bytes
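The log above is the kind of output a helper reads by hand in this thread. As an added example, not code from the thread, from HijackThis or from its author, here is a small Python pass over that format: it parses the O2/O4/O20/O21 lines, flags the patterns that matter in this log (loaders pointing at files the scanner cannot find, Run/Startup entries launching straight out of system32, an AppInit_DLLs value that is not a DLL path) and collects the full paths so they can be reviewed before anything goes into a removal script. The sample lines are copied from the log; the allowlist and the heuristics are this example's own assumptions.

```python
"""Triage helper for a HijackThis v2 log (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis log in this thread,
# including the benign Adobe/iTunes/ctfmon/SUPERAntiSpyware entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {396A0534-A87D-4D06-B4A7-5CB551856E49} - C:\WINDOWS\SYSTEM32\DDAYY.DLL (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{A2-29-9B-BC-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owinmmdt.exe
O20 - AppInit_DLLs: 6741f5de
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ursrqrr - ursrqrr.dll (file missing)
O21 - SSODL: jkLVYRp - {880A29BD-22A0-8317-0667-B70A8D9B17B0} - C:\WINDOWS\system32\epj.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")  # "O4 - <rest of entry>"
SYSTEM32_RE = re.compile(r"[a-z]:\\windows\\system32\\([^\\\s\"]+)", re.IGNORECASE)
PATH_RE = re.compile(r"[a-z]:\\[^\s\"]+", re.IGNORECASE)
FILE_MISSING = "(file missing)"

# Assumed allowlist: system32 binaries that are normal to see in a Run key on XP.
KNOWN_SYSTEM32_AUTOSTART = {"ctfmon.exe"}


@dataclass
class Finding:
    kind: str     # HijackThis section, e.g. "O4"
    reason: str
    line: str


def _o4_target(rest: str) -> str:
    """Command or .lnk target of an O4 entry ('[name] cmd' or 'x.lnk = path')."""
    if "] " in rest:
        return rest.split("] ", 1)[1]
    if " = " in rest:
        return rest.split(" = ", 1)[1]
    return ""


def triage(log_text: str) -> List[Finding]:
    """Return the entries a helper would look at first, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # R0/R1/O23 and non-entry lines are left alone here
        kind, rest = m.groups()
        if FILE_MISSING in rest:
            # The load point still exists but the scanner cannot see the file:
            # either already removed, or hidden from user mode by a rootkit.
            findings.append(Finding(kind, "references a file the scanner cannot find", line))
            continue
        if kind == "O4":
            sm = SYSTEM32_RE.search(_o4_target(rest))
            if sm and sm.group(1).lower() not in KNOWN_SYSTEM32_AUTOSTART:
                findings.append(Finding(kind, f"starts {sm.group(1)} straight out of system32", line))
        elif kind == "O20" and rest.startswith("AppInit_DLLs:"):
            value = rest.split(":", 1)[1].strip()
            if value and not value.lower().endswith(".dll"):
                # AppInit_DLLs is loaded into every process that links user32;
                # a bare token instead of a DLL path is not how legitimate software uses it.
                findings.append(Finding(kind, f"AppInit_DLLs holds opaque value {value!r}", line))
    return findings


def suspect_paths(findings: List[Finding]) -> List[str]:
    """Full paths from flagged lines: raw material to review before writing a File:: script."""
    paths = set()
    for f in findings:
        m = PATH_RE.search(f.line)
        if m:
            paths.add(m.group(0))
    return sorted(paths, key=str.lower)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:4} {f.reason}\n     {f.line}")
    print("\nPaths to review:", *suspect_paths(found), sep="\n  ")
```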

#6 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 26 August 2007 - 05:05 PM

Hi buschdog81,

:thumbsup: A backdoor trojan and rootkits were detected on your system. This gives hackers full access to everything stored on the computer!

I recommend these actions:

1) use a known secure computer to change all of your online passwords
2) contact your bank and credit card company for possible unauthorised transactions

More info can be found here:


How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?


Some further reading:

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

If you choose to format and reinstall see this link for instructions:
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.


Regards,
SNOWHITE

#7 buschdog81

buschdog81
  • Topic Starter

  • Members
  • 20 posts

Posted 26 August 2007 - 05:30 PM

Thank you for your help.
That is horrible news.
Can you tell how active the Trojan was?
I was behind a firewall most of the time.

If the computer was connected to the Internet for a long time with the backdoor installed, or if the malware used ICQ to actively contact hackers, then it is more likely the backdoor was used. Therefore there is a high risk if re-formatting and re-installing is not done.

If the backdoor merely opens a port to listen the risk is slightly lower.

If the backdoor merely opens a port to listen and the computer was behind a working firewall or NAT router, then the risk of the backdoor being used is greatly reduced. Therefore there is probably a much lower risk if re-formatting and re-installing is not done.

#8 buschdog81

buschdog81
  • Topic Starter

  • Members
  • 20 posts

Posted 26 August 2007 - 05:55 PM

I would like to remove it first. Thank you.

#9 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 26 August 2007 - 07:55 PM

I would like to remove it first. Thank you.

Alright, it may take a while to clean it, so stick with me until I tell you that the computer is clean.

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER



Please follow the steps below exactly in the order they are written:

Step #1

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\lsdsrngp.exe
C:\WINDOWS\system32\npqss.bak2
C:\WINDOWS\system32\npqss.bak1
C:\WINDOWS\system32\xecsjnld.dll
C:\WINDOWS\system32\boiaxhvk.dll
C:\WINDOWS\system32\kmscnhdb.dll
C:\WINDOWS\system32\buqfogws.dll
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\owinmmdt.exe
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\system32\epj.dll
C:\WINDOWS\SYSTEM32\DDAYY.DLL
C:\WINDOWS\SYSTEM32\SSQPN.DLL
C:\WINDOWS\SYSTEM32\VTSQP.DLL
C:\WINDOWS\SYSTEM32\SSTQO.DLL
C:\WINDOWS\SYSTEM32\PMKHE.DLL


Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Reboot.

Step #2

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.
Step #3

Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

Step #4

Please do an online scan with Kaspersky WebScanner

NOTE: This Scanner will work with Internet Explorer Only!


Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As... button:
  • Under Save as type select Text file write name for the file and save it to your Desktop.
  • Locate the file at the Desktop, open it, then copy and paste that information in your next post.
Step #5
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
In your next post please include the following reports:
  • ComboFix report
  • SDFix report
  • GMER report
  • Kaspersky scan report
  • Uninstall list
  • New HijackThis log
Let me know how things went.

Post back with the reports and I will take a look at them tomorrow, as it is almost 3 in the morning here and I am very tired. :thumbsup:


Regards,
SNOWHITE

#10 buschdog81

buschdog81
  • Topic Starter

  • Members
  • 20 posts

Posted 26 August 2007 - 08:43 PM

Step #1

ComboFix 07-08-23.5 - "323112" 2007-08-26 20:35:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446 [GMT -5:00]
Command switches used :: C:\Documents and Settings\323112\Desktop\CFScript.txt

FILE::
C:\WINDOWS\system32\lsdsrngp.exe
C:\WINDOWS\system32\npqss.bak2
C:\WINDOWS\system32\npqss.bak1
C:\WINDOWS\system32\xecsjnld.dll
C:\WINDOWS\system32\boiaxhvk.dll
C:\WINDOWS\system32\kmscnhdb.dll
C:\WINDOWS\system32\buqfogws.dll
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\owinmmdt.exe
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\system32\epj.dll
C:\WINDOWS\SYSTEM32\DDAYY.DLL
C:\WINDOWS\SYSTEM32\SSQPN.DLL
C:\WINDOWS\SYSTEM32\VTSQP.DLL
C:\WINDOWS\SYSTEM32\SSTQO.DLL
C:\WINDOWS\SYSTEM32\PMKHE.DLL


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\323112\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\DOCUME~1\323112\STARTM~1\Programs\Startup\ta_start.lnk
C:\DOCUME~1\323112\STARTM~1\Programs\Startup\think-adz.lnk
C:\WINDOWS\system32\boiaxhvk.dll
C:\WINDOWS\system32\buqfogws.dll
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\kmscnhdb.dll
C:\WINDOWS\system32\lsdsrngp.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\npqss.bak1
C:\WINDOWS\system32\npqss.bak2
C:\WINDOWS\system32\owinmmdt.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\xecsjnld.dll
C:\WINDOWS\system32\zxdnt3d.cfg


((((((((((((((((((((((((( Files Created from 2007-07-27 to 2007-08-27 )))))))))))))))))))))))))))))))


2007-08-26 19:15 19,248 --a------ C:\WINDOWS\system32\drivers\rspsc32.sys
2007-08-26 19:15 <DIR> d-------- C:\Program Files\RootKit Hook Analyzer
2007-08-26 16:24 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-23 17:24 <DIR> d-------- C:\Program Files\CCleaner
2007-08-23 10:37 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-23 10:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-23 10:37 <DIR> d-------- C:\DOCUME~1\323112\APPLIC~1\SUPERAntiSpyware.com
2007-08-22 09:31 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-08-20 22:45 <DIR> d-------- C:\Deckard
2007-08-20 22:26 <DIR> d-------- C:\VundoFix Backups
2007-08-20 22:02 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-20 22:02 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-20 17:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-08-20 17:53 <DIR> d-------- C:\Program Files\Security Task Manager
2007-08-20 14:12 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-08-20 13:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-20 12:50 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-08-20 12:50 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-08-20 12:50 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-08-20 12:50 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-08-20 12:50 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2007-08-20 12:50 <DIR> d-------- C:\Program Files\Webroot
2007-08-20 12:50 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-08-20 12:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-08-20 12:50 <DIR> d-------- C:\DOCUME~1\323112\APPLIC~1\Webroot
2007-08-20 11:21 <DIR> d-------- C:\DOCUME~1\323112\APPLIC~1\Tenebril
2007-08-20 11:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tenebril
2007-08-20 11:13 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2007-08-20 11:13 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2007-08-19 20:12 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-08-19 18:14 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-19 18:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-19 18:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-19 23:38 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-08-19 18:17 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-19 18:17 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-18 17:21 --------- d-------- C:\Program Files\Trillian
2007-08-07 19:40 --------- d-------- C:\DOCUME~1\323112\APPLIC~1\LimeWire
2007-08-07 19:40 --------- d-------- C:\DOCUME~1\323112\APPLIC~1\LimeWire
2007-07-02 08:27 --------- d-------- C:\DOCUME~1\323112\APPLIC~1\Apple Computer
2007-07-02 08:27 --------- d-------- C:\DOCUME~1\323112\APPLIC~1\Apple Computer
2007-06-30 18:45 --------- d-------- C:\Program Files\iTunes
2007-06-30 18:45 --------- d-------- C:\Program Files\iPod
2007-06-30 18:43 --------- d-------- C:\Program Files\Common Files\Apple
2007-06-30 18:43 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-06-28 10:58 --------- d-------- C:\Program Files\BillQuick2005


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{396A0534-A87D-4D06-B4A7-5CB551856E49}]
C:\WINDOWS\SYSTEM32\DDAYY.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4614B16D-1789-4E64-B2F7-0EE034B0328D}]
C:\WINDOWS\SYSTEM32\SSQPN.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6543FC7E-9344-424C-AEEB-2581B356075D}]
C:\WINDOWS\SYSTEM32\VTSQP.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B0C3745-2F04-4A3F-844F-E1470ACA7387}]
C:\WINDOWS\SYSTEM32\SSTQO.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87510A82-85FD-4551-9679-618BF3151676}]
C:\WINDOWS\SYSTEM32\PMKHE.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB33F296-DBA0-4FA0-8C7F-1C1CF3B71F3F}]
C:\WINDOWS\SYSTEM32\AWTST.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D343AF4E-1EFC-4A3B-9F74-0BD8B3BB8AF1}]
C:\WINDOWS\SYSTEM32\PMNNL.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" []
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" []
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" []
"ToolExe"="c:\program files\dell\traytool.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"zFTPServer"="C:\Program Files\zFTPServer\zFTPServer.exe" [2007-04-04 09:29]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]
"{A2-29-9B-BC-ZN}"="c:\windows\system32\dwdsrngt.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]
"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [2005-08-31 21:27]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\DOCUME~1\323112\STARTM~1\Programs\Startup\
Trend Micro Anti-Spyware.lnk - C:\Program Files\Trend Micro\Tmasy\Tmasy.exe [2007-08-20 22:02:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"jkLVYRp"= {880A29BD-22A0-8317-0667-B70A8D9B17B0} - C:\WINDOWS\system32\epj.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ursrqrr]
ursrqrr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=6741f5de

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\WINDOWS\system32\DRIVERS\CSVirtA.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e87d7412-9f60-11db-8f6a-00059a3c7900}]
AutoRun\command- E:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2007-08-25 22:09:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-26 20:38:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-26 20:40:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-26 20:40
C:\ComboFix2.txt ... 2007-08-26 16:33

--- E O F ---

#11 buschdog81

buschdog81
  • Topic Starter

  • Members
  • 20 posts

Posted 26 August 2007 - 09:07 PM

STEP #2


SDFix: Version 1.100

Run by 323112 on 2007-08-26 at 20:59

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------


Files with Hidden Attributes:

C:\Deckard\System Scanner\backup\DOCUME~1\323112\LOCALS~1\Temp\Juniper Networks\setup\NeoterisSetupApp.exe
C:\Deckard\System Scanner\backup\WINDOWS\temp\$b17a2e8.tmp
C:\Documents and Settings\323112\Desktop\GB\misc\~WRL0001.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG

Finished

#12 buschdog81

buschdog81
  • Topic Starter

  • Members
  • 20 posts

Posted 26 August 2007 - 09:17 PM

STEP # 3


GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-08-26 21:15:52
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT 86FCF1F8 ZwAllocateVirtualMemory
SSDT 86FD2588 ZwCreateKey
SSDT 86FAB438 ZwCreateProcess
SSDT 86FDB020 ZwCreateProcessEx
SSDT 85C5D109 ZwCreateThread
SSDT 86F95190 ZwDeleteKey
SSDT 86FD2410 ZwDeleteValueKey
SSDT 86FCF270 ZwQueueApcThread
SSDT 86F19FA8 ZwReadVirtualMemory
SSDT 86FC7020 ZwRenameKey
SSDT 86FCF360 ZwSetContextThread
SSDT 86FDC288 ZwSetInformationKey
SSDT 86F93670 ZwSetInformationProcess
SSDT 86FCF3D8 ZwSetInformationThread
SSDT 86FD2020 ZwSetValueKey
SSDT 86F935F8 ZwSuspendProcess
SSDT 86FCF2E8 ZwSuspendThread
SSDT 86F1CE50 ZwTerminateProcess
SSDT 86FCF450 ZwTerminateThread
SSDT 86FCF180 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.13 ----

.text C:\WINDOWS\Explorer.EXE[344] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\Explorer.EXE[344] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\Explorer.EXE[344] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\Explorer.EXE[344] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\Explorer.EXE[344] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\Explorer.EXE[344] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\Explorer.EXE[344] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\Explorer.EXE[344] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\Explorer.EXE[344] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\Explorer.EXE[344] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\Explorer.EXE[344] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\Explorer.EXE[344] WININET.dll!InternetOpenA 771C58BA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\Explorer.EXE[344] WININET.dll!InternetOpenUrlA 771C5B86 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\Explorer.EXE[344] WININET.dll!InternetReadFile 771C810A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\Explorer.EXE[344] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\Explorer.EXE[344] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\Explorer.EXE[344] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\Explorer.EXE[344] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\Explorer.EXE[344] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] WININET.dll!InternetOpenA 771C58BA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] WININET.dll!InternetOpenUrlA 771C5B86 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[772] WININET.dll!InternetReadFile 771C810A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] WININET.dll!InternetOpenA 771C58BA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] WININET.dll!InternetOpenUrlA 771C5B86 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[844] WININET.dll!InternetReadFile 771C810A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] WININET.dll!InternetOpenA 771C58BA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] WININET.dll!InternetOpenUrlA 771C5B86 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Messenger\Msmsgs.exe[1004] WININET.dll!InternetReadFile 771C810A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] WININET.dll!InternetOpenA 771C58BA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] WININET.dll!InternetOpenUrlA 771C5B86 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1308] WININET.dll!InternetReadFile 771C810A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] WININET.dll!InternetOpenA 771C58BA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] WININET.dll!InternetOpenUrlA 771C5B86 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1320] WININET.dll!InternetReadFile 771C810A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] WININET.dll!InternetOpenA 771C58BA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] WININET.dll!InternetOpenUrlA 771C5B86 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1484] WININET.dll!InternetReadFile 771C810A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1504] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ F7, FB, C3, 83 ]
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1588] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1588] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1588] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1588] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1588] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1588] WININET.dll!InternetOpenA 771C58BA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1588] WININET.dll!InternetOpenUrlA 771C5B86 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1588] WININET.dll!InternetReadFile 771C810A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] WININET.dll!InternetOpenA 771C58BA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] WININET.dll!InternetOpenUrlA 771C5B86 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[1624] WININET.dll!InternetReadFile 771C810A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] WININET.dll!InternetOpenA 771C58BA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] WININET.dll!InternetOpenUrlA 771C5B86 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1812] WININET.dll!InternetReadFile 771C810A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] WININET.dll!InternetOpenA 771C58BA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] WININET.dll!InternetOpenUrlA 771C5B86 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1960] WININET.dll!InternetReadFile 771C810A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] WININET.dll!InternetOpenA 771C58BA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] WININET.dll!InternetOpenUrlA 771C5B86 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\System32\svchost.exe[2036] WININET.dll!InternetReadFile 771C810A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] WININET.dll!InternetOpenA 771C58BA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] WININET.dll!InternetOpenUrlA 771C5B86 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\wuauclt.exe[3016] WININET.dll!InternetReadFile 771C810A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] WININET.dll!InternetOpenA 771C58BA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] WININET.dll!InternetOpenUrlA 771C5B86 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[3292] WININET.dll!InternetReadFile 771C810A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] kernel32.dll!WriteFile 7C810D87 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] kernel32.dll!WinExec 7C86136D 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] WININET.dll!InternetOpenA 771C58BA 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] WININET.dll!InternetOpenUrlA 771C5B86 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] WININET.dll!InternetReadFile 771C810A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] WS2_32.dll!select 71AB2DC0 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] WS2_32.dll!socket 71AB3B91 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] WS2_32.dll!bind 71AB3E00 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] WS2_32.dll!send 71AB428A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3464] WS2_32.dll!recv 71AB615A 5 Bytes CALL 37001160 C:\WINDOWS\system32\EntApi.dll

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 86F19D78
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 86F19DF0
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 86F19DF0
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 86F19D78
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 86F19D78
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 86F19DF0
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 86F19DF0
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 86F19D78
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 86F19DF0
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 86F19D78
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 86F19DF0
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 86F19DF0
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 86F19D78

---- Devices - GMER 1.0.13 ----

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F74FDE40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [EFD2B7E0] naiavf5x.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [EFD2B7E0] naiavf5x.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 86AFA0A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 86AF90A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE 86AF80A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 86AF10A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 86AF00A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 86AEF0A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 86AF70A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 86AF60A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 86AF50A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 86AF40A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 86AEE0A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 86AF20A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 86B070A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 86B060A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL 86B050A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL 86B040A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 86B020A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 86B000A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP 86AFF0A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 86B010A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 86AFE0A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 86AFD0A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 86AFC0A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 86AFB0A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 86B0E0A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 86B0D0A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 86B0C0A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 86B0B0A8

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F75C0A90] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F75C0AB0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F75C0B10] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F75C0AF0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F75C0AD0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F75C0510] mvstdi5x.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 86AFA0A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 86AF90A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE 86AF80A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 86AF10A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 86AF00A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 86AEF0A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 86AF70A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 86AF60A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 86AF50A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 86AF40A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 86AEE0A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 86AF20A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 86B070A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 86B060A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL 86B050A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL 86B040A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 86B020A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 86B000A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP 86AFF0A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 86B010A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 86AFE0A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 86AFD0A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 86AFC0A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 86AFB0A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 86B0E0A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 86B0D0A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 86B0C0A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 86B0B0A8

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F75C0A90] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F75C0AB0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F75C0B10] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F75C0AF0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F75C0AD0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F75C0510] mvstdi5x.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE 86AFA0A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 86AF90A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE 86AF80A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 86AF10A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 86AF00A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 86AEF0A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 86AF70A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 86AF60A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 86AF50A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 86AF40A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 86AEE0A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 86AF20A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 86B070A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 86B060A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL 86B050A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL 86B040A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 86B020A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 86B000A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP 86AFF0A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 86B010A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 86AFE0A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 86AFD0A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 86AFC0A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 86AFB0A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 86B0E0A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 86B0D0A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 86B0C0A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 86B0B0A8

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F75C0A90] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F75C0AB0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F75C0B10] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F75C0AF0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F75C0AD0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F75C0510] mvstdi5x.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE 86AFA0A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 86AF90A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE 86AF80A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 86AF10A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 86AF00A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 86AEF0A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 86AF70A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 86AF60A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 86AF50A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 86AF40A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 86AEE0A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 86AF20A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 86B070A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 86B060A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL 86B050A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL 86B040A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 86B020A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL 86B000A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP 86AFF0A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 86B010A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 86AFE0A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 86AFD0A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 86AFC0A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 86AFB0A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 86B0E0A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 86B0D0A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 86B0C0A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 86B0B0A8

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F75C0A90] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F75C0AB0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F75C0B10] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F75C0AF0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F75C0AD0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F75C0510] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F75C0510] mvstdi5x.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE 86AFA0A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 86AF90A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE 86AF80A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 86AF10A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 86AF00A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 86AEF0A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 86AF70A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 86AF60A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 86AF50A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 86AF40A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 86AEE0A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 86AF20A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 86B070A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 86B060A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL 86B050A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL 86B040A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 86B020A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 86B000A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP 86AFF0A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 86B010A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 86AFE0A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 86AFD0A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 86AFC0A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 86AFB0A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 86B0E0A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 86B0D0A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 86B0C0A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 86B0B0A8

---- EOF - GMER 1.0.13 ----

#13 buschdog81

  • Topic Starter

  • Members
  • 20 posts

Posted 27 August 2007 - 07:22 AM

STEP # 4


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-08-27 07:21
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 27/08/2007
Kaspersky Anti-Virus database records: 391830
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 60663
Number of viruses found: 11
Number of infected objects: 22
Number of suspicious objects: 2
Duration of the scan process: 01:06:37

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\323112\LOCALS~1\Temp\yazzlesnet.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Deckard\System Scanner\backup\DOCUME~1\323112\LOCALS~1\Temp\yazzlesnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\323112\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\323112\Desktop\SolarWinds-TFTP-Server.exe/WISE0048.BIN Infected: not-a-virus:Server-FTP.Win32.Tftp.500 skipped
C:\Documents and Settings\323112\Desktop\SolarWinds-TFTP-Server.exe WiseSFX: infected - 1 skipped
C:\Documents and Settings\323112\Desktop\SolarWinds-TFTP-Server.exe WiseSFX Dropper: infected - 1 skipped
C:\Documents and Settings\323112\Desktop\Tech Center Services\Network Team\SolarWinds8.0\SolarWinds-EE-V8-Release.exe/WISE0327.BIN Infected: not-a-virus:Server-FTP.Win32.Tftp.500 skipped
C:\Documents and Settings\323112\Desktop\Tech Center Services\Network Team\SolarWinds8.0\SolarWinds-EE-V8-Release.exe WiseSFX: infected - 1 skipped
C:\Documents and Settings\323112\Desktop\Tech Center Services\Network Team\SolarWinds8.0\SolarWinds-EE-V8-Release.exe WiseSFX Dropper: infected - 1 skipped
C:\Documents and Settings\323112\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\323112\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\323112\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\323112\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\323112\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\323112\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070826_Time-210205968_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070826_Time-210205968_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_FNTSBUSCH.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_FNTSBUSCH.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\SolarWinds\Free Tools\TFTP-Server.exe Infected: not-a-virus:Server-FTP.Win32.Tftp.500 skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\asc3550u.sys.vir Infected: Rootkit.Win32.Agent.hj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dwdsrngt.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lsdsrngp.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nwintmdt.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\owinmmdt.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xpdx.sys.vir Infected: Trojan-Clicker.Win32.Costrat.e skipped
C:\quarantine\Quicken 2007 R1 Deluxe.zip.Vir/Setup.exe Infected: P2P-Worm.Win32.VB.dw skipped
C:\quarantine\Quicken 2007 R1 Deluxe.zip.Vir ZIP: infected - 1 skipped
C:\quarantine\spoolsvv.exe.Vir Infected: Email-Worm.Win32.Zhelatin.gz skipped
C:\quarantine\spoolsvv.exe.Vir.0 Infected: Email-Worm.Win32.Zhelatin.gz skipped
C:\quarantine\xpupdate.exe.Vir Infected: Packed.Win32.Tibs.bk skipped
C:\quarantine\xpupdate.exe.Vir.0 Infected: Packed.Win32.Tibs.bk skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\VundoFix Backups\potmvire.exe.bad Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#14 buschdog81 (Topic Starter)

Posted 27 August 2007 - 07:24 AM

Ad-Aware 2007
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
Adobe® Photoshop® Album Starter Edition 3.0
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
BillQuick 2005
BitTornado 0.3.18
Broadcom Gigabit Integrated Controller
CCleaner (remove only)
Cisco SSL VPN Client
Cisco Systems VPN Client 4.8.01.0300
C-Major Audio
Conexant D110 MDC V.92 Modem
Dell Printer Software Uninstall
Easy CD Creator 5 Basic
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB319740)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB903234)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB907865)
Hotfix for Windows XP (KB913538)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
Intel® PROSet/Wireless Software
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 9
Kaspersky Online Scanner
LimeWire 4.12.11
Malwarebytes' RogueRemover 1.21
McAfee VirusScan Enterprise
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Money 2007
Microsoft Money Shared Libraries
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Visio Professional 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
mWlsSafe
mWMI
mXML
mZConfig
OutlookAddIn
QBFC3.0
Quicken 2007
RootKit Hook Analyzer 3.02
Security Task Manager 1.7e
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
SolarWinds TFTP Server
Spy Sweeper
Spybot - Search & Destroy 1.4
System Requirements Lab
Tera Term Pro
Trillian
Update for Windows XP (KB894391)
Update for Windows XP (KB897663)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB908521)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB916846)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Virtual Earth 3D (Beta)
WebEx
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Messenger 5.1
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip

#15 buschdog81 (Topic Starter)

Posted 27 August 2007 - 07:25 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:25, on 2007-08-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\zFTPServer\zFTPServer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\323112\Desktop\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://portal
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {396A0534-A87D-4D06-B4A7-5CB551856E49} - C:\WINDOWS\SYSTEM32\DDAYY.DLL (file missing)
O2 - BHO: (no name) - {4614B16D-1789-4E64-B2F7-0EE034B0328D} - C:\WINDOWS\SYSTEM32\SSQPN.DLL (file missing)
O2 - BHO: (no name) - {6543FC7E-9344-424C-AEEB-2581B356075D} - C:\WINDOWS\SYSTEM32\VTSQP.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7B0C3745-2F04-4A3F-844F-E1470ACA7387} - C:\WINDOWS\SYSTEM32\SSTQO.DLL (file missing)
O2 - BHO: (no name) - {87510A82-85FD-4551-9679-618BF3151676} - C:\WINDOWS\SYSTEM32\PMKHE.DLL (file missing)
O2 - BHO: (no name) - {BB33F296-DBA0-4FA0-8C7F-1C1CF3B71F3F} - C:\WINDOWS\SYSTEM32\AWTST.DLL (file missing)
O2 - BHO: (no name) - {D343AF4E-1EFC-4A3B-9F74-0BD8B3BB8AF1} - C:\WINDOWS\SYSTEM32\PMNNL.DLL (file missing)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ToolExe] c:\program files\dell\traytool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [zFTPServer] "C:\Program Files\zFTPServer\zFTPServer.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{A2-29-9B-BC-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://portal
O16 - DPF: {008BBE7E-C096-11D0-B4E3-00A0C901D681} (TeeChart Pro Activex control) - https://silverback50.fntsclients.com/servle...ex/teechart.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {462D5053-2D60-4022-B583-7E34AA0F90B7} (ExPopupMenu ActiveX Control) - https://silverback50.fntsclients.com/servle...x/popupmenu.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.fnts.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.fnts.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.fnts.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.fnts.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corp.fnts.com
O20 - AppInit_DLLs: 6741f5de
O20 - Winlogon Notify: ursrqrr - ursrqrr.dll (file missing)
O21 - SSODL: jkLVYRp - {880A29BD-22A0-8317-0667-B70A8D9B17B0} - C:\WINDOWS\system32\epj.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8915 bytes
