
I Think My Pc Is Infected


21 replies to this topic

#1 BuBMY

BuBMY

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:56 PM

Posted 15 September 2007 - 03:35 AM

Help please!
I ran dllcompare.exe to check my PC's *.dll library today after my coworker used it for several days.
The log shows lots of unknown files. I think my PC is infected.

The DllCompare log and HJT log are shown below:


1) DllCompare Log:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

________________________________________________

6,328 items found: 6,093 files (228 H/S), 235 directories (65 H/S).
Total of file sizes: 1,093,696,148 bytes 1.02 G

Administrator Account = True

--------------------End log---------------------

2) HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 03:23:14, on 2007/9/15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\ThisJackHi.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: ScriptLogic Service (SLClient) - Unknown owner - C:\WINDOWS\system32\SLClient.exe (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 5222 bytes

#2 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:02:56 PM

Posted 21 September 2007 - 02:15 AM

Hi and welcome,

Sorry for delay.

If you still need assistance, please post a fresh HijackThis log here.
That DLL Compare log is normal. There are several files normally hidden and inaccessible outside of Windows itself.

Your AVG or Trend Micro reporting anything odd?

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#3 BuBMY

BuBMY
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:56 PM

Posted 26 September 2007 - 07:20 AM

I have fixed some of the viruses by myself.
And I will post the HJT log in my next reply.

#4 BuBMY

BuBMY
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:56 PM

Posted 26 September 2007 - 09:05 PM

My Trend Micro and AVG scan results show my PC is clean.

Here are the new DSS and HJT logs:

Deckard's System Scanner v20070905.67
Run by tmpadm on 2007-09-24 21:20:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as tmpadm.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 09:20:22, on 2007/9/24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\freecell.exe
C:\Documents and Settings\tmpadm\My Documents\VoP\dss.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\tmpadm.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: ScriptLogic Service (SLClient) - Unknown owner - C:\WINDOWS\system32\SLClient.exe (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 5354 bytes

-- Files created between 2007-08-24 and 2007-09-24 -----------------------------

2007-09-18 13:47:37 0 d-------- C:\VundoFix Backups
2007-09-18 12:28:26 0 d-------- C:\Find It NT-2K-XP
2007-09-18 12:27:53 0 d-------- C:\FindVirus
2007-09-17 13:28:46 0 d-------- C:\Program Files\Sunbelt Software
2007-09-16 11:53:01 0 dr-h----- C:\Documents and Settings\tmpadm\Recent
2007-09-16 07:21:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-16 07:21:49 0 d-------- C:\WINDOWS\system32\Kaspersky Lab


-- Find3M Report ---------------------------------------------------------------

2007-09-18 10:46:07 0 d-------- C:\Program Files\SpywareBlaster
2007-09-14 05:58:04 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-09-13 21:37:55 0 d-------- C:\Program Files\RegCleaner
2007-09-13 10:31:07 2772 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-13 02:26:03 0 d-------- C:\Program Files\Trend Micro
2007-07-22 12:01:43 324990 --a------ C:\WINDOWS\system32\prfh0404.dat
2007-07-22 12:01:43 102594 --a------ C:\WINDOWS\system32\prfc0404.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004/08/04 下午 08:00]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003/05/30 上午 12:26]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003/05/30 上午 12:14]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005/11/17 下午 07:49]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003/07/14 下午 10:57]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003/07/14 下午 10:57]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003/05/28 下午 05:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007/01/13 上午 09:46]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007/02/12 上午 09:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/04 下午 08:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007/08/31 下午 04:46]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2006/12/06 下午 01:40]

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004/12/14 上午 04:44:06]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006/12/5 下午 01:41:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006/09/28 上午 11:22 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2006/10/19 上午 09:12 258048 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2003/06/20 上午 07:03 110592 C:\WINDOWS\system32\LgNotify.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ca10f41-8407-11db-8bc6-806d6172696f}]
AutoRun\command- D:\START.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da3c64d3-380a-11dc-8d8b-000d566d563e}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PFW.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dde681f0-96da-11db-8c2a-000d566d563e}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE

-- End of Deckard's System Scanner: finished at 2007-09-24 21:21:31 ------------

#5 Blender (Malware Response Team, 2,363 posts, Location: Ontario)

Posted 27 September 2007 - 12:30 AM

Hi,

Somebody has or had an infected flash drive (USB pen drive).
This is likely how this PC got infected.
The autorun function, which is enabled by default, ran and fired off whatever the autorun.inf instructed it to.
I think we are just dealing with leftovers, but I would like to make sure.

Please download Flash_Disinfector by sUBs and save it to your desktop.

http://www.techsupportforum.com/sectools/s...Disinfector.exe

NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

If you have any flash drives, plug them in before running the tool. ***Hold down the "Shift" key while plugging in a flash drive to bypass the "autorun" feature.

* Double-click Flash_Disinfector.exe to run it.
* Follow any prompts that may appear.
* Your desktop will vanish for a while, and then reappear. This is normal.
* Wait until the program has finished scanning, then please exit the program.

Next:

Delete the copy of dss.exe you have now and download it again to your desktop.
It needs to be on the desktop to work for next instruction.

http://www.techsupportforum.com/sectools/Deckard/dss.exe
http://deckard.geekstogo.com/dss.exe

Please run Deckard's System Scanner again, this time using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
"%userprofile%\desktop\dss.exe" /config
Click on "Check All"

Click Scan!

When finished, it shall produce two logs for you (main.txt & extra.txt).

Please post main.txt, extra.txt in your next reply.

Thanks :thumbsup:

I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
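A triage script for the mountpoints2 entries that DSS printed in the registry dump above, added here as an example (it is not part of DSS, HijackThis or Flash_Disinfector): it parses that section of a DSS log and flags volume AutoRun handlers that do not use Windows' stock EXPLORER.EXE, which is exactly the trace an autorun.inf on a pen drive leaves behind. The sample dump is constructed from the three entries in this thread's log; which of them is actually malicious is still for the reviewer to decide (an OEM resource CD also registers a START.EXE handler).

```python
"""
Triage the mountpoints2 section of a Deckard's System Scanner (DSS)
registry dump for AutoRun handlers planted by removable media.
Added example, not part of the DSS tool.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# "[...\mountpoints2\{guid}]" key header as DSS prints it
KEY_RE = re.compile(r"^\[(?P<key>.+\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\}))\]$", re.I)
# "AutoRun\command- <command line>" / "open\Command- <command line>"
VERB_RE = re.compile(r"^(?P<verb>[A-Za-z]+)\\command-\s*(?P<cmd>.*)$", re.I)

# Extensions an autorun.inf on a pen drive typically points at.
RISKY_EXT = (".exe", ".pif", ".com", ".bat", ".cmd", ".scr", ".vbs", ".js")

# Constructed sample: the three mountpoints2 entries from the DSS log in this thread.
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ca10f41-8407-11db-8bc6-806d6172696f}]
AutoRun\command- D:\START.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da3c64d3-380a-11dc-8d8b-000d566d563e}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PFW.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dde681f0-96da-11db-8c2a-000d566d563e}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE
"""


@dataclass
class MountPoint:
    guid: str
    commands: Dict[str, str] = field(default_factory=dict)  # verb -> command line


def parse_mountpoints(dump: str) -> List[MountPoint]:
    """Collect verb -> command pairs under each mountpoints2\\{guid} key."""
    points: List[MountPoint] = []
    current: Optional[MountPoint] = None
    for raw in dump.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = MountPoint(guid=m.group("guid").lower())
            points.append(current)
            continue
        if line.startswith("["):  # some other registry key: stop collecting
            current = None
            continue
        v = VERB_RE.match(line)
        if v and current is not None:
            current.commands[v.group("verb").lower()] = v.group("cmd").strip()
    return points


def classify(cmd: str) -> Optional[str]:
    """Return a review reason if the handler is not Windows' default, else None."""
    c = cmd.strip().lower()
    if c == "explorer.exe":
        return None  # stock handler: just open the volume in Explorer
    if "shellexec_rundll" in c:
        return "launches a file through Shell32 ShellExec_RunDLL"
    if c.endswith(RISKY_EXT):
        return "runs an executable straight from the volume (check what it is)"
    return "non-default handler"


def find_suspicious(dump: str) -> List[Tuple[str, str, str, str]]:
    """(guid, verb, command, reason) for every handler that deserves a look."""
    hits = []
    for mp in parse_mountpoints(dump):
        for verb, cmd in mp.commands.items():
            reason = classify(cmd)
            if reason:
                hits.append((mp.guid, verb, cmd, reason))
    return hits


if __name__ == "__main__":
    for guid, verb, cmd, reason in find_suspicious(SAMPLE_DUMP):
        print(f"{guid} {verb}: {cmd}\n    -> {reason}")
```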

#6 BuBMY (Topic Starter, Members, 12 posts)

Posted 27 September 2007 - 07:49 AM

Hi Blender,

This time the reply was very fast! :thumbsup:

Because I am using a Taiwan-character PC, to use DSS.exe from the command line I changed one word, from desktop to '桌面':
Start -> Run -> "%userprofile%\桌面\dss.exe" /config

Here is the DSS Extra.txt log:

Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Chinese

CPU 0: Intel® Pentium® M processor 1400MHz
Percentage of Memory in Use: 51%
Physical Memory (total/avail): 766.21 MiB / 371.07 MiB
Pagefile Memory (total/avail): 1875.59 MiB / 1513.04 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1955.38 MiB

C: is Fixed (NTFS) - 27.95 GiB total, 11.08 GiB free.
D: is Removable (FAT)

\\.\PHYSICALDRIVE0 - IC25N030ATMR04-0 - 27.95 GiB - 1 partition
\PARTITION0 (bootable) - 可安裝的檔案系統 - 27.95 GiB - C:

\\.\PHYSICALDRIVE1 - JetFlash TS1GJF110 USB Device - 972.69 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 979.98 MiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Sunbelt Kerio Personal Firewall v4.3.268 T (Sunbelt Kerio)
FW: Trend Micro OfficeScan Enterprise Client Firewall v7.0 (TrendFirewall) Disabled

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"="C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe:*:Enabled:Sunbelt Kerio Firewall GUI"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\tmpadm\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TWNNB34
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\tmpadm
LOGONSERVER=\\TWNNB34
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\tmpadm\LOCALS~1\Temp
TMP=C:\DOCUME~1\tmpadm\LOCALS~1\Temp
USERDOMAIN=TWNNB34
USERNAME=tmpadm
USERPROFILE=C:\Documents and Settings\tmpadm
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

tmpadm (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Office system 相容性套件 --> MsiExec.exe /X{90120000-0020-0404-0000-0000000FF1CE}
a-squared HiJackFree 2.1 --> "C:\Program Files\a-squared HiJackFree\unins000.exe"
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0 - Chinese Traditional --> MsiExec.exe /I{AC76BA86-7AD7-1028-7B44-A70000000000}
Adobe Reader Korean Fonts --> MsiExec.exe /I{AC76BA86-7AD7-5676-5A64-7E8A45000001}
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
B.I.S.S. Hosts Manager --> MsiExec.exe /I{A931C76A-8189-4485-A686-53A91658CD30}
Broadcom Gigabit Integrated Controller --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9} /l1028
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Conexant D480 MDC V.9x Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
CutePDF Writer 2.5 --> C:\WINDOWS\system32\uninscpw.exe C:\Program Files\
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
Intel® PROSet --> MsiExec.exe /I{181934AF-3E7B-450D-804F-2B812E018ED1}
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{90120404-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
PCI 7510 CardBus Controller with SmartCard and Software --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{252F9FB9-FC12-4B08-ADEB-F402BA3A8D28} /l1028
Rootkit Unhooker Uninstall --> "C:\RkUnhooker\uninstall.exe"
SAS VPN Documentation --> C:\PROGRA~1\SASVPN~1\UNWISE.EXE C:\PROGRA~1\SASVPN~1\INSTALL.LOG
SigmaTel AC97 聲訊驅動程式 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7959721D-8268-4565-9E0E-C41A9F4848A9}\setup.exe" -l0x404 -nodialog -uninstall
SnagIt 8 --> MsiExec.exe /I{DA0BF7AB-88EB-4675-8FA1-531EAD938821}
Sophos Anti-Rootkit 1.3 --> C:\Program Files\Sophos\Sophos Anti-Rootkit\helper.exe remove
Spelling Dictionaries For Adobe Reader Package --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7E8A450000A7}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Sunbelt Kerio Personal Firewall --> MsiExec.exe /X{E659E0EE-10E6-49B7-8696-60F38D0EB174}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Trend Micro OfficeScan Client --> "C:\Program Files\Trend Micro\OfficeScan Client\ntrmv.exe"
Trend Micro Wireless Protection Manager --> MsiExec.exe /I{ED94AE01-91E3-4C8C-8D91-C2F321B9F29B}
VPN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5624C000-B109-11D4-9DB4-00E0290FCAC5}\setup.exe" -l0x9 VpnUninstall
VPNCheck --> C:\Support\VPNCheck\UNWISE.EXE C:\Support\VPNCheck\INSTALL.LOG
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Presentation Foundation Language Pack (CHT) --> MsiExec.exe /X{0B76561B-A254-44F2-B78D-E18705FBE9F0}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows Workflow Foundation ZH-CHT Language Pack --> MsiExec.exe /I{2F10F540-4126-45B5-B14C-9B8D119205E6}
Windows XP 安全性更新 (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896424) --> "C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB901190) --> "C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB911567) --> "C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB912919) --> "C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB917422) --> "C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB920214) --> "C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB921398) --> "C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB921503) --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB922616) --> "C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB922760) --> "C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923694) --> "C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923789) --> C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Windows XP 安全性更新 (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB925454) --> "C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB925486) --> "C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB928090) --> "C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB929969) --> "C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB931768) --> "C:\WINDOWS\$NtUninstallKB931768$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB933566) --> "C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB937143) --> "C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB938127) --> "C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Windows XP 更新 (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Windows XP 更新 (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Windows XP 更新 (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Windows XP 更新 (KB904942) --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Windows XP 更新 (KB908521) --> "C:\WINDOWS\$NtUninstallKB908521$\spuninst\spuninst.exe"
Windows XP 更新 (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Windows XP 更新 (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Windows XP 更新 (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Windows XP 更新 (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Windows XP 更新 (KB916846) --> "C:\WINDOWS\$NtUninstallKB916846$\spuninst\spuninst.exe"
Windows XP 更新 (KB920342) --> "C:\WINDOWS\$NtUninstallKB920342$\spuninst\spuninst.exe"
Windows XP 更新 (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Windows XP 更新 (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Windows XP 更新 (KB925720) --> "C:\WINDOWS\$NtUninstallKB925720$\spuninst\spuninst.exe"
Windows XP 更新 (KB925876) --> "C:\WINDOWS\$NtUninstallKB925876$\spuninst\spuninst.exe"
Windows XP 更新 (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Windows XP 更新 (KB929338) --> "C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Windows XP 更新 (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Windows XP 更新 (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Windows XP 更新 (KB933360) --> "C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Windows XP 更新 (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Windows XP 更新 (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
WinPatrol 2007 Restore/Remove First --> C:\Program Files\BillP Studios\WinPatrol\WinPatrolEx.exe -remove
WinPatrol 2007 Step 2 --> MsiExec.exe /X{736CE9DD-F589-485B-ACFF-78C235A57066}
XML Paper Specification Shared Components Language Pack 1.0 --> "C:\WINDOWS\$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type100192 / Error
Event Submitted/Written: 09/27/2007 07:02:35 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows 無法取得電腦所屬網域的網域控制站名稱。(發生意外的網路錯誤。 )。群組原則處理已中止。

Event Record #/Type100191 / Error
Event Submitted/Written: 09/27/2007 03:44:34 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows 無法取得電腦所屬網域的網域控制站名稱。(發生意外的網路錯誤。 )。群組原則處理已中止。

Event Record #/Type100190 / Error
Event Submitted/Written: 09/27/2007 01:49:03 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows 無法取得電腦所屬網域的網域控制站名稱。(發生意外的網路錯誤。 )。群組原則處理已中止。

Event Record #/Type100189 / Error
Event Submitted/Written: 09/27/2007 00:13:32 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows 無法取得電腦所屬網域的網域控制站名稱。(發生意外的網路錯誤。 )。群組原則處理已中止。

Event Record #/Type100188 / Error
Event Submitted/Written: 09/27/2007 11:55:50 AM
Event ID/Source: 5003 / TrueVector Service
Event Description:
TrueVector driver: Driver install or load failure: LoadNTDeviceDriver. Win32 error: 無法啟動服務,可能因為服務已停用,或它沒有相關的啟用裝置。



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type30621 / Warning
Event Submitted/Written: 09/27/2007 08:24:52 PM
Event ID/Source: 11191 / DnsApi
Event Description:
系統以下列設定值為網路卡更新和移除指標 (PTR) 資源記錄
(RR)
失敗:


介面卡名稱 : {ECBBE00F-31A2-46B3-8FF9-0638EDA2194B}

主機名稱 : twnnb34

介面卡特定網域尾碼 : twn.sas.com

DNS 伺服器清單 :

172.26.4.3, 172.26.40.17

傳送更新到伺服器 : <?>

IP 位址 : 172.1.1.1


系統無法移除這些 PTR RR 是因為一個系統問題。
有關特定的錯誤碼資訊,請參閱以下顯示的記錄資料。

Event Record #/Type30620 / Warning
Event Submitted/Written: 09/27/2007 08:24:52 PM
Event ID/Source: 11197 / DnsApi
Event Description:
系統以下列設定值為網路卡更新和移除主機 (A) 資源記錄
(RR)
失敗:


介面卡名稱 : {ECBBE00F-31A2-46B3-8FF9-0638EDA2194B}

主機名稱 : twnnb34

主網域尾碼 : twn.sas.com

DNS 伺服器清單 :

172.26.4.3, 172.26.40.17

傳送更新到伺服器 : 172.1.1.1

IP 位址 :

172.26.4.109


更新要求失敗的原因是因為系統問題。有關
特定的錯誤碼資訊,請參閱以下顯示的記錄資料。

Event Record #/Type30618 / Warning
Event Submitted/Written: 09/27/2007 08:24:47 PM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom 570x Gigabit Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type30617 / Error
Event Submitted/Written: 09/27/2007 08:20:19 PM
Event ID/Source: 29 / W32Time
Event Description:
時間提供者 NtpClient 已經設定成從某些時間來源
取得時間,不過目前沒有可存取的時間來源,
將嘗試在 15 分內連絡上一個來源。
NTPCLIENT 沒有正確的時間來源。

Event Record #/Type30616 / Warning
Event Submitted/Written: 09/27/2007 08:20:19 PM
Event ID/Source: 14 / W32Time
Event Description:
時間提供者 NtpClient 找不到可以作為時間來源的網域控制站。
NtpClient 將在 15 分鐘內重試。



-- End of Deckard's System Scanner: finished at 2007-09-27 20:27:05 ------------


And here is the DSS main.txt log:

Deckard's System Scanner v20070905.67
Run by tmpadm on 2007-09-27 20:24:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
16: 2007-09-27 12:24:16 UTC - RP16 - Deckard's System Scanner Restore Point
15: 2007-09-27 10:46:58 UTC - RP15 - 系統檢查點
14: 2007-09-26 10:19:19 UTC - RP14 - 已安裝印表機驅動程式 CutePDF Writer
13: 2007-09-26 06:18:37 UTC - RP13 - 系統檢查點
12: 2007-09-25 05:18:56 UTC - RP12 - 系統檢查點


-- First Restore Point --
1: 2007-09-15 23:42:05 UTC - RP1 - 系統檢查點


Performed disk cleanup.



-- HijackThis (run as tmpadm.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 08:24:38, on 2007/9/27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\tmpadm\桌面\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\tmpadm.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: ScriptLogic Service (SLClient) - Unknown owner - C:\WINDOWS\system32\SLClient.exe (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 5318 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20070915-100144-602 O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
backup-20070915-100144-702 O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
backup-20070915-100144-822 O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
backup-20070915-100144-997 O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
backup-20070915-100338-186 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20070915-100338-275 O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
backup-20070915-100338-474 O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.2.1.0) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.2>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 TM_CFW (Common Firewall Driver) - c:\program files\trend micro\officescan client\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Micro Common Firewall Module 1.2>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 NAL (Nal Service ) - c:\windows\system32\drivers\iqvw32.sys <Not Verified; Intel Corporation; Intel® iQVW32.SYS>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ntrtscan (OfficeScanNT RealTime Scan) - c:\program files\trend micro\officescan client\ntrtscan.exe <Not Verified; Trend Micro Inc.; Trend Micro OfficeScan>
R2 RegSrvc - c:\windows\system32\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 tmlisten (OfficeScanNT Listener) - c:\program files\trend micro\officescan client\tmlisten.exe <Not Verified; Trend Micro Inc.; Trend Micro OfficeScan>

S3 OfcPfwSvc (OfficeScanNT Personal Firewall) - c:\program files\trend micro\officescan client\ofcpfwsvc.exe <Not Verified; Trend Micro Inc.; Trend Micro OfficeScan>
S3 SLClient (ScriptLogic Service) - c:\windows\system32\slclient.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/Wireless LAN 2100 3A Mini PCI Adapter
Device ID: PCI\VEN_8086&DEV_1043&SUBSYS_25658086&REV_04\4&39A85202&0&18F0
Manufacturer: Intel® Corporation
Name: Intel® PRO/Wireless LAN 2100 3A Mini PCI Adapter
PNP Device ID: PCI\VEN_8086&DEV_1043&SUBSYS_25658086&REV_04\4&39A85202&0&18F0
Service: w70n51

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 1084)
2006-10-19 09:12:20 258048 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>
2003-06-20 07:03:28 110592 --a------ C:\WINDOWS\system32\LgNotify.dll <Not Verified; Intel Corporation; LogonNotify Dynamic Link Library>

C:\WINDOWS\explorer.exe (pid 3008)
2003-02-21 04:42:22 348160 -ra------ C:\WINDOWS\system32\msvcr71.dll <Not Verified; Microsoft Corporation; MicrosoftR Visual Studio .NET>
2005-09-23 02:16:14 1093632 --a------ C:\Program Files\TechSmith\SnagIt 8\mfc80.dll <Not Verified; Microsoft Corporation; MicrosoftR Visual StudioR 2005>
2005-09-23 07:29:16 626688 --a------ C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll <Not Verified; Microsoft Corporation; MicrosoftR Visual StudioR 2005>
2005-09-23 02:16:14 45056 --a------ C:\Program Files\TechSmith\SnagIt 8\MFC80CHT.dll <Not Verified; Microsoft Corporation; MicrosoftR Visual StudioR 2005>


-- Files created between 2007-08-27 and 2007-09-27 -----------------------------

2007-09-27 20:13:04 0 drahs---- C:\autorun.inf
2007-09-26 18:22:38 0 d-------- C:\Program Files\GPLGS
2007-09-26 18:19:21 49152 --a------ C:\WINDOWS\system32\uninscpw.exe
2007-09-26 18:19:21 225280 --a------ C:\WINDOWS\system32\cpwsave.exe <Not Verified; Acro Software Inc.; CutePDF Application>
2007-09-26 18:19:21 81920 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2007-09-26 18:19:14 0 d-------- C:\Program Files\Acro Software
2007-09-18 13:47:37 0 d-------- C:\VundoFix Backups
2007-09-18 12:28:26 0 d-------- C:\Find It NT-2K-XP
2007-09-18 12:27:53 0 d-------- C:\FindVirus
2007-09-17 13:28:46 0 d-------- C:\Program Files\Sunbelt Software
2007-09-16 11:53:01 0 dr-h----- C:\Documents and Settings\tmpadm\Recent
2007-09-16 07:21:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-16 07:21:49 0 d-------- C:\WINDOWS\system32\Kaspersky Lab


-- Find3M Report ---------------------------------------------------------------

2007-09-18 10:46:07 0 d-------- C:\Program Files\SpywareBlaster
2007-09-14 05:58:04 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-09-13 21:37:55 0 d-------- C:\Program Files\RegCleaner
2007-09-13 10:31:07 2772 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-13 02:26:03 0 d-------- C:\Program Files\Trend Micro
2007-07-22 12:01:43 324990 --a------ C:\WINDOWS\system32\prfh0404.dat
2007-07-22 12:01:43 102594 --a------ C:\WINDOWS\system32\prfc0404.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004/08/04 下午 08:00]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003/05/30 上午 12:26]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003/05/30 上午 12:14]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005/11/17 下午 07:49]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003/07/14 下午 10:57]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003/07/14 下午 10:57]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003/05/28 下午 05:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007/01/13 上午 09:46]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007/02/12 上午 09:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/04 下午 08:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007/08/31 下午 04:46]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2006/12/06 下午 01:40]

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004/12/14 上午 04:44:06]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006/12/5 下午 01:41:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006/09/28 上午 11:22 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2006/10/19 上午 09:12 258048 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2003/06/20 上午 07:03 110592 C:\WINDOWS\system32\LgNotify.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ca10f41-8407-11db-8bc6-806d6172696f}]
AutoRun\command- D:\START.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da3c64d3-380a-11dc-8d8b-000d566d563e}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PFW.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dde681f0-96da-11db-8c2a-000d566d563e}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE




-- Hosts -----------------------------------------------------------------------

127.0.0.1 hityou.com
127.0.0.1 www.hityou.com
127.0.0.1 180searchassistant.com
127.0.0.1 www.180searchassistant.com
127.0.0.1 180solutions.com
127.0.0.1 www.180solutions.com
127.0.0.1 bis.180solutions.com
127.0.0.1 config.180solutions.com
127.0.0.1 cts.180solutions.com
127.0.0.1 downloads.180solutions.com

6621 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-09-27 20:27:05 ------------

#7 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 27 September 2007 - 12:14 PM

Hi,

Good job on the 桌面 :thumbsup:

Ok.. Likely going to have to do the same thing with the next app.

1. Download this file and save it to your desktop.

**Note: It is important that it is saved directly to, and run from your desktop**

In the event you already have Combofix, please delete it as this is a new version I need you to download.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

a. Close any open browsers.

b. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
You will need to disable TeaTimer and WinPatrol till we are done.

To disable SpybotSD TeaTimer:

1.) Open Spybot and click on Mode and check Advanced Mode
2.) Check Yes in the next window.
3.) Click on Tools in bottom left hand corner.
4.) Click on System Startup icon.
5.) Uncheck Teatimer box.
6.) Click Allow Change box.

You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm

WinPatrol:

Right-click the running WinPatrol icon in the system tray and choose Exit. It will automatically restart at next boot.
WinPatrol is a little easier to contend with than TeaTimer.

Please check the characters I'm posting for "desktop". I dunno if my browser will copy/paste them properly. I have an English system, so it may not.

2. Click Start > Run, paste this into the Run box, then hit OK:

"%userprofile%\桌面\combofix.exe"

You will temporarily lose your desktop while the scan is running. Once the scan is done, the desktop will return to normal.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Let me know how the system is running.

If ComboFix gives you errors running it, like I said... let me know before you continue.

Thanks :flowers:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#8 BuBMY

BuBMY
  • Topic Starter

  • Members
  • 12 posts

Posted 27 September 2007 - 08:10 PM

I closed most of the running anti-virus/anti-malware/firewall programs from Task Manager.
I don't know the password, because the Trend Micro anti-virus resident program asks me to provide a password.

The new ComboFix runs in a different way from my previous one. Here is the ComboFix log file:
I noticed a hidden process C:\WINDOWS\system32\cmd.exe [660] 0x8303F020 in this log that I haven't seen before.


ComboFix 07-09-21.2 - "tmpadm" 2007-09-28 8:51:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.482 [GMT 8:00]
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-28 )))))))))))))))))))))))))))))))
.

2007-09-27 21:35 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-27 20:13 <DIR> drahs---- C:\autorun.inf
2007-09-26 18:22 <DIR> d-------- C:\Program Files\GPLGS
2007-09-26 18:19 81,920 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2007-09-26 18:19 49,152 --a------ C:\WINDOWS\system32\uninscpw.exe
2007-09-26 18:19 225,280 --a------ C:\WINDOWS\system32\cpwsave.exe
2007-09-26 18:19 <DIR> d-------- C:\Program Files\Acro Software
2007-09-18 13:47 <DIR> d-------- C:\VundoFix Backups
2007-09-18 12:28 <DIR> d-------- C:\Find It NT-2K-XP
2007-09-18 12:27 <DIR> d-------- C:\FindVirus
2007-09-17 13:28 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-09-16 07:41 <DIR> d-------- C:\Deckard
2007-09-16 07:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-16 07:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-27 21:37 14858 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2007-09-27 20:53 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-09-18 10:46 --------- d-------- C:\Program Files\SpywareBlaster
2007-09-13 21:37 --------- d-------- C:\Program Files\RegCleaner
2007-09-13 02:26 --------- d-------- C:\Program Files\Trend Micro
2007-09-08 10:57 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-05-30 00:26]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-05-30 00:14]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-11-17 19:49]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003-07-14 22:57]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003-07-14 22:57]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 17:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-01-13 09:46]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-02-12 09:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2006-12-06 13:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-09-28 11:22 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2006-10-19 09:12 258048 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2003-06-20 07:03 110592 C:\WINDOWS\system32\LgNotify.dll

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
R3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;C:\WINDOWS\system32\drivers\wA301b.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 GTICARD;GTICARD;C:\WINDOWS\system32\DRIVERS\gticard.sys
S2 ntrtscan;OfficeScanNT RealTime Scan;C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
S2 tmlisten;OfficeScanNT Listener;C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys
S3 SLClient;ScriptLogic Service;C:\WINDOWS\system32\SLClient.exe
S3 w70n51;Intel® PRO/Wireless 7100 Adapter 驅動程式;C:\WINDOWS\system32\DRIVERS\w70n51.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ca10f41-8407-11db-8bc6-806d6172696f}]
AutoRun\command- D:\START.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da3c64d3-380a-11dc-8d8b-000d566d563e}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PFW.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dde681f0-96da-11db-8c2a-000d566d563e}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-28 08:54:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\system32\cmd.exe [660] 0x8303F020


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

#9 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 28 September 2007 - 01:40 PM

Hi,

Why don't you know the password for Trend Micro?
Is this your PC or a company PC?

Copy the following text to a new Notepad file.
Save as file name: CFScript.txt
Save as type: All Files
Save it to your desktop. It must be on the desktop to work.

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ca10f41-8407-11db-8bc6-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da3c64d3-380a-11dc-8d8b-000d566d563e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dde681f0-96da-11db-8c2a-000d566d563e}]

Once saved, close running programs.
Drag CFScript.txt on top of ComboFix.exe


Post the new ComboFix.txt please.


Open Hijackthis
Click "Config"
Check both the (full) and (complete) beside "generate startuplist log" and create the log.

Post results.

Thanks :thumbsup:

Edited by Blender, 28 September 2007 - 01:42 PM.

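The three MountPoints2 keys the CFScript above removes, and the service lines ComboFix prints, are the entries a responder triages by hand in a log like this. As an added example (not code from this thread, from ComboFix, from HijackThis or from BleepingComputer), the Python script below parses ComboFix-style "Reg Loading Points" lines and marks the ones worth a closer look: an AutoRun\command that launches a .pif or other script/shortcut type, a relative file name that is only resolved when the volume is mounted, or an executable sitting in a drive root; and services whose image lives under a Temp directory or is a .tmp file. The sample log is constructed from lines that appear in the ComboFix logs posted in this thread; the flagging rules are my own heuristics, and a REVIEW mark means "look at this", not "this is malicious".

```python
"""Triage helper for the "Reg Loading Points" section of a ComboFix-style log.
Added example for this thread, not ComboFix, HijackThis or BleepingComputer code.
A REVIEW mark means "look at this", not "this is malicious".
"""
import re

# Constructed sample: these lines mirror entries from the ComboFix logs posted above.
SAMPLE_LOG = r"""[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ca10f41-8407-11db-8bc6-806d6172696f}]
AutoRun\command- D:\START.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da3c64d3-380a-11dc-8d8b-000d566d563e}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PFW.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dde681f0-96da-11db-8c2a-000d566d563e}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE

R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\2.tmp
S3 SLClient;ScriptLogic Service;C:\WINDOWS\system32\SLClient.exe
S4 UCEFDICQTZB;UCEFDICQTZB;C:\DOCUME~1\tmpadm\LOCALS~1\Temp\UCEFDICQTZB.exe
"""

# MountPoints2 subkey header; the GUID identifies the volume the AutoRun handler applies to.
MOUNTPOINT_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
# "<verb>\command- <command line>" as ComboFix prints it.
VERB_RE = re.compile(r"^(\w+)\\command-\s*(.+)$", re.I)
# ComboFix service line: "<start type> <name>;<display name>;<image path>".
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.+)$")
# File types that have no business being launched by a volume's AutoRun handler.
SCRIPT_OR_SHORTCUT = {"pif", "scr", "bat", "cmd", "vbs", "com"}


def parse_mountpoints(text):
    """Return (guid, verb, command) for every command under a MountPoints2 key."""
    entries, guid = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            guid = None  # a blank line ends the current key block
            continue
        key = MOUNTPOINT_RE.match(line)
        if key:
            guid = key.group(1).lower()
            continue
        verb = VERB_RE.match(line)
        if guid and verb:
            entries.append((guid, verb.group(1), verb.group(2).strip()))
    return entries


def autorun_findings(entries):
    """Attach review reasons (heuristics) to each AutoRun/explore/open command."""
    findings = []
    for guid, verb, command in entries:
        target = command.split()[-1]  # heuristic: last token is the file actually launched
        ext = target.lower().rsplit(".", 1)[-1] if "." in target else ""
        reasons = []
        if ext in SCRIPT_OR_SHORTCUT:
            reasons.append("script/shortcut launched on mount")
        if re.match(r"^[a-z]:\\[^\\]+$", target, re.I):
            reasons.append("executable in drive root")
        if not re.match(r"^[a-z]:\\", target, re.I):
            reasons.append("relative target resolved at mount time")
        findings.append({"guid": guid, "verb": verb, "command": command, "reasons": reasons})
    return findings


def service_findings(text):
    """Parse service lines and flag images under a Temp directory or named *.tmp."""
    findings = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        start, name, display, path = m.groups()
        path = path.strip().strip('"')
        if path.startswith("\\??\\"):  # NT object-manager prefix, not part of the file path
            path = path[4:]
        reasons = []
        if "\\temp\\" in path.lower():
            reasons.append("image under a Temp directory")
        if path.lower().endswith(".tmp"):
            reasons.append("image is a .tmp file")
        findings.append({"start": start, "name": name, "display": display,
                         "path": path, "reasons": reasons})
    return findings


def triage(text):
    """Run both passes over one log and return the findings."""
    return {"autorun": autorun_findings(parse_mountpoints(text)),
            "services": service_findings(text)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for f in items:
            tag = "REVIEW" if f["reasons"] else "ok"
            what = f.get("command") or f["path"]
            print(f"[{tag}] {kind}: {f.get('guid') or f['name']} -> {what}  {'; '.join(f['reasons'])}")
```

To use it on a real log, paste the "Reg Loading Points" section into a text file and pass its contents to triage(). The last-token rule for the launched file is deliberately simple and will mis-split a command whose path contains spaces, so treat the output as a reading aid for the manual review the thread shows, not as a verdict.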

#10 BuBMY

BuBMY
  • Topic Starter

  • Members
  • 12 posts

Posted 28 September 2007 - 05:34 PM

Hi, Blender,

Yes, it's a company PC.

ComboFix log as follows:
ComboFix 07-09-21.2 - "tmpadm" 2007-09-29 5:57:51.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.511 [GMT 8:00]
Command switches used :: C:\Documents and Settings\tmpadm\桌面\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\1.tmp

.
((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-28 )))))))))))))))))))))))))))))))
.

2007-09-28 23:41 904,048 --a------ C:\fsbl.exe
2007-09-27 21:35 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-27 20:13 <DIR> drahs---- C:\autorun.inf
2007-09-26 18:22 <DIR> d-------- C:\Program Files\GPLGS
2007-09-26 18:19 81,920 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2007-09-26 18:19 49,152 --a------ C:\WINDOWS\system32\uninscpw.exe
2007-09-26 18:19 225,280 --a------ C:\WINDOWS\system32\cpwsave.exe
2007-09-26 18:19 <DIR> d-------- C:\Program Files\Acro Software
2007-09-18 13:47 <DIR> d-------- C:\VundoFix Backups
2007-09-18 12:28 <DIR> d-------- C:\Find It NT-2K-XP
2007-09-18 12:27 <DIR> d-------- C:\FindVirus
2007-09-17 13:28 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-09-16 07:41 <DIR> d-------- C:\Deckard
2007-09-16 07:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-16 07:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-29 05:54 15873 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2007-09-27 20:53 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-09-18 10:46 --------- d-------- C:\Program Files\SpywareBlaster
2007-09-13 21:37 --------- d-------- C:\Program Files\RegCleaner
2007-09-13 02:26 --------- d-------- C:\Program Files\Trend Micro
2007-09-08 10:57 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((( snapshot_2007-09-28_ 85548.65 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 16,384 2007-09-28 18:18:35 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 16,384 2007-09-28 18:18:35 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-09-28 18:18:35 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
----a-w 16,384 2007-09-26 22:45:10 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 16,384 2007-09-26 22:45:10 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-09-26 22:45:10 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-05-30 00:26]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-11-17 19:49]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003-07-14 22:57]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003-07-14 22:57]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 17:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-01-13 09:46]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-02-12 09:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2006-12-06 13:40]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-09-28 11:22 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2006-10-19 09:12 258048 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2003-06-20 07:03 110592 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
R3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;C:\WINDOWS\system32\drivers\wA301b.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 GTICARD;GTICARD;C:\WINDOWS\system32\DRIVERS\gticard.sys
S2 ntrtscan;OfficeScanNT RealTime Scan;C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
S2 tmlisten;OfficeScanNT Listener;C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\2.tmp
S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys
S3 SLClient;ScriptLogic Service;C:\WINDOWS\system32\SLClient.exe
S3 w70n51;Intel® PRO/Wireless 7100 Adapter 驅動程式;C:\WINDOWS\system32\DRIVERS\w70n51.sys
S4 UCEFDICQTZB;UCEFDICQTZB;C:\DOCUME~1\tmpadm\LOCALS~1\Temp\UCEFDICQTZB.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ca10f41-8407-11db-8bc6-806d6172696f}]
AutoRun\command- D:\START.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da3c64d3-380a-11dc-8d8b-000d566d563e}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PFW.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dde681f0-96da-11db-8c2a-000d566d563e}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-29 06:00:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\system32\cmd.exe [980] 0x836F7BC0


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-29 6:02:17
C:\ComboFix-quarantined-files.txt ... 2007-09-29 06:02
C:\ComboFix2.txt ... 2007-09-28 20:20
C:\ComboFix3.txt ... 2007-09-28 08:56
.
--- E O F ---


And HJT Startup list log:
StartupList report, 2007/9/29, 上午 06:26:22
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\ThisJackHi.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\ThisJackHi.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
IgfxTray = C:\WINDOWS\system32\igfxtray.exe
OfficeScanNT Monitor = "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
CJIMETIPSYNC = C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
PHIMETIPSYNC = C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
PRONoMgr.exe = C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
WinPatrol = C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.6.0\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Download Program Files:

[F-Secure Online Scanner 3.1]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\fscax.dll
CODEBASE = http://support.f-secure.com/ols/fscax.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 5,695 bytes
Report generated in 0.080 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#11 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:02:56 PM

Posted 29 September 2007 - 05:44 PM

Hi,

TeaTimer is going to give us a real headache fixing this.
If it won't stay disabled, please uninstall Spybot S & D until we are done.

When you have done that, create the same CFScript.txt I had you do last time & repeat the same instructions.
Post the new combofix.txt along with a new hijackthis log.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#12 BuBMY

BuBMY
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:56 PM

Posted 29 September 2007 - 09:20 PM

Hi, Blender,

The CFScript.txt worked this time; three Reg Loading Points were deleted by ComboFix.exe.

I noticed three strange loading points:
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\2.tmp
S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys
S4 UCEFDICQTZB;UCEFDICQTZB;C:\DOCUME~1\tmpadm\LOCALS~1\Temp\UCEFDICQTZB.exe


UCEFDICQTZB.exe was created while running RootkitUnhooker. I uninstalled it.

Here is the ComboFix Log:
ComboFix 07-09-21.2 - "tmpadm" 2007-09-30 9:47:12.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.886.1028.18.495 [GMT 8:00]
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-30 )))))))))))))))))))))))))))))))
.

2007-09-28 23:41 904,048 --a------ C:\fsbl.exe
2007-09-27 21:35 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-27 20:13 <DIR> drahs---- C:\autorun.inf
2007-09-26 18:22 <DIR> d-------- C:\Program Files\GPLGS
2007-09-26 18:19 81,920 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2007-09-26 18:19 49,152 --a------ C:\WINDOWS\system32\uninscpw.exe
2007-09-26 18:19 225,280 --a------ C:\WINDOWS\system32\cpwsave.exe
2007-09-26 18:19 <DIR> d-------- C:\Program Files\Acro Software
2007-09-18 13:47 <DIR> d-------- C:\VundoFix Backups
2007-09-18 12:28 <DIR> d-------- C:\Find It NT-2K-XP
2007-09-18 12:27 <DIR> d-------- C:\FindVirus
2007-09-17 13:28 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-09-16 07:41 <DIR> d-------- C:\Deckard
2007-09-16 07:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-16 07:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-15 22:58 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-30 09:38 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-29 05:54 15873 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2007-09-27 20:53 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-09-18 10:46 --------- d-------- C:\Program Files\SpywareBlaster
2007-09-13 21:37 --------- d-------- C:\Program Files\RegCleaner
2007-09-13 02:26 --------- d-------- C:\Program Files\Trend Micro
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-26 14:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 21:32 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 21:22 977920 --a------ C:\WINDOWS\explorer.exe
.

((((((((((((((((((((((((((((( snapshot_2007-09-28_ 85548.65 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 16,384 2007-09-30 01:43:04 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 16,384 2007-09-30 01:43:04 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-09-30 01:43:04 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
----a-w 16,384 2007-09-26 22:45:10 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 16,384 2007-09-26 22:45:10 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-09-26 22:45:10 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-05-30 00:26]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-11-17 19:49]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003-07-14 22:57]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003-07-14 22:57]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 17:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-01-13 09:46]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2006-12-06 13:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-09-28 11:22 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2006-10-19 09:12 258048 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2003-06-20 07:03 110592 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
R3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;C:\WINDOWS\system32\drivers\wA301b.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 GTICARD;GTICARD;C:\WINDOWS\system32\DRIVERS\gticard.sys
S2 ntrtscan;OfficeScanNT RealTime Scan;C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
S2 tmlisten;OfficeScanNT Listener;C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\2.tmp
S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys
S3 SLClient;ScriptLogic Service;C:\WINDOWS\system32\SLClient.exe
S3 w70n51;Intel® PRO/Wireless 7100 Adapter 驅動程式;C:\WINDOWS\system32\DRIVERS\w70n51.sys
S4 UCEFDICQTZB;UCEFDICQTZB;C:\DOCUME~1\tmpadm\LOCALS~1\Temp\UCEFDICQTZB.exe

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-30 09:50:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\system32\cmd.exe [3588] 0x839AE3B0


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-30 9:52:29
C:\ComboFix-quarantined-files.txt ... 2007-09-30 09:52
C:\ComboFix2.txt ... 2007-09-29 08:39
C:\ComboFix3.txt ... 2007-09-29 06:02
.
--- E O F ---


And here is the HJT startup list log:
StartupList report, 2007/9/30, 上午 10:04:41
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\ThisJackHi.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\ThisJackHi.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
IgfxTray = C:\WINDOWS\system32\igfxtray.exe
OfficeScanNT Monitor = "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
CJIMETIPSYNC = C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
PHIMETIPSYNC = C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
PRONoMgr.exe = C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre1.6.0\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Download Program Files:

[F-Secure Online Scanner 3.1]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\fscax.dll
CODEBASE = http://support.f-secure.com/ols/fscax.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

#13 BuBMY

BuBMY
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:56 PM

Posted 29 September 2007 - 10:56 PM

Sorry, I missed some lines when cutting & pasting the HJT Startup List log.

Here is the full list:

StartupList report, 2007/9/30, 上午 10:04:41
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\ThisJackHi.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\ThisJackHi.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
IgfxTray = C:\WINDOWS\system32\igfxtray.exe
OfficeScanNT Monitor = "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
CJIMETIPSYNC = C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
PHIMETIPSYNC = C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
PRONoMgr.exe = C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre1.6.0\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Download Program Files:

[F-Secure Online Scanner 3.1]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\fscax.dll
CODEBASE = http://support.f-secure.com/ols/fscax.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\ComboFix\fprops.vbs => C:\QooBox\Quarantine\C\ComboFix\FProps.vbs.vir||x

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 5,235 bytes
Report generated in 0.070 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#14 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:02:56 PM

Posted 30 September 2007 - 08:33 AM

Hi,

S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys <-- Intel network diagnostic tool
http://www.file.net/process/iqvw32.sys.html

S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\2.tmp <-- sophos antirootkit. You installed this at one time..
Sophos Anti-Rootkit 1.3 --> C:\Program Files\Sophos\Sophos Anti-Rootkit\helper.exe remove

http://www.siteadvisor.pl/sites/sophos.com...nloads/2781971/

UCEFDICQTZB <-- most likely your Ad-Watch was not allowing this item to be deleted when you uninstalled RKUnhooker.

Since you uninstalled it you can delete the leftover driver like this:

Click start> run> type cmd and hit enter.
Type the following command exactly as you see it and hit enter:

sc delete UCEFDICQTZB

Should get success message.

No need to reboot right away as service was already disabled.

I don't particularly like that hidden cmd process.

Download Gmer from here:

http://www.gmer.net/gmer.zip

Unzip it to its own folder.
Disconnect from internet & shut down Antivirus to prevent conflicts.
Shut down also any other unneeded apps including any open browser windows.
The less stuff we got running the less chance of false positives in log.
Double click gmer.exe to run it.
Allow driver to install if asked (gmer.sys)
You may get a warning at program start that there is possible rootkit activity, asking whether you want to run a scan.

Say OK to run scan.
If no warning, just click "scan".
Let the scan finish.
Once done press "save"
In the new window that pops up, give the log a name and save it someplace handy.
Press save.

Re-enable your antivirus, re-connect to internet & post that log here

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
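
As an added example (not code from this thread, nor from ComboFix, GMER or HijackThis), here is a small Python triage script that applies the reasoning in the reply above to the ComboFix service list: it parses the "R1/S3 name;display;image" lines under "Reg Loading Points" and flags entries whose binary sits in a *.tmp file or in a user's Temp folder, which is how MEMSWEEP2 and UCEFDICQTZB stood out. The sample lines are copied from the log posted earlier; the heuristics, class and function names are my own assumptions, and the "sc delete" cleanup it suggests is the step from the reply, meant only for entries whose owning product has already been uninstalled.

```python
"""Triage helper for the ComboFix service list ("R1 ..." / "S3 ..." lines).

Added example; it is not part of the thread and not code from ComboFix, GMER
or HijackThis. It parses the "<state><start> <name>;<display>;<image>" lines
that ComboFix prints under "Reg Loading Points" and flags entries whose
binary lives where no legitimate driver or service normally does: a *.tmp
file (MEMSWEEP2) or a user's Temp folder (UCEFDICQTZB).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: a handful of lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R3 GTICARD;GTICARD;C:\WINDOWS\system32\DRIVERS\gticard.sys
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\2.tmp
S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys
S4 UCEFDICQTZB;UCEFDICQTZB;C:\DOCUME~1\tmpadm\LOCALS~1\Temp\UCEFDICQTZB.exe
"""

# ComboFix format: first letter R (running) or S (stopped), digit = start type
# (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), then name;display;image.
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+)$"
)


@dataclass
class ServiceEntry:
    state: str          # "R" running or "S" stopped
    start_type: int     # 0..4 as printed by ComboFix
    name: str
    display: str
    image: str          # image path with the NT object-manager prefix removed
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def normalise_image(image: str) -> str:
    """Strip quoting and the NT object-manager prefix ComboFix preserves."""
    path = image.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    return path


def parse_services(text: str) -> List[ServiceEntry]:
    entries = []
    for line in text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue  # blank lines and anything that is not a service line
        entries.append(ServiceEntry(
            state=m["state"], start_type=int(m["start"]),
            name=m["name"].strip(), display=m["display"].strip(),
            image=normalise_image(m["image"]),
        ))
    return entries


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach findings using the location heuristics discussed in this thread."""
    low = entry.image.lower()
    if low.endswith(".tmp"):
        entry.findings.append("image is a .tmp file (MEMSWEEP2-style leftover)")
    if "\\temp\\" in low or "\\locals~1\\" in low:
        entry.findings.append("image lives in a Temp folder")
    if low.startswith("c:\\docume~1\\") or low.startswith("c:\\documents and settings\\"):
        entry.findings.append("image lives inside a user profile")
    return entry


def triage_log(text: str) -> List[ServiceEntry]:
    """Return only the entries worth a second look, in log order."""
    return [e for e in map(triage, parse_services(text)) if e.suspicious]


def cleanup_command(entry: ServiceEntry) -> Optional[str]:
    """The removal step from the reply above, only for entries that are already
    stopped; a running (R) entry should be stopped or uninstalled first."""
    if entry.suspicious and entry.state == "S":
        return f"sc delete {entry.name}"
    return None


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.name:<12} {e.image}")
        for finding in e.findings:
            print(f"    - {finding}")
        print(f"    cleanup: {cleanup_command(e)}")
```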

#15 BuBMY

BuBMY
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:56 PM

Posted 01 October 2007 - 10:30 AM

Hi, Blender,

Here is the GMER scan log:
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-10-01 23:25:28
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwClose
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcess
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcessEx
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateThread
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteValueKey
SSDT \SystemRoot\system32\drivers\khips.sys ZwLoadDriver
SSDT \SystemRoot\system32\drivers\khips.sys ZwMapViewOfSection
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwResumeThread
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSetInformationFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSetValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwWriteFile

---- Kernel code sections - GMER 1.0.13 ----

.text ntoskrnl.exe!_abnormal_termination + 120 804E377C 1 Byte [ 80 ]
.text ntoskrnl.exe!_abnormal_termination + 122 804E377E 2 Bytes [ 6A, EE ]
PAGENDSM NDIS.sys!NdisMIndicateStatus F74EDA5F 6 Bytes JMP EE6A1ED0 \SystemRoot\system32\drivers\fwdrv.sys

---- User code sections - GMER 1.0.13 ----

.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[256] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[256] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[256] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[256] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[256] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[256] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[256] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[256] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[256] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[256] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[256] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[256] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[256] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[256] WS2_32.dll!socket 71A13B91 5 Bytes JMP 001308C4
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[256] WS2_32.dll!bind 71A13E00 5 Bytes JMP 00130838
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[256] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00130950
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[256] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[256] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\RegSrvc.exe[440] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001401A8
.text C:\WINDOWS\system32\RegSrvc.exe[440] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00140090
.text C:\WINDOWS\system32\RegSrvc.exe[440] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00140694
.text C:\WINDOWS\system32\RegSrvc.exe[440] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001402C0
.text C:\WINDOWS\system32\RegSrvc.exe[440] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00140234
.text C:\WINDOWS\system32\RegSrvc.exe[440] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00140004
.text C:\WINDOWS\system32\RegSrvc.exe[440] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0014011C
.text C:\WINDOWS\system32\RegSrvc.exe[440] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001404F0
.text C:\WINDOWS\system32\RegSrvc.exe[440] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0014057C
.text C:\WINDOWS\system32\RegSrvc.exe[440] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001403D8
.text C:\WINDOWS\system32\RegSrvc.exe[440] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0014034C
.text C:\WINDOWS\system32\RegSrvc.exe[440] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00140464
.text C:\WINDOWS\system32\RegSrvc.exe[440] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00140608
.text C:\WINDOWS\system32\RegSrvc.exe[440] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 001407AC
.text C:\WINDOWS\system32\RegSrvc.exe[440] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00140720
.text C:\WINDOWS\System32\alg.exe[988] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\alg.exe[988] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\alg.exe[988] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\alg.exe[988] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\alg.exe[988] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\alg.exe[988] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\alg.exe[988] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\alg.exe[988] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\alg.exe[988] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\alg.exe[988] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\alg.exe[988] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\alg.exe[988] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\alg.exe[988] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\alg.exe[988] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\alg.exe[988] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\alg.exe[988] WS2_32.dll!socket 71A13B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\alg.exe[988] WS2_32.dll!bind 71A13E00 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\alg.exe[988] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\csrss.exe[1056] KERNEL32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001601A8
.text C:\WINDOWS\system32\csrss.exe[1056] KERNEL32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00160090
.text C:\WINDOWS\system32\csrss.exe[1056] KERNEL32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00160694
.text C:\WINDOWS\system32\csrss.exe[1056] KERNEL32.dll!CreateProcessW 7C802332 5 Bytes JMP 001602C0
.text C:\WINDOWS\system32\csrss.exe[1056] KERNEL32.dll!CreateProcessA 7C802367 5 Bytes JMP 00160234
.text C:\WINDOWS\system32\csrss.exe[1056] KERNEL32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00160004
.text C:\WINDOWS\system32\csrss.exe[1056] KERNEL32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0016011C
.text C:\WINDOWS\system32\csrss.exe[1056] KERNEL32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001604F0
.text C:\WINDOWS\system32\csrss.exe[1056] KERNEL32.dll!CreateThread 7C810637 5 Bytes JMP 0016057C
.text C:\WINDOWS\system32\csrss.exe[1056] KERNEL32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001603D8
.text C:\WINDOWS\system32\csrss.exe[1056] KERNEL32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0016034C
.text C:\WINDOWS\system32\csrss.exe[1056] KERNEL32.dll!WinExec 7C86136D 5 Bytes JMP 00160464
.text C:\WINDOWS\system32\csrss.exe[1056] KERNEL32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00160608
.text C:\WINDOWS\system32\csrss.exe[1056] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 001607AC
.text C:\WINDOWS\system32\csrss.exe[1056] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00160720
.text C:\WINDOWS\system32\winlogon.exe[1080] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\winlogon.exe[1080] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\winlogon.exe[1080] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\winlogon.exe[1080] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\winlogon.exe[1080] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\winlogon.exe[1080] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\winlogon.exe[1080] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\winlogon.exe[1080] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\winlogon.exe[1080] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\winlogon.exe[1080] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\winlogon.exe[1080] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\winlogon.exe[1080] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\winlogon.exe[1080] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\winlogon.exe[1080] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\winlogon.exe[1080] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00070720
.text C:\WINDOWS\system32\winlogon.exe[1080] WS2_32.dll!socket 71A13B91 5 Bytes JMP 000708C4
.text C:\WINDOWS\system32\winlogon.exe[1080] WS2_32.dll!bind 71A13E00 5 Bytes JMP 00070838
.text C:\WINDOWS\system32\winlogon.exe[1080] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00070950
.text C:\WINDOWS\system32\winlogon.exe[1080] WININET.dll!InternetOpenW 7668AEFD 5 Bytes JMP 00070DB0
.text C:\WINDOWS\system32\winlogon.exe[1080] WININET.dll!InternetConnectA 766930E3 5 Bytes JMP 00070F54
.text C:\WINDOWS\system32\winlogon.exe[1080] WININET.dll!InternetOpenA 766958DA 5 Bytes JMP 00070D24
.text C:\WINDOWS\system32\winlogon.exe[1080] WININET.dll!InternetOpenUrlA 76695B8D 5 Bytes JMP 00070E3C
.text C:\WINDOWS\system32\winlogon.exe[1080] WININET.dll!InternetConnectW 7669EE28 5 Bytes JMP 00070FE0
.text C:\WINDOWS\system32\winlogon.exe[1080] WININET.dll!InternetOpenUrlW 766A5B7A 5 Bytes JMP 00070EC8
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\services.exe[1124] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\services.exe[1124] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\services.exe[1124] WS2_32.dll!socket 71A13B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\services.exe[1124] WS2_32.dll!bind 71A13E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\services.exe[1124] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\savedump.exe[1136] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\savedump.exe[1136] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\savedump.exe[1136] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\savedump.exe[1136] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\savedump.exe[1136] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\savedump.exe[1136] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\savedump.exe[1136] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\savedump.exe[1136] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\savedump.exe[1136] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\savedump.exe[1136] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\savedump.exe[1136] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\savedump.exe[1136] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\savedump.exe[1136] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\savedump.exe[1136] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\savedump.exe[1136] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\lsass.exe[1144] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\lsass.exe[1144] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\lsass.exe[1144] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\lsass.exe[1144] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\lsass.exe[1144] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\lsass.exe[1144] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\lsass.exe[1144] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\lsass.exe[1144] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\lsass.exe[1144] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\lsass.exe[1144] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\lsass.exe[1144] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\lsass.exe[1144] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\lsass.exe[1144] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\lsass.exe[1144] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\lsass.exe[1144] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\lsass.exe[1144] WS2_32.dll!socket 71A13B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\lsass.exe[1144] WS2_32.dll!bind 71A13E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\lsass.exe[1144] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1332] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1332] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1332] WS2_32.dll!socket 71A13B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1332] WS2_32.dll!bind 71A13E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1332] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1428] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1428] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1428] WS2_32.dll!socket 71A13B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1428] WS2_32.dll!bind 71A13E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1428] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[1468] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[1468] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[1468] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[1468] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[1468] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[1468] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[1468] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[1468] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[1468] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[1468] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[1468] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[1468] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[1468] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[1468] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[1468] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\svchost.exe[1468] WS2_32.dll!socket 71A13B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\svchost.exe[1468] WS2_32.dll!bind 71A13E00 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\svchost.exe[1468] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[1468] WININET.dll!InternetOpenW 7668AEFD 5 Bytes JMP 00080DB0
.text C:\WINDOWS\System32\svchost.exe[1468] WININET.dll!InternetConnectA 766930E3 5 Bytes JMP 00080F54
.text C:\WINDOWS\System32\svchost.exe[1468] WININET.dll!InternetOpenA 766958DA 5 Bytes JMP 00080D24
.text C:\WINDOWS\System32\svchost.exe[1468] WININET.dll!InternetOpenUrlA 76695B8D 5 Bytes JMP 00080E3C
.text C:\WINDOWS\System32\svchost.exe[1468] WININET.dll!InternetConnectW 7669EE28 5 Bytes JMP 00080FE0
.text C:\WINDOWS\System32\svchost.exe[1468] WININET.dll!InternetOpenUrlW 766A5B7A 5 Bytes JMP 00080EC8
.text C:\WINDOWS\system32\S24EvMon.exe[1536] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\S24EvMon.exe[1536] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\S24EvMon.exe[1536] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\S24EvMon.exe[1536] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\S24EvMon.exe[1536] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\S24EvMon.exe[1536] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\S24EvMon.exe[1536] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\S24EvMon.exe[1536] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\S24EvMon.exe[1536] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\S24EvMon.exe[1536] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\S24EvMon.exe[1536] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\S24EvMon.exe[1536] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\S24EvMon.exe[1536] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\S24EvMon.exe[1536] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\S24EvMon.exe[1536] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1672] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1672] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1672] WS2_32.dll!socket 71A13B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1672] WS2_32.dll!bind 71A13E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1672] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1736] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1736] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1736] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1736] WS2_32.dll!socket 71A13B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1736] WS2_32.dll!bind 71A13E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1736] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1736] WININET.dll!InternetOpenW 7668AEFD 5 Bytes JMP 00080DB0
.text C:\WINDOWS\system32\svchost.exe[1736] WININET.dll!InternetConnectA 766930E3 5 Bytes JMP 00080F54
.text C:\WINDOWS\system32\svchost.exe[1736] WININET.dll!InternetOpenA 766958DA 5 Bytes JMP 00080D24
.text C:\WINDOWS\system32\svchost.exe[1736] WININET.dll!InternetOpenUrlA 76695B8D 5 Bytes JMP 00080E3C
.text C:\WINDOWS\system32\svchost.exe[1736] WININET.dll!InternetConnectW 7669EE28 5 Bytes JMP 00080FE0
.text C:\WINDOWS\system32\svchost.exe[1736] WININET.dll!InternetOpenUrlW 766A5B7A 5 Bytes JMP 00080EC8
.text C:\WINDOWS\system32\ZCfgSvc.exe[1924] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001401A8
.text C:\WINDOWS\system32\ZCfgSvc.exe[1924] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00140090
.text C:\WINDOWS\system32\ZCfgSvc.exe[1924] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00140694
.text C:\WINDOWS\system32\ZCfgSvc.exe[1924] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001402C0
.text C:\WINDOWS\system32\ZCfgSvc.exe[1924] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00140234
.text C:\WINDOWS\system32\ZCfgSvc.exe[1924] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00140004
.text C:\WINDOWS\system32\ZCfgSvc.exe[1924] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0014011C
.text C:\WINDOWS\system32\ZCfgSvc.exe[1924] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001404F0
.text C:\WINDOWS\system32\ZCfgSvc.exe[1924] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0014057C
.text C:\WINDOWS\system32\ZCfgSvc.exe[1924] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001403D8
.text C:\WINDOWS\system32\ZCfgSvc.exe[1924] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0014034C
.text C:\WINDOWS\system32\ZCfgSvc.exe[1924] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00140464
.text C:\WINDOWS\system32\ZCfgSvc.exe[1924] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00140608
.text C:\WINDOWS\system32\ZCfgSvc.exe[1924] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 001407AC
.text C:\WINDOWS\system32\ZCfgSvc.exe[1924] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00140720
.text C:\WINDOWS\system32\ZCfgSvc.exe[1924] WS2_32.dll!socket 71A13B91 5 Bytes JMP 001408C4
.text C:\WINDOWS\system32\ZCfgSvc.exe[1924] WS2_32.dll!bind 71A13E00 5 Bytes JMP 00140838
.text C:\WINDOWS\system32\ZCfgSvc.exe[1924] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00140950
.text C:\WINDOWS\System32\SCardSvr.exe[1940] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\SCardSvr.exe[1940] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\SCardSvr.exe[1940] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\SCardSvr.exe[1940] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\SCardSvr.exe[1940] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\SCardSvr.exe[1940] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\SCardSvr.exe[1940] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\SCardSvr.exe[1940] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\SCardSvr.exe[1940] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\SCardSvr.exe[1940] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\SCardSvr.exe[1940] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\SCardSvr.exe[1940] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\SCardSvr.exe[1940] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\SCardSvr.exe[1940] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\SCardSvr.exe[1940] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\1XConfig.exe[2268] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\1XConfig.exe[2268] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\1XConfig.exe[2268] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\1XConfig.exe[2268] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\1XConfig.exe[2268] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\1XConfig.exe[2268] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\1XConfig.exe[2268] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\1XConfig.exe[2268] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\1XConfig.exe[2268] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\1XConfig.exe[2268] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\1XConfig.exe[2268] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\1XConfig.exe[2268] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\1XConfig.exe[2268] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\1XConfig.exe[2268] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\1XConfig.exe[2268] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\1XConfig.exe[2268] WS2_32.dll!socket 71A13B91 5 Bytes JMP 001308C4
.text C:\WINDOWS\system32\1XConfig.exe[2268] WS2_32.dll!bind 71A13E00 5 Bytes JMP 00130838
.text C:\WINDOWS\system32\1XConfig.exe[2268] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00130950
.text C:\WINDOWS\Explorer.EXE[2284] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\Explorer.EXE[2284] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\Explorer.EXE[2284] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\Explorer.EXE[2284] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\Explorer.EXE[2284] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\Explorer.EXE[2284] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\Explorer.EXE[2284] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\Explorer.EXE[2284] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\Explorer.EXE[2284] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\Explorer.EXE[2284] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\Explorer.EXE[2284] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\Explorer.EXE[2284] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\Explorer.EXE[2284] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\Explorer.EXE[2284] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\Explorer.EXE[2284] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\Explorer.EXE[2284] WININET.dll!InternetOpenW 7668AEFD 5 Bytes JMP 00080DB0
.text C:\WINDOWS\Explorer.EXE[2284] WININET.dll!InternetConnectA 766930E3 5 Bytes JMP 00080F54
.text C:\WINDOWS\Explorer.EXE[2284] WININET.dll!InternetOpenA 766958DA 5 Bytes JMP 00080D24
.text C:\WINDOWS\Explorer.EXE[2284] WININET.dll!InternetOpenUrlA 76695B8D 5 Bytes JMP 00080E3C
.text C:\WINDOWS\Explorer.EXE[2284] WININET.dll!InternetConnectW 7669EE28 5 Bytes JMP 00080FE0
.text C:\WINDOWS\Explorer.EXE[2284] WININET.dll!InternetOpenUrlW 766A5B7A 5 Bytes JMP 00080EC8
.text C:\WINDOWS\Explorer.EXE[2284] WS2_32.dll!socket 71A13B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\Explorer.EXE[2284] WS2_32.dll!bind 71A13E00 5 Bytes JMP 00080838
.text C:\WINDOWS\Explorer.EXE[2284] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\wuauclt.exe[2416] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\wuauclt.exe[2416] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\wuauclt.exe[2416] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\wuauclt.exe[2416] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\wuauclt.exe[2416] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\wuauclt.exe[2416] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\wuauclt.exe[2416] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\wuauclt.exe[2416] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\wuauclt.exe[2416] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\wuauclt.exe[2416] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\wuauclt.exe[2416] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\wuauclt.exe[2416] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\wuauclt.exe[2416] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\wuauclt.exe[2416] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\wuauclt.exe[2416] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\wuauclt.exe[2416] WS2_32.dll!socket 71A13B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\wuauclt.exe[2416] WS2_32.dll!bind 71A13E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\wuauclt.exe[2416] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00080950
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001401A8
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00140090
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00140694
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001402C0
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00140234
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00140004
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0014011C
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001404F0
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0014057C
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001403D8
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0014034C
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00140464
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00140608
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 001407AC
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00140720
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] WS2_32.dll!socket 71A13B91 5 Bytes JMP 001408C4
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] WS2_32.dll!bind 71A13E00 5 Bytes JMP 00140838
.text C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00140950
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00130720
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] WININET.dll!InternetOpenW 7668AEFD 5 Bytes JMP 00130DB0
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] WININET.dll!InternetConnectA 766930E3 5 Bytes JMP 00130F54
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] WININET.dll!InternetOpenA 766958DA 5 Bytes JMP 00130D24
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] WININET.dll!InternetOpenUrlA 76695B8D 5 Bytes JMP 00130E3C
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] WININET.dll!InternetConnectW 7669EE28 5 Bytes JMP 00130FE0
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2588] WININET.dll!InternetOpenUrlW 766A5B7A 5 Bytes JMP 00130EC8
.text C:\WINDOWS\system32\ctfmon.exe[2628] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\ctfmon.exe[2628] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\ctfmon.exe[2628] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\ctfmon.exe[2628] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\ctfmon.exe[2628] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\ctfmon.exe[2628] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\ctfmon.exe[2628] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\ctfmon.exe[2628] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\ctfmon.exe[2628] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\ctfmon.exe[2628] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\ctfmon.exe[2628] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\ctfmon.exe[2628] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\ctfmon.exe[2628] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\ctfmon.exe[2628] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\ctfmon.exe[2628] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00080720
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2712] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2712] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2712] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2712] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2712] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2712] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2712] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2712] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2712] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2712] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2712] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2712] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2712] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2712] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2712] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00130720
.text C:\Documents and Settings\tmpadm\桌面\gmer.exe[3148] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Documents and Settings\tmpadm\桌面\gmer.exe[3148] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Documents and Settings\tmpadm\桌面\gmer.exe[3148] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Documents and Settings\tmpadm\桌面\gmer.exe[3148] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Documents and Settings\tmpadm\桌面\gmer.exe[3148] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Documents and Settings\tmpadm\桌面\gmer.exe[3148] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Documents and Settings\tmpadm\桌面\gmer.exe[3148] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Documents and Settings\tmpadm\桌面\gmer.exe[3148] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Documents and Settings\tmpadm\桌面\gmer.exe[3148] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Documents and Settings\tmpadm\桌面\gmer.exe[3148] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Documents and Settings\tmpadm\桌面\gmer.exe[3148] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Documents and Settings\tmpadm\桌面\gmer.exe[3148] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Documents and Settings\tmpadm\桌面\gmer.exe[3148] kernel32.dll!SetThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\Documents and Settings\tmpadm\桌面\gmer.exe[3148] USER32.dll!SetWindowsHookExW 77D2DDB5 5 Bytes JMP 001307AC
.text C:\Documents and Settings\tmpadm\桌面\gmer.exe[3148] USER32.dll!SetWindowsHookExA 77D311D1 5 Bytes JMP 00130720

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EE6A1CE0] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EE6A1D00] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EE6A1D90] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EE6A1DC0] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EE6A1D90] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EE6A1D00] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EE6A1CE0] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisClCloseCall] [EE6A2680] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisClMakeCall] [EE6A2580] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCoDeleteVc] [EE6A24C0] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCoCreateVc] [EE6A2360] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [EE6A1CE0] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [EE6A1D00] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisClOpenAddressFamily] [EE6A2BB0] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisClCloseAddressFamily] [EE6A2E70] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCoSendPackets] [EE6A2210] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [EE6A1DC0] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [EE6A1D90] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisOpenAdapter] [EE6A1D00] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisRegisterProtocol] [EE6A1D90] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisCloseAdapter] [EE6A1CE0] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisDeregisterProtocol] [EE6A1DC0] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EE6A1D90] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [EE6A1DC0] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EE6A1CE0] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EE6A1D00] \SystemRoot\system32\drivers\fwdrv.sys

---- User IAT/EAT - GMER 1.0.13 ----

IAT C:\WINDOWS\system32\RegSrvc.exe[440] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\RegSrvc.exe[440] @ C:\WINDOWS\system32\RPCRT4.dll [ADVAPI32.dll!OpenServiceW] [5862065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\WINDOWS\system32\RegSrvc.exe[440] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\RegSrvc.exe[440] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\RegSrvc.exe[440] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\RegSrvc.exe[440] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\RegSrvc.exe[440] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!ControlService] [58620680] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\WINDOWS\system32\RegSrvc.exe[440] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!OpenServiceW] [5862065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\WINDOWS\system32\RegSrvc.exe[440] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\RegSrvc.exe[440] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\RegSrvc.exe[440] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\RPCRT4.dll [ADVAPI32.dll!OpenServiceW] [5862065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!ControlService] [58620680] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!OpenServiceW] [5862065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\WS2HELP.dll [ADVAPI32.dll!OpenServiceA] [5862063A] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!OpenServiceW] [5862065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!ControlService] [58620680] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\NETAPI32.dll [ADVAPI32.dll!OpenServiceA] [5862063A] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\NETAPI32.dll [ADVAPI32.dll!ControlService] [58620680] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\NETAPI32.dll [ADVAPI32.dll!OpenServiceW] [5862065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\WINDOWS\system32\ZCfgSvc.exe[1924] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] @ C:\WINDOWS\system32\RPCRT4.dll [ADVAPI32.dll!OpenServiceW] [5862065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!ControlService] [58620680] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!OpenServiceW] [5862065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] @ C:\WINDOWS\system32\WS2HELP.dll [ADVAPI32.dll!OpenServiceA] [5862063A] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe[2580] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll

---- Devices - GMER 1.0.13 ----

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [EE5776C0] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [EE57702E] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [EE5775EE] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [EE577F84] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [EE577006] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [EE571B8A] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [EE571B8A] TmPreFlt.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [EE6895B0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [804FC8DE] ntoskrnl.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [804FC8DE] ntoskrnl.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [804FC8DE] ntoskrnl.exe
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [804FC8DE] ntoskrnl.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [EE6895B0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [804FC8DE] ntoskrnl.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [804FC8DE] ntoskrnl.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [804FC8DE] ntoskrnl.exe
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [804FC8DE] ntoskrnl.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [EE6895B0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [804FC8DE] ntoskrnl.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [804FC8DE] ntoskrnl.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [804FC8DE] ntoskrnl.exe
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [804FC8DE] ntoskrnl.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [EE6895B0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [804FC8DE] ntoskrnl.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [EE6894A0] fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [804FC8DE] ntoskrnl.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [804FC8DE] ntoskrnl.exe
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [804FC8DE] ntoskrnl.exe

---- EOF - GMER 1.0.13 ----
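Triage helper, added here as an example and not part of the original post or of GMER itself: it parses the three record types in the log above (user-mode inline `.text` hooks, kernel and user `IAT` entries, and `AttachedDevice` entries), groups hooks by the module that owns them, and flags the two things worth checking by hand. The first is inline hooks whose JMP target GMER could not attribute to any module (every `.text` line above is of this kind, and the targets cluster in one small region per process). The second is hook owners not on an allowlist. The allowlist is an assumption for the example: the names match a personal-firewall driver (fwdrv.sys), a Trend Micro filter driver (TmPreFlt.sys) and the Windows application-compatibility shim engine (ShimEng.dll, AcGenral.DLL), but the on-disk files should be verified (path, digital signature) before they are trusted. The sample lines are constructed by copying a few entries from the log formats above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a few lines copied from the GMER log formats above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\wuauclt.exe[2416] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\wuauclt.exe[2416] WS2_32.dll!connect 71A1406A 5 Bytes JMP 00080950
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EE6A1D90] \SystemRoot\system32\drivers\fwdrv.sys
IAT C:\WINDOWS\system32\RegSrvc.exe[440] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5C2E7774] C:\WINDOWS\system32\ShimEng.dll
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [EE5776C0] TmPreFlt.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [804FC8DE] ntoskrnl.exe
"""

# One regex per GMER record type. The trailing owner on a ".text" line is
# optional: GMER prints it only when it can map the JMP target to a module.
INLINE = re.compile(
    r'^\.text (?P<where>.+?)\[(?P<pid>\d+)\] (?P<what>\S+) (?P<addr>[0-9A-F]{8}) '
    r'\d+ Bytes JMP (?P<target>[0-9A-F]{8})(?: (?P<owner>.+))?$')
USER_IAT = re.compile(
    r'^IAT (?P<where>.+?)\[(?P<pid>\d+)\] @ (?P<dll>.+?) \[(?P<what>[^\]]+)\] '
    r'\[(?P<addr>[0-9A-F]{8})\] (?P<owner>.+)$')
KERNEL_IAT = re.compile(
    r'^IAT (?P<where>\S+)\[(?P<what>[^\]]+)\] \[(?P<addr>[0-9A-F]{8})\] (?P<owner>.+)$')
DEVICE = re.compile(
    r'^AttachedDevice (?P<where>\S+ \S+) (?P<what>IRP_MJ_\w+) \[(?P<addr>[0-9A-F]{8})\] (?P<owner>\S+)$')


@dataclass
class Hook:
    kind: str                 # "inline", "iat" or "device"
    where: str                # process, driver image or device object being hooked
    pid: Optional[int]        # process id for user-mode records, else None
    what: str                 # API, imported function or IRP major function
    addr: int                 # address of the patched entry / IAT slot / dispatch entry
    target: Optional[int]     # JMP destination for inline hooks
    owner: Optional[str]      # lowercase basename of the hooking module, None if unresolved


def _basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def parse_gmer(text: str) -> List[Hook]:
    """Parse the hook records of a GMER log; lines of other kinds are skipped."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in (("inline", INLINE), ("iat", USER_IAT), ("iat", KERNEL_IAT), ("device", DEVICE)):
            m = rx.match(line)
            if m:
                g = m.groupdict()
                hooks.append(Hook(
                    kind=kind, where=g["where"],
                    pid=int(g["pid"]) if g.get("pid") else None,
                    what=g["what"], addr=int(g["addr"], 16),
                    target=int(g["target"], 16) if g.get("target") else None,
                    owner=_basename(g["owner"]) if g.get("owner") else None))
                break
    return hooks


def hooks_by_owner(hooks: List[Hook]) -> Dict[str, int]:
    """Count hooks per owning module; unattributed inline hooks are grouped as <unresolved>."""
    counts: Dict[str, int] = defaultdict(int)
    for h in hooks:
        counts[h.owner or "<unresolved>"] += 1
    return dict(counts)


# Assumption for this example: modules an analyst has already verified on disk.
ASSUMED_ALLOWLIST = {"fwdrv.sys", "tmpreflt.sys", "shimeng.dll", "acgenral.dll", "ntoskrnl.exe"}


def triage(hooks: List[Hook], allowlist=ASSUMED_ALLOWLIST) -> Dict[str, object]:
    """Flag owners not on the allowlist and, per process, the address range the
    unattributed inline-hook stubs live in (the region to dump and inspect)."""
    unknown: Dict[str, int] = defaultdict(int)
    stub_regions: Dict[Tuple[str, Optional[int]], Tuple[int, int]] = {}
    for h in hooks:
        if h.owner is None and h.target is not None:
            key = (h.where, h.pid)
            lo, hi = stub_regions.get(key, (h.target, h.target))
            stub_regions[key] = (min(lo, h.target), max(hi, h.target))
        elif h.owner is not None and h.owner not in allowlist:
            unknown[h.owner] += 1
    return {"unknown_owners": dict(unknown), "unresolved_stub_regions": stub_regions}


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    print("hooks per owner:", hooks_by_owner(parsed))
    result = triage(parsed)
    print("owners not on allowlist:", result["unknown_owners"])
    for (proc, pid), (lo, hi) in result["unresolved_stub_regions"].items():
        print(f"unresolved stubs in {proc}[{pid}]: {lo:08X}-{hi:08X}")
```

The unresolved stub regions are the part to follow up on: dump that range from one affected process and identify what allocated it, because a HIPS or personal firewall injecting its own trampolines and a malicious injector produce the same picture in a GMER listing.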
