Xp Antivirus 2008 Destroying My Pc!


31 replies to this topic

#1 Jason B

Jason B

  • Members
  • 66 posts
  • Local time:07:20 AM

Posted 06 August 2008 - 02:04 PM

I don't know how this happened, but I have the xp antivirus 2008 virus. I did a lot of internet searching, then found this forum.

So far I have run the malwarebytes program, and rebooted. This seemed to get rid of the virus, but I still can't:

1) Ctrl/Alt/Delete (gives administrator error when I try it)
regedit (gives admin error when I try to run it)

2) Upon reboot, I get this error from windows:

"Windows cannot open this file" File: wpx121.cpx

3) All my system restore points seem to be gone or are missing??? Will these come back when this is fixed?

_______________________________________________________________________________
Here is my hijackthis log. I really need help asap, as I can't get any work done with this issue.


Scan saved at 2:56:20 PM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe
C:\HP\KBD\KBD.EXE
C:\OLD_D\Program Files\aim5_9\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\OLD_D\Program Files\Snagit\SnagIt32.exe
C:\OLD_D\Program Files\Snagit\TSCHelp.exe
C:\OLD_D\Program Files\Snagit\SnagPriv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\OLD_D\Program Files\dap\DAP.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.135.158.106:80:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\system32\wpx121.cpx"
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\mq30whq9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://c%3A%5COLD_D%5CProgram%20Files%5Cntscape7%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\mq30whq9.slt\prefs.js)
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\OLD_D\Program Files\Snagit\SnagItBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\OLD_D\PROGRA~1\dap\dapiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\OLD_D\Program Files\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\OLD_D\Program Files\Snagit\SnagItIEAddin.dll
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SMSI Loader] C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe /PRNDRV
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\OLD_D\Program Files\aim5_9\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SnagIt 8.lnk = C:\OLD_D\Program Files\Snagit\SnagIt32.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download with &DAP - C:\OLD_D\PROGRA~1\dap\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O15 - Trusted Zone: http://www.burtmanindustries.com
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7508 bytes
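A small triage script for the HijackThis log above, added here as an example (it is not part of the thread and not HijackThis itself): it parses the `Tn - body` entry lines and flags the entry types that in this log identify the infection, namely the F2 `Shell=` entry with a second program appended, the R1 `ProxyServer` setting, the O7 policy restriction behind the "disabled by administrator" errors, and add-on entries with no file. The sample lines are copied from the log posted above; the severity labels and rules are the example's own.

```python
"""Triage helper for a HijackThis v2 log.

Added example for this thread; it is not part of HijackThis or of the
original post.  It parses the "Tn - body" entry lines and flags the entry
types that, in the log above, identify the infection.
"""
import re

# Sample entries copied from the HijackThis log posted above (raw string, so
# the Windows backslashes are kept literally).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.135.158.106:80:8080
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\system32\wpx121.cpx"
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
"""

# Every HijackThis entry line has the shape "<letter><digits> - <body>".
ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_entry(line):
    """Return (type, body) for an entry line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("type"), m.group("body")) if m else None


def check_entry(etype, body):
    """Return (severity, reason) if the entry deserves attention, else None."""
    if etype == "F2" and "Shell=" in body:
        # The system.ini Shell= value should be exactly Explorer.exe; anything
        # appended is a second program started together with the desktop shell.
        shell_value = body.split("Shell=", 1)[1].strip()
        if shell_value.lower() != "explorer.exe":
            return "high", "extra program appended to Shell=: " + shell_value
    elif etype in ("R0", "R1") and "ProxyServer" in body:
        # A proxy the user did not configure routes all browser traffic elsewhere.
        value = body.split("=", 1)[1].strip()
        if value:
            return "high", "system proxy configured: " + value
    elif etype == "O7":
        # Policies\System restrictions such as DisableRegedit=1 are what block
        # regedit and Task Manager with an "administrator" error.
        return "high", "restriction policy set: " + body.rsplit(",", 1)[-1].strip()
    elif etype in ("O2", "O3") and body.endswith("(no file)"):
        return "review", "add-on registered but its file is missing"
    elif etype == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is loaded into every process that uses user32.dll.
        value = body.split(":", 1)[1].strip()
        if value:
            return "high", "AppInit_DLLs value present: " + value
    elif etype == "O20" and body.startswith("Winlogon Notify:"):
        return "review", "DLL loaded by winlogon.exe; confirm the publisher"
    return None


def triage(text):
    """Scan a whole log; return a list of (severity, type, reason, line)."""
    findings = []
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        etype, body = parsed
        verdict = check_entry(etype, body)
        if verdict is not None:
            findings.append((verdict[0], etype, verdict[1], line.strip()))
    return findings


if __name__ == "__main__":
    for severity, etype, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {etype:4} {reason}\n         {line}")
```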


#2 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:01:20 PM

Posted 06 August 2008 - 02:24 PM

Please download Combofix to your desktop.
Double-click combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

#3 Jason B

Jason B
  • Topic Starter

  • Members
  • 66 posts
  • Local time:07:20 AM

Posted 06 August 2008 - 02:57 PM

Ok, ran ComboFix; it just finished and did reboot, but I got 4-5 errors while it was doing this. One was "registry editor disabled by administrator", another "notepad .dll missing", or something, and I can't remember the rest. But here is the info you asked for.

combofix log:

ComboFix 08-08-06.01 - Owner 2008-08-06 15:27:16.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.572 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\54809\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\E7WKAKN5\interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\E7WKAKN5\interclick.com\ud.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\Memman.vxd
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\nqtss.ini2
C:\WINDOWS\system32\nqtss.tmp
C:\WINDOWS\system32\shell31.dll
C:\WINDOWS\system32\skinboxer43.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\wiaservb.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV


((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-06 13:46 . 2008-08-06 13:46 222,207 -r-hs---- C:\rddawm.pif
2008-08-06 12:44 . 2008-08-06 12:44 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 12:44 . 2008-08-06 12:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-06 12:44 . 2008-08-06 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-06 12:44 . 2008-07-30 20:14 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-06 12:44 . 2008-07-30 20:14 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-06 12:00 . 2008-08-06 12:00 7,680 --a------ C:\WINDOWS\system32\wpx121.cpx
2008-08-01 01:05 . 2008-08-01 01:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\dvdcss
2008-08-01 01:03 . 2008-08-01 01:03 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-26 11:39 . 2008-08-01 08:23 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-13 18:09 . 2008-07-13 18:09 244 --ah----- C:\sqmnoopt00.sqm
2008-07-13 18:09 . 2008-07-13 18:09 232 --ah----- C:\sqmdata00.sqm
2008-07-10 00:25 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 17:43 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-06 08:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-08-01 15:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 17:22 --------- d-----w C:\Program Files\7-Zip
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 17:50 --------- d-----w C:\Program Files\RAR Password Cracker
2008-06-06 17:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\ESTsoft
2008-06-06 17:07 --------- d-----w C:\Program Files\ESTsoft
2007-05-23 02:28 24,192 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-05-23 02:28 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
2007-05-23 01:44 92,064 ----a-w C:\Documents and Settings\Owner\mqdmmdm.sys
2007-05-23 01:44 9,232 ----a-w C:\Documents and Settings\Owner\mqdmmdfl.sys
2007-05-23 01:44 79,328 ----a-w C:\Documents and Settings\Owner\mqdmserd.sys
2007-05-23 01:44 66,656 ----a-w C:\Documents and Settings\Owner\mqdmbus.sys
2007-05-23 01:44 6,208 ----a-w C:\Documents and Settings\Owner\mqdmcmnt.sys
2007-05-23 01:44 5,936 ----a-w C:\Documents and Settings\Owner\mqdmwhnt.sys
2007-05-23 01:44 4,048 ----a-w C:\Documents and Settings\Owner\mqdmcr.sys
2007-02-19 01:09 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2007-02-19 01:09 161,336 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2006-05-05 07:42 1 ----a-w C:\Documents and Settings\Owner\SI.bin
2004-09-01 17:51 220 --sha-w C:\WINDOWS\dwin.sys
2005-01-08 02:20 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 143412]
SnagIt 8.lnk - C:\OLD_D\Program Files\Snagit\SnagIt32.exe [2007-05-01 12:11:48 6469192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= "C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL" [2006-11-07 12:58 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
2007-08-01 09:28 176128 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.UYVY"= C:\WINDOWS\system32\msyuv.dll
"VIDC.YUY2"= ATIVYUY.DLL
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"VIDC.YU12"= ATIYUV12.DLL
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bandook
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Comm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-04-27 18:18 135168 C:\OLD_D\Program Files\aim5_9\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a------ 2004-11-04 19:13 69707 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
--a------ 2004-01-09 05:34 32768 c:\Program Files\HP\Digital Imaging\bin\BackupNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
--a------ 2002-03-19 17:30 45632 C:\WINDOWS\system32\TaskSwitch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1763840 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5748080 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-05-29 21:34 5492736 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 13:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-21 04:49 487424 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2003-11-03 20:50 221184 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-12-18 03:31 118784 C:\WINDOWS\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSI Loader]
--a------ 2001-02-20 13:00 102400 C:\Program Files\Common Files\Smith Micro Shared\Fax\SMLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 202128 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
--a------ 2004-02-27 10:05 135168 C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SuperAdBlocker]
--a------ 2007-08-01 09:28 1638400 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-20 02:48 263456 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Quick-Drop]
--a------ 2005-04-28 17:59 102400 C:\OLD_D\Program Files\ulead_movie_factory\Ulead Quick-Drop 1.0\Quick-Drop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 12:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USIUDF_Eject_Monitor]
--a------ 2004-12-23 17:27 81920 C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
--------- 2003-07-14 10:52 110592 C:\WINDOWS\ltmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-08-17 19:39 90112 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2004-01-15 21:33 49152 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SpyHunter"=C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\OLD_D\\Program Files\\aim5_9\\aim.exe"=
"C:\\Program Files\\TVersity\\Media Server\\TVersity.exe"=
"C:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\OLD_D\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\OLD_D\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\WINDOWS\\system32\\wpx121.cpx"=
"C:\\WINDOWS\\system32\\ctfmon.exe"=
"C:\\WINDOWS\\LTMSG.exe"=
"C:\\Program Files\\Common Files\\Smith Micro Shared\\FAX\\SMLoader.exe"=

R1 SABDIFSV;SABDIFSV;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS [2005-09-21 11:17]
R1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [2007-02-20 16:02]
R3 dac970nt;dac970nt;C:\WINDOWS\system32\drivers\nmmppi.sys []
S3 ATICDSDr;ATICDSDr;C:\Program Files\ATI Technologies\ATI Control Panel\atiicdxx.sys [2002-11-06 14:48]
S3 CPQDAP01;Compaq PA-1 Personal Audio Player USB Driver;C:\WINDOWS\system32\Drivers\CPQDAP01.sys [2001-08-17 14:24]
S3 EraserUtilDrv10621;EraserUtilDrv10621;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys []
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 10:27]
.
Contents of the 'Scheduled Tasks' folder

2008-08-06 C:\WINDOWS\Tasks\User_Feed_Synchronization-{430F3B19-E51E-44B8-A369-7E9E7D1714CA}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 14:58]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - (no file)
MSConfigStartUp-wcmdmgr - C:\WINDOWS\wt\updater\wcmdmgrl.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e71w2wwp.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.yahoo.com


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 15:43:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Documents and Settings\Owner\Application Data\Aim\hefnzddv\bartcache\1\63D19D6113FC30E3C679588ACF39A03F 2074 bytes
C:\Documents and Settings\Owner\Application Data\Aim\hefnzddv\bartcache\1\6505FF768A86233FDDA34F21019EA5D6 3889 bytes
C:\Documents and Settings\Owner\Application Data\Aim\hefnzddv\bartcache\1\8A25D116C0A00F8E03BC97CBA255DA03 1999 bytes
C:\Documents and Settings\Owner\Application Data\Aim\hefnzddv\bartcache\1\052507D5112E57966239093F7E0E5C30
C:\Documents and Settings\Owner\Application Data\Aim\hefnzddv\bartcache\1\2B000019CC
C:\Documents and Settings\Owner\Application Data\Aim\hefnzddv\bartcache\1\2B000019F7
C:\Documents and Settings\Owner\Application Data\Aim\hefnzddv\bartcache\1\2B00001AC7
C:\Documents and Settings\Owner\Application Data\Aim\hefnzddv\bartcache\1\2B00001F1D
C:\Documents and Settings\Owner\Application Data\Aim\hefnzddv\bartcache\1\2B00001F33
C:\Documents and Settings\Owner\Application Data\Aim\hefnzddv\bartcache\1\2B000020ED
C:\Documents and Settings\Owner\Application Data\Aim\hefnzddv\bartcache\1\2B0000250D
C:\Documents and Settings\Owner\Application Data\Aim\hefnzddv\bartcache\1\2B000028B5 1686 bytes
C:\Documents and Settings\Owner\Application Data\Aim\hefnzddv\bartcache\1\2B00002F8A
C:\Documents and Settings\Owner\Application Data\Aim\hefnzddv\bartcache\1\B67A3BC514D8B1F025A46743667DA943 5696 bytes
C:\Documents and Settings\Owner\Application Data\Aim\hefnzddv\bartcache\1\B6B19C3BBF550D78B0E46BD228EAAE0E
C:\Documents and Settings\Owner\Application Data\Aim\hefnzddv\bartcache\1\3328A322FB95FAD38A8D30B8A0778CC7
C:\Documents and Settings\Owner\Application Data\Aim\hefnzddv\bartcache\1\C0F569D5902B1BC57E125558FD402CC8

scan completed successfully
hidden files: 17

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\hp\KBD\kbd.exe
C:\Program Files\Microsoft Office\Office\1033\MSOFFICE.EXE
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-08-06 15:52:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-06 19:52:23
ComboFix2.txt 2008-01-06 20:13:44
ComboFix3.txt 2007-10-23 16:32:31
ComboFix4.txt 2007-10-21 21:24:33
ComboFix5.txt 2008-08-06 19:26:28

Pre-Run: 13,220,077,568 bytes free
Post-Run: 13,202,362,368 bytes free

289 --- E O F --- 2008-07-11 07:36:52



________________________________________________________________________________
New hijack this log
________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:38 PM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.135.158.106:80:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\mq30whq9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://c%3A%5COLD_D%5CProgram%20Files%5Cntscape7%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\mq30whq9.slt\prefs.js)
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\OLD_D\Program Files\Snagit\SnagItBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\OLD_D\PROGRA~1\dap\dapiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\OLD_D\Program Files\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\OLD_D\Program Files\Snagit\SnagItIEAddin.dll
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SMSI Loader] C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe /PRNDRV
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\OLD_D\Program Files\aim5_9\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SnagIt 8.lnk = C:\OLD_D\Program Files\Snagit\SnagIt32.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download with &DAP - C:\OLD_D\PROGRA~1\dap\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O15 - Trusted Zone: http://www.burtmanindustries.com
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7104 bytes

#4 -David-

Posted 06 August 2008 - 03:02 PM

Good work, let's continue.. :thumbsup:

I see you are running TeaTimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Click start > run and type: notepad, then hit enter.
Copy and paste in the following text into the window.

File::
C:\WINDOWS\system32\drivers\nmmppi.sys
C:\rddawm.pif
C:\WINDOWS\system32\wpx121.cpx

Driver::
dac970nt

Regedit::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\wpx121.cpx"=-

Click File > Save and call it "CFScript.txt" (without quotes).
Save it to your desktop.
Posted Image
Referring to the picture above, drag CFScript.txt onto ComboFix.exe
Combofix will run, and a text file will open. Please post it back here.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs:

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Reboot once more and post a new Hijackthis log..
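
The entries David lists for HijackThis above are exactly the kind a reviewer picks out of a log by hand. The script below is an added example for this thread, not code from the post or from HijackThis: it parses the "Rn - ..." / "On - ..." entry lines HijackThis writes and flags the indicator types visible in Jason's log (the O7 policy lockout, the O15 Trusted Zone entry, a populated O20 AppInit_DLLs, an O23 service with a missing binary), and it also looks at the HKCU ProxyServer entry, which is not on the fix list but routes all of IE's traffic through whatever host is named, so a value the owner did not set deserves a check. The sample lines are copied from the log in this thread plus one clean O4 line as a control; the rule set is only what this log shows, not a general scanner.

```python
"""Triage checks over HijackThis log lines.

Added example for this thread, not code from the post or from HijackThis.
It parses the "Rn - ..." / "On - ..." entry lines HijackThis writes and
flags the kinds of entries visible in the log above: an HKCU proxy
setting, an O7 policy lockout, an O15 Trusted Zone addition, a populated
O20 AppInit_DLLs value and an O23 service whose binary is missing.
"""
import ipaddress
import re

# Lines copied from the HijackThis log posted in this thread, plus one
# clean O4 line as a control. This is the constructed input for the demo.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.135.158.106:80:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: http://www.burtmanindustries.com
O20 - AppInit_DLLs:
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
PROXY_RE = re.compile(r"Internet Settings,ProxyServer = (?P<value>\S+)$")


def parse_hjt(text):
    """Return (code, body) pairs for every entry line in a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def check_proxy(value):
    """Explain why a ProxyServer value needs review, or None if it is empty.

    Any per-user proxy routes the browser's traffic through that host, so
    a setting the user did not configure is worth a look by itself. A bare
    IP literal, or a port field that is not one integer (host:80:8080),
    is an extra warning sign: hand-configured proxies are normally a
    hostname and a single port.
    """
    if not value:
        return None
    reasons = ["browser traffic routed through a proxy"]
    # Windows accepts "host:port" or "http=host:port;https=host:port".
    for part in value.split(";"):
        endpoint = part.split("=", 1)[-1]
        host, _, port = endpoint.partition(":")
        try:
            ipaddress.ip_address(host)
            reasons.append("proxy host %s is a raw IP address" % host)
        except ValueError:
            pass
        if not port.isdigit():
            reasons.append("malformed port field %r" % port)
    return "; ".join(reasons)


def review(text):
    """Return (code, body, reason) for every entry that deserves a look."""
    findings = []
    for code, body in parse_hjt(text):
        reason = None
        if code == "R1":
            m = PROXY_RE.search(body)
            if m:
                reason = check_proxy(m.group("value"))
        elif code == "O7":
            reason = "policy lockout of regedit or Task Manager"
        elif code == "O15":
            reason = "site added to the IE Trusted Zone; confirm the user did this deliberately"
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body[len("AppInit_DLLs:"):].strip()
            if dlls:
                reason = "AppInit_DLLs injects %s into every process that loads user32.dll" % dlls
        elif code == "O23" and body.endswith("(file missing)"):
            reason = "service points at a binary that no longer exists"
        if reason:
            findings.append((code, body, reason))
    return findings


if __name__ == "__main__":
    for code, body, reason in review(SAMPLE_LOG):
        print("%s  %s\n    -> %s" % (code, body, reason))
```

Run it on a saved log by reading the file into `review()`; the empty O20 line is deliberately not flagged, because an empty AppInit_DLLs value loads nothing even though it is often ticked during cleanup for tidiness.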

#5 Jason B (Topic Starter)

Posted 06 August 2008 - 04:14 PM

Ok, I disabled TeaTimer, and reset it with the bat.

Then pulled the CFScript into ComboFix. It took a long time, and after it rebooted, it took a long time to generate the log. While I was waiting for it to finish the log below, I got this popup like 8 times and kept hitting ok...

[Attached file: reg.jpg]

The log finally came up:

LOG:

ComboFix 08-08-06.01 - Owner 2008-08-06 16:19:59.11 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.593 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\54809\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\54809\CFScript.txt
* Created a new restore point

FILE ::
C:\rddawm.pif
C:\WINDOWS\system32\drivers\nmmppi.sys
C:\WINDOWS\system32\wpx121.cpx
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\rddawm.pif
C:\WINDOWS\system32\wpx121.cpx

.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-06 16:33 . 2008-08-06 16:33 171,519 -r-hs---- C:\soqht.pif
2008-08-06 16:33 . 2002-08-29 08:00 293 --------- C:\autorun.inf
2008-08-06 16:09 . 2008-08-06 16:09 171,519 -r-hs---- C:\fylmks.exe
2008-08-06 12:44 . 2008-08-06 12:44 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 12:44 . 2008-08-06 12:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-06 12:44 . 2008-08-06 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-06 12:44 . 2008-07-30 20:14 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-06 12:44 . 2008-07-30 20:14 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-01 01:05 . 2008-08-01 01:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\dvdcss
2008-08-01 01:03 . 2008-08-01 01:03 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-26 11:39 . 2008-08-01 08:23 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-13 18:09 . 2008-07-13 18:09 244 --ah----- C:\sqmnoopt00.sqm
2008-07-13 18:09 . 2008-07-13 18:09 232 --ah----- C:\sqmdata00.sqm
2008-07-10 00:25 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 17:43 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-06 08:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-08-01 15:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 17:22 --------- d-----w C:\Program Files\7-Zip
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 17:50 --------- d-----w C:\Program Files\RAR Password Cracker
2008-06-06 17:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\ESTsoft
2008-06-06 17:07 --------- d-----w C:\Program Files\ESTsoft
2007-05-23 02:28 24,192 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-05-23 02:28 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
2007-05-23 01:44 92,064 ----a-w C:\Documents and Settings\Owner\mqdmmdm.sys
2007-05-23 01:44 9,232 ----a-w C:\Documents and Settings\Owner\mqdmmdfl.sys
2007-05-23 01:44 79,328 ----a-w C:\Documents and Settings\Owner\mqdmserd.sys
2007-05-23 01:44 66,656 ----a-w C:\Documents and Settings\Owner\mqdmbus.sys
2007-05-23 01:44 6,208 ----a-w C:\Documents and Settings\Owner\mqdmcmnt.sys
2007-05-23 01:44 5,936 ----a-w C:\Documents and Settings\Owner\mqdmwhnt.sys
2007-05-23 01:44 4,048 ----a-w C:\Documents and Settings\Owner\mqdmcr.sys
2007-02-19 01:09 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2007-02-19 01:09 161,336 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2006-05-05 07:42 1 ----a-w C:\Documents and Settings\Owner\SI.bin
2004-09-01 17:51 220 --sha-w C:\WINDOWS\dwin.sys
2005-01-08 02:20 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 143412]
SnagIt 8.lnk - C:\OLD_D\Program Files\Snagit\SnagIt32.exe [2007-05-01 12:11:48 6469192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= "C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL" [2006-11-07 12:58 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
2007-08-01 09:28 176128 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.UYVY"= C:\WINDOWS\system32\msyuv.dll
"VIDC.YUY2"= ATIVYUY.DLL
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"VIDC.YU12"= ATIYUV12.DLL
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bandook
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Comm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-04-27 18:18 135168 C:\OLD_D\Program Files\aim5_9\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a------ 2004-11-04 19:13 69707 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
--a------ 2004-01-09 05:34 32768 c:\Program Files\HP\Digital Imaging\bin\BackupNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
--a------ 2002-03-19 17:30 45632 C:\WINDOWS\system32\TaskSwitch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1763840 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5748080 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-05-29 21:34 5492736 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 13:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-21 04:49 487424 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2003-11-03 20:50 221184 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-12-18 03:31 118784 C:\WINDOWS\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSI Loader]
--a------ 2001-02-20 13:00 102400 C:\Program Files\Common Files\Smith Micro Shared\Fax\SMLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 202128 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
--a------ 2004-02-27 10:05 135168 C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SuperAdBlocker]
--a------ 2007-08-01 09:28 1638400 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-20 02:48 263456 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Quick-Drop]
--a------ 2005-04-28 17:59 102400 C:\OLD_D\Program Files\ulead_movie_factory\Ulead Quick-Drop 1.0\Quick-Drop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 12:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USIUDF_Eject_Monitor]
--a------ 2004-12-23 17:27 81920 C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
--------- 2003-07-14 10:52 110592 C:\WINDOWS\ltmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-08-17 19:39 90112 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2004-01-15 21:33 49152 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SpyHunter"=C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\OLD_D\\Program Files\\aim5_9\\aim.exe"=
"C:\\Program Files\\TVersity\\Media Server\\TVersity.exe"=
"C:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\OLD_D\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\OLD_D\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\WINDOWS\\system32\\ctfmon.exe"=
"C:\\WINDOWS\\LTMSG.exe"=
"C:\\Program Files\\Common Files\\Smith Micro Shared\\FAX\\SMLoader.exe"=
"C:\\WINDOWS\\system32\\CF9602.exe"=

R1 SABDIFSV;SABDIFSV;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS [2005-09-21 11:17]
R1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [2007-02-20 16:02]
R3 dac970nt;dac970nt;C:\WINDOWS\system32\drivers\nmmppi.sys []
S3 ATICDSDr;ATICDSDr;C:\Program Files\ATI Technologies\ATI Control Panel\atiicdxx.sys [2002-11-06 14:48]
S3 CPQDAP01;Compaq PA-1 Personal Audio Player USB Driver;C:\WINDOWS\system32\Drivers\CPQDAP01.sys [2001-08-17 14:24]
S3 EraserUtilDrv10621;EraserUtilDrv10621;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys []
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 10:27]
.
Contents of the 'Scheduled Tasks' folder

2008-08-06 C:\WINDOWS\Tasks\User_Feed_Synchronization-{430F3B19-E51E-44B8-A369-7E9E7D1714CA}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 14:58]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 16:33:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\hp\KBD\kbd.exe
C:\Program Files\Microsoft Office\Office\1033\MSOFFICE.EXE
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\OLD_D\Program Files\Snagit\TscHelp.exe
C:\OLD_D\Program Files\Snagit\SnagPriv.exe
.
**************************************************************************
.
Completion time: 2008-08-06 16:49:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-06 20:48:56
ComboFix2.txt 2008-08-06 19:52:29
ComboFix3.txt 2008-01-06 20:13:44
ComboFix4.txt 2007-10-23 16:32:31
ComboFix5.txt 2008-08-06 20:18:39

Pre-Run: 15,469,289,472 bytes free
Post-Run: 15,182,921,728 bytes free

257 --- E O F --- 2008-07-11 07:36:52


Now, I ran HijackThis, and had to put 5 checks next to the items you listed again. Did that, then rebooted, and here is the latest HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:09 PM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\OLD_D\Program Files\Snagit\SnagIt32.exe
C:\OLD_D\Program Files\Snagit\TSCHelp.exe
C:\OLD_D\Program Files\Snagit\SnagPriv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.135.158.106:80:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\mq30whq9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://c%3A%5COLD_D%5CProgram%20Files%5Cntscape7%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\mq30whq9.slt\prefs.js)
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\OLD_D\Program Files\Snagit\SnagItBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\OLD_D\PROGRA~1\dap\dapiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\OLD_D\Program Files\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\OLD_D\Program Files\Snagit\SnagItIEAddin.dll
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SMSI Loader] C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe /PRNDRV
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\OLD_D\Program Files\aim5_9\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SnagIt 8.lnk = C:\OLD_D\Program Files\Snagit\SnagIt32.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download with &DAP - C:\OLD_D\PROGRA~1\dap\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O15 - Trusted Zone: http://www.burtmanindustries.com
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6829 bytes

_____________________

The computer is still running very slow, like right after it got infected earlier today... Hoping you still have suggestions? Thanks for all the fast replies.

UPDATE: also, I still can type regedit, or press ctrl/alt/delete without getting the error about administrator not allowing.

Edited by Jason B, 06 August 2008 - 04:48 PM.
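
The "Reg Loading Points" section of the ComboFix log above shows the Security Center notification and override flags set to 1, DisableMonitoring set under both the Symantec AntiVirus and Symantec Firewall keys, EnableFirewall=0 for the standard profile, and DisableTaskMgr / DisableRegistryTools set for the current user. The script below is an added example for this thread, not code from the post or from ComboFix: it parses that REGEDIT4-style layout (a [key] line followed by "name"=value lines, numbers written as dword:00000001 or as 1 (0x1)) and reports every value matching a small tamper rule list built only from what this log shows. The sample blocks are copied from the log in this thread plus a clean drivers32 block as a control; the rule list is not a complete Security Center audit.

```python
"""Spot Security Center / firewall tampering in a ComboFix registry dump.

Added example for this thread, not code from the post or from ComboFix.
ComboFix prints its "Reg Loading Points" section in a REGEDIT4-like
layout: a [key] line followed by "name"=value lines, with numbers shown
either as dword:00000001 or as '1 (0x1)'. This parses that layout and
checks the values the log above shows set: Security Center notification
and override flags, DisableMonitoring, EnableFirewall=0 and the
DisableTaskMgr / DisableRegistryTools policies. The rule list covers
only what this thread's log shows; it is not a complete audit.
"""
import re

# Blocks copied from the ComboFix log posted in this thread, plus a clean
# drivers32 block as a control. Constructed input for the demo.
SAMPLE_DUMP = r"""
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
NUMBER_RE = re.compile(
    r"^(?:dword:(?P<hexv>[0-9a-fA-F]{8})|(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\))$"
)


def normalise_value(value):
    """Turn dword:00000001 or '1 (0x1)' into an int; keep anything else as text."""
    m = NUMBER_RE.match(value.strip())
    if not m:
        return value.strip()
    return int(m.group("hexv"), 16) if m.group("hexv") else int(m.group("dec"))


def parse_dump(text):
    """Return {lower-cased key: {value name: value}} for the dump."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key").lower()
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name")] = normalise_value(vm.group("value"))
    return keys


# (lower-cased key fragment, value-name test, value that means trouble, meaning)
TAMPER_RULES = [
    ("security center", lambda n: n.endswith("DisableNotify"), 1,
     "Security Center warning suppressed"),
    ("security center", lambda n: n.endswith("Override"), 1,
     "Security Center told another product covers this, so it stays quiet"),
    ("security center\\monitoring", lambda n: n == "DisableMonitoring", 1,
     "Security Center monitoring switched off"),
    ("firewallpolicy\\standardprofile", lambda n: n == "EnableFirewall", 0,
     "Windows Firewall disabled for the standard profile"),
    ("policies\\system", lambda n: n in ("DisableTaskMgr", "DisableRegistryTools"), 1,
     "Task Manager / registry editor blocked by policy"),
]


def find_tampering(keys):
    """Return (key, name, meaning) for every value that matches a rule."""
    hits = []
    for key, values in keys.items():
        for name, value in values.items():
            for fragment, name_test, bad_value, meaning in TAMPER_RULES:
                if fragment in key and name_test(name) and value == bad_value:
                    hits.append((key, name, meaning))
                    break
    return hits


if __name__ == "__main__":
    for key, name, meaning in find_tampering(parse_dump(SAMPLE_DUMP)):
        print("[%s] %s: %s" % (key, name, meaning))
```

Feed the whole ComboFix log to `parse_dump()`; lines that are neither a [key] nor a "name"=value pair (the banner, file listings, driver lines) are ignored, and ComboFix's abbreviated `HKLM\~\...` key form is matched by substring so it needs no special handling.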


#6 -David-

Posted 06 August 2008 - 05:54 PM

Ok good work, we need to run a couple more scans before we continue..

Download GMER from: http://www.gmer.net/
Right Click the Zip and Select "Extract All"
Double Click gmer.exe to launch the program.
Click on the Rootkit Tab and then click Scan.
It takes a while to run, once complete, copy the results to notepad and save them somewhere safe.
Post those results in the next reply.

Please download Malwarebytes Anti-Malware and save it to your desktop.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation finishes, leave both 'Update' and 'Launch' checked. Click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here.

On the Scanner tab, ensure the "Perform Quick Scan" option is selected, then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
When the scan finishes, a box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

#7 Jason B (Topic Starter)

Posted 06 August 2008 - 07:04 PM

GMER:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-06 19:43:26
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT 86D30200 ZwConnectPort

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!_abnormal_termination + C9 804E2725 3 Bytes [ 02, D3, 86 ]
? C:\WINDOWS\system32\drivers\nmmppi.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIAddNameToLogonSession + F 757853D6 104 Bytes [ FF, 15, 90, 13, 73, 75, 83, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIAddNameToLogonSession + 78 7578543F 15 Bytes [ 85, C0, 0F, 85, 92, 00, 00, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIAddNameToLogonSession + 88 7578544F 32 Bytes [ 35, D8, 11, 73, 75, 57, 6A, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetLogonGuidInLogonSession + 15 75785470 2 Bytes [ 68, 1C ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetLogonGuidInLogonSession + 18 75785473 322 Bytes [ 78, 75, FF, 75, F8, FF, D6, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetLogonGuidInLogonSession + 15B 757855B6 47 Bytes [ 74, 00, 65, 00, 6D, 00, 5C, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIAuditKdcEvent + B 757855E6 86 Bytes [ 72, 00, 76, 00, 69, 00, 63, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIAuditKdcEvent + 62 7578563D 98 Bytes [ 85, C0, 75, 05, 83, C8, FF, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIAuditKdcEvent + C5 757856A0 26 Bytes [ 75, 10, FF, 75, 14, FF, 75, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIAuditKdcEvent + E0 757856BB 21 Bytes [ 75, 18, FF, 75, 20, 56, FF, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIAuditKdcEvent + F6 757856D1 40 Bytes [ 15, 78, 11, 73, 75, 85, C0, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIAuditSamEvent + 43 75785E30 115 Bytes [ 7D, 08, 74, 2E, 50, FF, 15, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIAuditSamEvent + B8 75785EA5 37 Bytes [ 0F, B7, 4B, 0E, 01, 4D, 08, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIAuditSamEvent + DE 75785ECB 23 Bytes [ 72, 1C, 8B, D1, C1, E9, 02, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIAuditSamEvent + F6 75785EE3 167 Bytes [ 55, E4, 03, C1, C6, 00, 00, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIAuditSamEvent + 19E 75785F8B 58 Bytes [ D2, 89, 4D, 08, 74, 47, 33, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIAuditPasswordAccessEvent + 21 7578644D 311 Bytes [ 5F, 8B, C6, 5E, 5B, C9, C2, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSAPR_TRUSTED_DOMAIN_INFO + 2 75786585 38 Bytes [ FF, 89, 45, FC, A1, 58, F1, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSAPR_TRUSTED_ENUM_BUFFER + 2 757865AC 45 Bytes [ 15, C8, 12, 73, 75, 68, 02, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSAPR_TRUSTED_ENUM_BUFFER_EX + 17 757865DB 3 Bytes [ 8B, FF, 55 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSAI_SECRET_ENUM_BUFFER + 1 757865DF 46 Bytes [ EC, 81, EC, 40, 02, 00, 00, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSAI_SECRET_ENUM_BUFFER + 30 7578660E 6 Bytes [ 89, 85, C4, FD, FF, FF ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSAI_PRIVATE_DATA + 1 75786615 13 Bytes [ 45, 24, 33, FF, 3B, C7, 89, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSAI_PRIVATE_DATA + F 75786623 82 Bytes [ FF, 09, 00, 00, 00, 74, 0D, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSAPR_PRIVILEGE_ENUM_BUFFER + 26 75786676 97 Bytes [ 0F, 84, 8D, 04, 00, 00, A1, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSAPR_PRIVILEGE_ENUM_BUFFER + 88 757866D8 100 Bytes [ FF, 89, BD, DC, FD, FF, FF, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSAPR_PRIVILEGE_ENUM_BUFFER + ED 7578673D 24 Bytes [ FD, FF, FF, 85, C9, 74, 3C, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSAPR_PRIVILEGE_ENUM_BUFFER + 106 75786756 24 Bytes [ FF, 8B, 85, C8, FD, FF, FF, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSAPR_PRIVILEGE_ENUM_BUFFER + 11F 7578676F 29 Bytes [ FF, 8D, 04, 80, 89, 8C, 85, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetTimesSecret + 4A 7578CCDF 49 Bytes [ 89, 4B, 0C, C7, 43, 04, 08, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetTimesSecret + 7C 7578CD11 138 Bytes [ 8B, 46, 0C, 89, 43, 08, C7, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetTimesSecret + 107 7578CD9C 121 Bytes [ 80, 83, 7D, C8, 00, 7C, 2D, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetTimesSecret + 181 7578CE16 7 Bytes [ FF, 55, 8B, EC, 53, 57, BF ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetTimesSecret + 189 7578CE1E 58 Bytes [ FB, 7C, 75, 57, FF, 15, 94, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarCreateSecret + 2 7578D09A 48 Bytes [ 83, E0, 0F, 23, D3, 0B, C2, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarCreateSecret + 33 7578D0CB 99 Bytes [ 00, C0, EB, 2F, 8B, 45, 10, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarCreateSecret + 97 7578D12F 44 Bytes [ 00, 00, 53, 56, 8B, 75, 08, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarCreateSecret + C4 7578D15C 88 Bytes [ 17, 73, 75, 8B, 75, 0C, 8B, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarCreateSecret + 11D 7578D1B5 21 Bytes [ 5E, 5B, 8B, 45, FC, C9, C2, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIEnumerateSecrets + 19 7578D378 21 Bytes [ 55, 8B, EC, 68, 9C, ED, 76, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIEnumerateSecrets + 30 7578D38F 37 Bytes [ 33, C0, 5D, C2, 08, 00, 90, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIEnumerateSecrets + 56 7578D3B5 20 Bytes [ 5D, 0C, 56, 57, 89, 85, F0, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIEnumerateSecrets + 6B 7578D3CA 44 Bytes [ 8D, BD, E2, F7, FF, FF, AB, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIEnumerateSecrets + 98 7578D3F7 1 Byte [ 85 ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIChangeSecretCipherKey + 4A 7578D654 61 Bytes [ 30, 00, 38, 00, 6C, 00, 78, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIChangeSecretCipherKey + 88 7578D692 1 Byte [ 78 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIChangeSecretCipherKey + 8A 7578D694 89 Bytes [ 25, 00, 30, 00, 32, 00, 78, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIChangeSecretCipherKey + E4 7578D6EE 30 Bytes [ 75, 07, B8, 17, 00, 00, C0, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIChangeSecretCipherKey + 103 7578D70D 9 Bytes [ C2, 0C, 00, 90, 90, 90, 90, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIKerberosRegisterTrustNotification + 4C 7578DBC0 122 Bytes [ 90, 90, 90, 90, 8B, 45, EC, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIKerberosRegisterTrustNotification + C7 7578DC3B 26 Bytes CALL 757853C7 C:\WINDOWS\system32\LSASRV.dll (LSA Server DLL/Microsoft Corporation)
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIKerberosRegisterTrustNotification + E2 7578DC56 27 Bytes [ FF, FF, FF, 75, D4, FF, 35, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIKerberosRegisterTrustNotification + FE 7578DC72 184 Bytes [ 90, 90, 90, 90, 90, 90, FF, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIKerberosRegisterTrustNotification + 1B7 7578DD2B 114 Bytes [ A4, 15, 73, 75, 6A, 01, FF, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIDsNotifiedObjectChange + C 7578ED8F 32 Bytes [ 8D, 85, DC, FD, FF, FF, 50, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIDsNotifiedObjectChange + 2D 7578EDB0 1 Byte [ 85 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIDsNotifiedObjectChange + 2F 7578EDB2 36 Bytes [ 89, 85, F0, FD, FF, FF, 0F, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIDsNotifiedObjectChange + 54 7578EDD7 24 Bytes CALL 757AE4B9 C:\WINDOWS\system32\LSASRV.dll (LSA Server DLL/Microsoft Corporation)
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIDsNotifiedObjectChange + 6D 7578EDF0 117 Bytes [ B5, F4, FD, FF, FF, 8D, 44, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarOpenTrustedDomainByName + 16 7578FEAB 34 Bytes [ 00, 00, 00, C7, 40, 18, 01, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarOpenTrustedDomainByName + 39 7578FECE 51 Bytes [ 03, FF, 35, A4, EF, 7C, 75, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIForestTrustFindMatch + 2 7578FF02 2 Bytes [ A1, 3C ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIForestTrustFindMatch + 5 7578FF05 14 Bytes [ 7C, 75, 85, C0, 74, 13, 6A, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIForestTrustFindMatch + 14 7578FF14 16 Bytes [ 10, FF, 75, 0C, 50, E8, 70, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIForestTrustFindMatch + 25 7578FF25 30 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSA_FOREST_TRUST_INFORMATION + 15 7578FF44 116 Bytes [ 00, AB, 75, 13, 8B, 45, 08, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSA_FOREST_TRUST_COLLISION_INFORMATION + 62 7578FFB9 102 Bytes [ 75, D0, C6, 45, D4, 00, 89, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSA_FOREST_TRUST_COLLISION_INFORMATION + C9 75790020 2 Bytes [ 1E, 40 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSA_FOREST_TRUST_COLLISION_INFORMATION + CD 75790024 75 Bytes [ 8B, F8, 85, FF, 89, 7D, EC, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarOpenTrustedDomain + 3F 75790070 25 Bytes CALL 126156C5
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarOpenTrustedDomain + 59 7579008A 4 Bytes [ FF, 75, 18, 89 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarOpenTrustedDomain + 5E 7579008F 1 Byte [ B8 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarOpenTrustedDomain + 60 75790091 33 Bytes CALL 0335461F
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarOpenTrustedDomain + 82 757900B3 108 Bytes CALL 218F0008
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFilterSids + 1B 75790181 63 Bytes [ 0F, B7, C7, 53, 99, 5F, F7, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFilterSids + 5C 757901C2 2 Bytes [ 5D, 03 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFilterSids + 61 757901C7 2 Bytes [ 41, 04 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFilterSids + 65 757901CB 37 Bytes [ 0F, 84, 49, 03, 00, 00, 8B, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFilterSids + 8B 757901F1 82 Bytes [ 31, 66, 3B, FE, 0F, 82, 28, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarQueryInfoTrustedDomain + 33 757903CF 77 Bytes [ 79, 24, 00, 0F, 84, 42, 01, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarQueryInfoTrustedDomain + 81 7579041D 23 Bytes [ 01, 00, 00, 8D, 41, 08, 85, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarQueryInfoTrustedDomain + 99 75790435 16 Bytes [ 00, 00, 0F, B7, C6, 6A, 02, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarQueryInfoTrustedDomain + AA 75790446 49 Bytes [ 00, 00, 0F, B7, C7, 53, 99, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarQueryInfoTrustedDomain + DC 75790478 260 Bytes [ C0, 0F, 85, A4, 00, 00, 00, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarQueryTrustedDomainInfoByName + 1D 75791D5A 39 Bytes [ FF, C7, 85, 08, FE, FF, FF, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarQueryTrustedDomainInfoByName + 45 75791D82 24 Bytes [ 00, 89, 95, 18, FE, FF, FF, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarQueryTrustedDomainInfoByName + 5E 75791D9B 20 Bytes [ 88, 9D, 31, FE, FF, FF, 89, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarQueryTrustedDomainInfoByName + 74 75791DB1 33 Bytes [ C6, 85, 15, FE, FF, FF, 01, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarQueryTrustedDomainInfoByName + 96 75791DD3 35 Bytes [ FF, 88, 9D, 32, FE, FF, FF, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarSetInformationTrustedDomain + 1 75792824 47 Bytes [ 40, 30, 83, F8, 02, 74, 05, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarSetInformationTrustedDomain + 31 75792854 126 Bytes [ C7, 40, 18, 01, 00, 00, 00, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarSetInformationTrustedDomain + B0 757928D3 86 Bytes [ 89, 30, EB, 19, C7, 45, FC, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarSetInformationTrustedDomain + 107 7579292A 253 Bytes [ 6A, 02, 6A, 02, 50, E8, D3, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarSetInformationTrustedDomain + 205 75792A28 26 Bytes [ FF, 55, 8B, EC, A1, 64, E3, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarSetTrustedDomainInfoByName + 40 75793A6B 23 Bytes CALL 01793A6D
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarSetTrustedDomainInfoByName + 58 75793A83 21 Bytes [ 00, C7, 85, F0, FD, FF, FF, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarSetTrustedDomainInfoByName + 6E 75793A99 18 Bytes [ 00, 00, 89, 4D, EC, E9, 13, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarSetTrustedDomainInfoByName + 81 75793AAC 4 Bytes [ 00, 8B, 55, 10 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarSetTrustedDomainInfoByName + 87 75793AB2 129 Bytes [ F8, 6A, 08, 59, 8B, F2, 8D, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarEnumerateTrustedDomains + F 75793DA3 74 Bytes [ 8B, 55, D0, 89, 8D, E8, FD, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarEnumerateTrustedDomains + 5A 75793DEE 66 Bytes [ E5, FD, FF, FF, C7, 85, F0, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarEnumerateTrustedDomains + 9D 75793E31 4 Bytes [ 8B, 88, A0, 02 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarEnumerateTrustedDomains + A2 75793E36 51 Bytes [ 00, 89, 4B, 10, 8B, 80, A4, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarEnumerateTrustedDomains + D6 75793E6A 21 Bytes [ 8D, 85, A8, FD, FF, FF, 50, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarEnumerateTrustedDomainsEx + 20 75794121 34 Bytes [ E4, 50, 8B, 45, F8, 83, C0, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarEnumerateTrustedDomainsEx + 43 75794144 4 Bytes [ 8B, 75, 10, 33 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarEnumerateTrustedDomainsEx + 48 75794149 38 Bytes [ 8D, 4E, 30, 89, 4D, 0C, 8B, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarEnumerateTrustedDomainsEx + 6F 75794170 14 Bytes [ 45, F8, 8D, 48, 2C, 83, C0, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarEnumerateTrustedDomainsEx + 7E 7579417F 39 Bytes [ 45, F0, F7, D8, 1B, C0, 23, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFreeForestTrustInfo + F 75794454 2 Bytes [ C6, 56 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFreeForestTrustInfo + 13 75794458 23 Bytes CALL 75735883 C:\WINDOWS\system32\LSASRV.dll (LSA Server DLL/Microsoft Corporation)
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFreeForestTrustInfo + 2B 75794470 143 Bytes [ 45, FC, 3B, C3, 76, 1E, 8D, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFreeForestTrustInfo + BC 75794501 177 Bytes [ 8D, 85, A8, FD, FF, FF, 50, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFreeForestTrustInfo + 16E 757945B3 1 Byte [ 08 ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQueryForestTrustInfo + 53 75794A5D 95 Bytes [ 46, 02, 66, 8B, 0E, 66, 3B, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQueryForestTrustInfo + B3 75794ABD 3 Bytes [ FF, 75, 14 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQueryForestTrustInfo + B7 75794AC1 6 Bytes [ 75, 10, E8, 09, C6, FF ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQueryForestTrustInfo + BE 75794AC8 1 Byte [ 8B ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQueryForestTrustInfo + C0 75794ACA 62 Bytes [ 3B, FB, 0F, 8C, F8, 00, 00, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSAP_SUBNET_INFO + 4 75794E05 145 Bytes [ 7D, 0C, F6, 47, 03, 80, 75, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetClientDnsHostName + B 75794E98 49 Bytes [ 3B, C6, 8B, 0F, 89, 4D, D8, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetClientDnsHostName + 3D 75794ECA 127 Bytes [ 8D, 45, EC, 50, 6A, 05, 8D, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetClientDnsHostName + BD 75794F4A 3 Bytes [ 77, 48, 50 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetClientDnsHostName + C1 75794F4E 45 Bytes [ 15, D0, 15, 73, 75, 84, C0, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetClientDnsHostName + EF 75794F7C 92 Bytes [ 47, 04, 89, 38, 89, 7D, D4, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSAP_SITE_INFO 75795465 39 Bytes [ 90, 90, 8B, FF, 55, 8B, EC, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIFree_LSAP_SITE_INFO + 28 7579548D 50 Bytes [ 89, 02, 8B, 43, 0C, 89, 42, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaINotifyNetlogonParametersChangeW + 1D 757954C0 20 Bytes [ 74, 0E, 8D, 73, 38, 8D, 7A, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetSiteName + 10 757954D5 21 Bytes [ 14, 89, 42, 20, 83, 63, 48, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetSiteName + 26 757954EB 216 Bytes [ 43, 04, 89, 33, 89, 18, 8B, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetSiteName + FF 757955C4 227 Bytes [ 75, 18, 8D, 47, 08, 50, FF, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetSiteName + 1E3 757956A8 46 Bytes [ 3B, 3B, FB, 74, 1E, 56, 8B, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetSiteName + 212 757956D7 101 Bytes [ FF, 55, 8B, EC, 81, EC, 70, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQuerySiteInfo + 2 7579573D 15 Bytes [ 89, 45, AC, 8D, 45, F0, 89, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQuerySiteInfo + 12 7579574D 55 Bytes [ 85, BC, FE, FF, FF, A1, BC, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQuerySiteInfo + 4A 75795785 126 Bytes [ 03, 00, C7, 45, F0, 03, 00, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQuerySiteInfo + C9 75795804 27 Bytes [ 24, FF, FF, FF, 8B, 40, 04, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQuerySiteInfo + E5 75795820 1 Byte [ 64 ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQuerySubnetInfo + BA 75795997 50 Bytes [ 83, 3D, BC, EB, 7C, 75, 00, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQuerySubnetInfo + EE 757959CB 19 Bytes [ 80, 8D, 45, F8, 50, 8B, 45, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQuerySubnetInfo + 102 757959DF 37 Bytes [ 8B, F0, 3B, F7, 74, 06, 85, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQuerySubnetInfo + 128 75795A05 14 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQuerySubnetInfo + 137 75795A14 16 Bytes [ DB, 56, 8B, 75, 0C, 89, 1E, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQueryUpnSuffixes + 74 75795BF5 29 Bytes CALL 7579CB07 C:\WINDOWS\system32\LSASRV.dll (LSA Server DLL/Microsoft Corporation)
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQueryUpnSuffixes + 92 75795C13 7 Bytes [ FF, 39, B5, F8, FD, FF, FF ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQueryUpnSuffixes + 9B 75795C1C 1 Byte [ 06 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQueryUpnSuffixes + 9F 75795C20 65 Bytes [ 39, B5, E4, FD, FF, FF, 89, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIQueryUpnSuffixes + E1 75795C62 125 Bytes JMP 75795D05 C:\WINDOWS\system32\LSASRV.dll (LSA Server DLL/Microsoft Corporation)
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetBootOption + 51 757964B0 47 Bytes [ 10, 83, 38, 00, 0F, 95, C0, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetBootOption + 81 757964E0 52 Bytes [ FC, 8B, 45, 08, 56, BE, 33, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetBootOption + B6 75796515 43 Bytes [ 0A, B8, DD, 00, 00, C0, E9, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetBootOption + E4 75796543 15 Bytes [ AB, AB, AB, 8D, 85, F8, FD, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetBootOption + F4 75796553 32 Bytes CALL 757AE550 C:\WINDOWS\system32\LSASRV.dll (LSA Server DLL/Microsoft Corporation)
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetBootOption + 2 75796590 43 Bytes [ FF, 50, 8B, 85, F8, FD, FF, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetBootOption + 2E 757965BC 53 Bytes [ 00, 33, C9, 39, 8D, DC, FD, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetBootOption + 65 757965F3 2 Bytes [ 41, 83 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetBootOption + 68 757965F6 5 Bytes [ 0C, 3B, 8D, DC, FD ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetBootOption + 6F 757965FD 47 Bytes [ 72, D1, 8B, 85, F8, FD, FF, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetForestTrustInformation + 9 75797E8D 115 Bytes [ 46, 3C, 83, C0, 0C, 39, 00, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetForestTrustInformation + 7D 75797F01 78 Bytes [ 39, 36, 75, E2, 8B, 45, 08, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetForestTrustInformation + CC 75797F50 7 Bytes [ 55, 8B, EC, 8B, 45, 08, 53 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetForestTrustInformation + D4 75797F58 211 Bytes [ 5D, 0C, 56, 57, 6A, 0B, 59, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetForestTrustInformation + 1A8 7579802C 46 Bytes [ 33, F6, 8B, C6, 5E, 5D, C2, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarQueryForestTrustInformation + 27 75799D2B 70 Bytes [ 83, C0, 16, 3B, 05, 8C, FC, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarQueryForestTrustInformation + 6F 75799D73 10 Bytes CALL C5825DFB
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarQueryForestTrustInformation + 7A 75799D7E 8 Bytes [ 8B, F0, 85, F6, 0F, 84, F8, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarQueryForestTrustInformation + 84 75799D88 12 Bytes [ C7, 06, 48, 65, 61, 70, 83, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarQueryForestTrustInformation + 92 75799D96 22 Bytes [ 00, 83, 66, 08, 00, 8D, 46, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarSetForestTrustInformation + 5A 75799F1D 13 Bytes [ 71, 04, 89, 30, 8B, 45, E4, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarSetForestTrustInformation + 68 75799F2B 182 Bytes [ 08, 89, 08, 89, 58, 04, 89, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarSetForestTrustInformation + 11F 75799FE2 118 Bytes CALL 7579770F C:\WINDOWS\system32\LSASRV.dll (LSA Server DLL/Microsoft Corporation)
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarSetForestTrustInformation + 196 7579A059 13 Bytes [ 15, F8, 10, 7D, 75, 8B, F0, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarSetForestTrustInformation + 1A4 7579A067 118 Bytes [ 00, C7, 06, 48, 65, 61, 70, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIUpdateForestTrustInformation + 2D 7579A7CB 22 Bytes [ 04, 51, 6A, 00, 6A, 04, 52, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIUpdateForestTrustInformation + 44 7579A7E2 9 Bytes [ 45, F8, 0F, 8C, EC, F6, FF, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIUpdateForestTrustInformation + 4E 7579A7EC 29 Bytes [ 14, 8B, 4F, 28, 8B, 00, 8B, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIUpdateForestTrustInformation + 6C 7579A80A 5 Bytes [ 0F, 85, E1, FE, FF ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIUpdateForestTrustInformation + 72 7579A810 25 Bytes [ 8D, 43, 14, 8B, 30, E9, DC, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetPrivateData + 73 7579B17D 61 Bytes [ FF, 8B, 80, B0, 02, 00, 00, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetPrivateData + F 7579B1BC 1 Byte [ B8 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetPrivateData + 11 7579B1BE 3 Bytes [ 5C, C7, FF ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetPrivateData + 15 7579B1C2 15 Bytes [ 39, 5D, CC, 74, 15, 8B, 0D, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetPrivateData + 26 7579B1D3 1 Byte [ CC ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetPrivateData + 28 7579B1D5 3 Bytes [ F7, DF, FF ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarOpenPolicySce + 4A 7579B2C8 2 Bytes [ C9, C2 ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarOpenPolicySce + 4D 7579B2CB 66 Bytes [ 00, 90, 90, 90, 90, 90, 8B, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarOpenPolicySce + 90 7579B30E 22 Bytes [ 45, FC, 8B, 45, 08, 56, 8B, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarOpenPolicySce + A7 7579B325 54 Bytes [ 66, 89, 5D, D0, 59, 33, C0, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsarOpenPolicySce + DE 7579B35C 64 Bytes [ 84, C0, 75, 0A, BF, 0D, 00, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetSerialNumberPolicy + 10 7579B433 54 Bytes [ 8B, 40, 30, EB, 06, 8B, 41, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetSerialNumberPolicy + 48 7579B46B 30 Bytes [ 75, 06, 47, 3B, 7D, C4, 72, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetSerialNumberPolicy + 67 7579B48A 44 Bytes [ EB, 09, 6A, 04, 53, FF, 15, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISetSerialNumberPolicy + 94 7579B4B7 71 Bytes [ CC, 74, 15, 8B, 75, C8, 6A, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetSerialNumberPolicy2 + 30 7579B4FF 15 Bytes [ 4D, CC, FF, 45, C4, 83, 45, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetSerialNumberPolicy2 + 40 7579B50F 222 Bytes [ 45, B8, 8B, 4D, B4, 8B, 45, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetSerialNumberPolicy + C7 7579B5EF 62 Bytes [ 00, 89, 5D, 84, 89, 5D, 88, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetSerialNumberPolicy + 106 7579B62E 8 Bytes [ FF, 8B, F8, 3B, FB, 0F, 8C, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetSerialNumberPolicy + 110 7579B638 11 Bytes [ 00, 8B, 45, C0, 8B, 75, B4, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetSerialNumberPolicy + 11C 7579B644 69 Bytes [ FF, A1, 8C, EF, 7C, 75, 89, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIGetSerialNumberPolicy + 162 7579B68A 28 Bytes [ 89, 85, C4, FD, FF, FF, 6A, ... ]
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIIsClassIdLsaClass + AA 7579C9A4 22 Bytes [ 55, 8B, EC, 81, EC, 90, 00, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIIsClassIdLsaClass + C3 7579C9BD 9 Bytes [ F3, AB, 8D, 45, 0C, 50, FF, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIIsClassIdLsaClass + CD 7579C9C7 44 Bytes CALL 7579C8D2 C:\WINDOWS\system32\LSASRV.dll (LSA Server DLL/Microsoft Corporation)
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIIsClassIdLsaClass + FB 7579C9F5 101 Bytes [ 00, 33, FF, 85, F6, 53, 76, ... ]
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaIIsClassIdLsaClass + 162 7579CA5C 11 Bytes CALL 757AE688 C:\WINDOWS\system32\LSASRV.dll (LSA Server DLL/Microsoft Corporation)
.text ...
.text C:\WINDOWS\system32\lsass.exe[848] LSASRV.dll!LsaISamIndicatedDsStarted + 43 7579CF1A 39 Bytes [ 0C, 53, 56, 57, 8B, 78, 04, ... ]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\prodrv06 \Device\ProDrv06 E43D5828
Device \Driver\prohlp02 \Device\ProHlp02 E1022A90

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\GPI\Settings@CtrlS4_1 6773FGA3RT7DQNT6BUJLLNQKLSBEG5VCFIE6LUO7SHRFS28
Reg HKLM\SOFTWARE\Classes\GPI\Settings@CtrlZ2_1 677KJJI3RT7DKGM0A315PKA9RDOE85V53JSMJ7G3SHGOC08
Reg HKLM\SOFTWARE\Classes\GPI\Settings@CtrlZ_1 9F2L1LQPPKQRUNEVBJEKRM28PHPECS72

---- EOF - GMER 1.0.14 ----

MBAM:

Malwarebytes' Anti-Malware 1.24
Database version: 1030
Windows 5.1.2600 Service Pack 2

7:51:44 PM 8/6/2008
mbam-log-8-6-2008 (19-51-44).txt

Scan type: Quick Scan
Objects scanned: 44301
Time elapsed: 6 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

____________________________________________

Now, I've run this MBAM about 5 times earlier before I posted, and the same thing. It finds things, it says it removes them, but I STILL can't do control/alt/delete, or get into regedit. As of right now, I still can't. It's like a big loop. I've been at this for 7 hours, and am NOT giving up. Also, I've noticed that the only time the PC runs normal is when I disable the LAN connection. After I enable it and browse for about 5 min, then it's super slow again.

Edited by Jason B, 06 August 2008 - 07:07 PM.


#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:01:20 PM

Posted 07 August 2008 - 03:58 AM

Ok, thanks for the logs. :thumbsup:

For the time being I want you to try and stop fixing this yourself - if we're both doing things to fix this we'll run over each other's toes (such as the MBAM scan), and we'll both be wasting our time. Don't worry about the entry that's continually being found in the MBAM log, it's a false positive and will always be detected. As soon as MBAM deletes it, Windows replaces it, so don't worry.

Please open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-

Save this as "fix.reg". Choose to save as "All Files" and place it on your desktop.
It should look like this: Posted Image
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Then, download the following VBS to your desktop: http://www.kellys-korner-xp.com/regs_edits...mcmdrestore.vbs
Close all open windows and double-click on it and let it run. Reboot the PC.

Now please post a new Combofix and we'll get stuck into the fix!!

#9 Jason B

Jason B
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  • Local time:07:20 AM

Posted 07 August 2008 - 10:14 AM

Please open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-

Save this as "fix.reg". Choose to save as "All Files" and place it on your desktop.
It should look like this: Posted Image
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.


Ok, well, when I try the above, I get the error "Registry editing has been disabled by your administrator" pop up. The error stays up for 5 seconds, then goes away by itself. I tried clicking fix.reg again, and same thing.... Hmm..

Edited by Jason B, 07 August 2008 - 10:15 AM.
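Why the merge above fails, and a way to audit and undo these values, as an added example that is not from this thread or its helpers: .reg files are imported by regedit.exe, which honours the DisableRegistryTools policy (the ComboFix log below shows it set alongside DisableTaskMgr). That policy is enforced by regedit.exe itself rather than by the registry API, so a script can still read and remove the value while regedit cannot. The PowerShell below assumes Windows PowerShell 3 or later run in the affected user's session; the check list and function names are the example's own.

```powershell
# Added example, not from this thread or its helpers. Audits the registry
# values that the MBAM and ComboFix logs in this thread show changed, and
# with -Repair removes the two HKCU policy values. DisableRegistryTools is
# honoured by regedit.exe (which also imports .reg files), not by the
# registry API, so this script can read and delete it while regedit cannot.
# Assumes Windows PowerShell 3 or later, run in the affected user's session.
param([switch] $Repair)

# Where each value lives, the value a clean system has ($null = should be
# absent; a present 0 is treated as clean), and what the setting does.
# The Security Center overrides can also be set by hand in Security Center,
# so confirm them before treating a flag as malicious.
$LockdownChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr';         Clean = $null; Why = 'Task Manager blocked' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools';   Clean = $null; Why = 'regedit.exe and .reg merges blocked' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'AntiVirusDisableNotify'; Clean = 0;     Why = 'antivirus warnings silenced' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'FirewallDisableNotify';  Clean = 0;     Why = 'firewall warnings silenced' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'UpdatesDisableNotify';   Clean = 0;     Why = 'update warnings silenced' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'AntiVirusOverride';      Clean = 0;     Why = 'antivirus status check overridden' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'FirewallOverride';       Clean = 0;     Why = 'firewall status check overridden' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
       Name = 'EnableFirewall';         Clean = 1;     Why = 'Windows Firewall turned off' }
)

function Get-LockdownState {
    # Returns one record per check with the live value and a Flagged bit.
    param([hashtable[]] $Checks = $LockdownChecks)

    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path -LiteralPath $c.Path) {
            # SilentlyContinue: a missing value gives $null instead of an error.
            $props = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $props) { $actual = $props.($c.Name) }
        }
        $expected = if ($null -eq $c.Clean) { 0 } else { $c.Clean }
        [pscustomobject]@{
            Name    = $c.Name
            Key     = $c.Path
            Actual  = $actual
            Flagged = ($null -ne $actual) -and ($actual -ne $expected)
            Why     = $c.Why
        }
    }
}

function Remove-UserLockdownPolicies {
    # Deletes the two HKCU policy values; run with -WhatIf to preview.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $present = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $present) { continue }
        if ($PSCmdlet.ShouldProcess("$key\$name", 'Remove registry value')) {
            Remove-ItemProperty -LiteralPath $key -Name $name
        }
    }
}

$report = Get-LockdownState
$report | Format-Table Name, Actual, Flagged, Why -AutoSize

if ($Repair) {
    Remove-UserLockdownPolicies
    # Re-read so a value that is rewritten straight away still shows as Flagged.
    Get-LockdownState | Where-Object { $_.Flagged } | Format-Table Name, Actual, Why -AutoSize
} elseif ($report | Where-Object { $_.Flagged }) {
    Write-Warning 'Lock-down values present; rerun with -Repair to remove the HKCU policy values.'
}
```

Windows does not create these HKCU policy values on its own; one that reappears after removal is being written back by a local policy or by something still running, which is itself a lead worth chasing.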


#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:01:20 PM

Posted 07 August 2008 - 01:31 PM

Ok, please move onto the second step with the VBS script and let me know what happens..

#11 Jason B

Jason B
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  • Local time:07:20 AM

Posted 07 August 2008 - 02:37 PM

Ok, I tried the script, but after I ran it, it wouldn't let me restart. I started to get errors, one was a "netsh" error. I had to manually turn off the computer to reboot it. After I rebooted, I'm getting this error after the desktop loads. After I hit cancel about 10 times, it will go away, and sometimes comes back. I can access my desktop still. See error box below:

Attached file: no_disk_error.jpg (14.99 KB)

I just ran a new ComboFix log and am pasting it below. That's really the only step that it will let me do.
When ComboFix was running near the end, I was getting popups that said "registry editor has been disabled by your administrator" again.

__________________________________________________

ComboFix 08-08-06.01 - Owner 2008-08-07 15:37:27.12 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.645 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\54809\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-08-07 01:43 . 2008-08-07 01:45 150 --a------ C:\WINDOWS\vuepro32.ini
2008-08-07 01:35 . 2008-08-07 01:35 770,144 --a------ C:\WINDOWS\vuepro80.exe
2008-08-07 00:42 . 2008-08-07 00:42 <DIR> d-------- C:\Program Files\PCPitstop
2008-08-06 21:09 . 2008-08-06 21:09 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-06 21:09 . 2008-08-07 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-06 21:09 . 2008-08-06 21:09 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-06 21:09 . 2008-08-06 21:09 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-06 21:09 . 2008-08-06 21:09 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-06 20:59 . 2008-08-06 20:59 <DIR> d-------- C:\Program Files\Panda Security
2008-08-06 20:59 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-06 18:58 . 2008-08-06 19:00 250 --a------ C:\WINDOWS\gmer.ini
2008-08-06 16:33 . 2008-08-06 16:33 171,519 -r-hs---- C:\soqht.pif
2008-08-06 16:09 . 2008-08-06 16:09 171,519 -r-hs---- C:\fylmks.exe
2008-08-06 12:44 . 2008-08-06 12:44 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 12:44 . 2008-08-06 12:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-06 12:44 . 2008-08-06 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-06 12:44 . 2008-07-30 20:14 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-06 12:44 . 2008-07-30 20:14 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-01 01:05 . 2008-08-01 01:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\dvdcss
2008-08-01 01:03 . 2008-08-01 01:03 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-26 11:39 . 2008-08-01 08:23 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-13 18:09 . 2008-07-13 18:09 244 --ah----- C:\sqmnoopt00.sqm
2008-07-13 18:09 . 2008-07-13 18:09 232 --ah----- C:\sqmdata00.sqm
2008-07-10 00:25 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 04:37 --------- d-----w C:\Program Files\Symantec
2008-08-07 04:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-07 04:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-07 03:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-07 03:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-06 08:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-08-01 15:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 17:22 --------- d-----w C:\Program Files\7-Zip
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-05-23 02:28 24,192 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-05-23 02:28 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
2007-05-23 01:44 92,064 ----a-w C:\Documents and Settings\Owner\mqdmmdm.sys
2007-05-23 01:44 9,232 ----a-w C:\Documents and Settings\Owner\mqdmmdfl.sys
2007-05-23 01:44 79,328 ----a-w C:\Documents and Settings\Owner\mqdmserd.sys
2007-05-23 01:44 66,656 ----a-w C:\Documents and Settings\Owner\mqdmbus.sys
2007-05-23 01:44 6,208 ----a-w C:\Documents and Settings\Owner\mqdmcmnt.sys
2007-05-23 01:44 5,936 ----a-w C:\Documents and Settings\Owner\mqdmwhnt.sys
2007-05-23 01:44 4,048 ----a-w C:\Documents and Settings\Owner\mqdmcr.sys
2007-02-19 01:09 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2007-02-19 01:09 161,336 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2006-05-05 07:42 1 ----a-w C:\Documents and Settings\Owner\SI.bin
2004-09-01 17:51 220 --sha-w C:\WINDOWS\dwin.sys
2005-01-08 02:20 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 143412]
SnagIt 8.lnk - C:\OLD_D\Program Files\Snagit\SnagIt32.exe [2007-05-01 12:11:48 6469192]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= "C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL" [2006-11-07 12:58 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
2007-08-01 09:28 176128 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.UYVY"= C:\WINDOWS\system32\msyuv.dll
"VIDC.YUY2"= ATIVYUY.DLL
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"VIDC.YU12"= ATIYUV12.DLL
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bandook
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Comm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-04-27 18:18 135168 C:\OLD_D\Program Files\aim5_9\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a------ 2004-11-04 19:13 147531 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
--a------ 2004-01-09 05:34 106496 c:\Program Files\HP\Digital Imaging\bin\BackupNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
--a------ 2002-03-19 17:30 45632 C:\WINDOWS\system32\TaskSwitch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1763840 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5748080 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-05-29 21:34 5492736 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 13:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-21 04:49 487424 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2003-11-03 20:50 221184 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-12-18 03:31 118784 C:\WINDOWS\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSI Loader]
--a------ 2001-02-20 13:00 102400 C:\Program Files\Common Files\Smith Micro Shared\Fax\SMLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 202128 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
--a------ 2004-02-27 10:05 208896 C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SuperAdBlocker]
--a------ 2007-08-01 09:28 1638400 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-20 02:48 263456 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Quick-Drop]
--a------ 2005-04-28 17:59 184320 C:\OLD_D\Program Files\ulead_movie_factory\Ulead Quick-Drop 1.0\Quick-Drop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 12:01 184320 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USIUDF_Eject_Monitor]
--a------ 2004-12-23 17:27 155648 C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
--------- 2003-07-14 10:52 110592 C:\WINDOWS\ltmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-08-17 19:39 90112 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2004-01-15 21:33 49152 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SpyHunter"=C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\OLD_D\\Program Files\\aim5_9\\aim.exe"=
"C:\\Program Files\\TVersity\\Media Server\\TVersity.exe"=
"C:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\OLD_D\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\OLD_D\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\WINDOWS\\system32\\ctfmon.exe"=
"C:\\WINDOWS\\LTMSG.exe"=
"C:\\Program Files\\Common Files\\Smith Micro Shared\\FAX\\SMLoader.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 SABDIFSV;SABDIFSV;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS [2005-09-21 11:17]
R1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [2007-02-20 16:02]
R3 dac970nt;dac970nt;C:\WINDOWS\system32\drivers\nmmppi.sys []
S3 ATICDSDr;ATICDSDr;C:\Program Files\ATI Technologies\ATI Control Panel\atiicdxx.sys [2002-11-06 14:48]
S3 CPQDAP01;Compaq PA-1 Personal Audio Player USB Driver;C:\WINDOWS\system32\Drivers\CPQDAP01.sys [2001-08-17 14:24]
S3 EraserUtilDrv10621;EraserUtilDrv10621;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys []
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 10:27]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-07 C:\WINDOWS\Tasks\User_Feed_Synchronization-{430F3B19-E51E-44B8-A369-7E9E7D1714CA}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 14:58]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
MSConfigStartUp-SpybotSD TeaTimer - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e71w2wwp.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.yahoo.com


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 15:40:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-08-07 15:44:14
ComboFix-quarantined-files.txt 2008-08-07 19:44:12
ComboFix2.txt 2008-08-06 20:49:15
ComboFix3.txt 2008-08-06 19:52:29
ComboFix4.txt 2008-01-06 20:13:44
ComboFix5.txt 2008-08-07 19:37:14

Pre-Run: 13,957,423,104 bytes free
Post-Run: 13,945,286,656 bytes free

249 --- E O F --- 2008-07-11 07:36:52

Edited by Jason B, 07 August 2008 - 02:48 PM.
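The Security Center and firewall-policy values in the log above (every notification and override value set to 1, Security Center monitoring disabled, `EnableFirewall` at 0 in the standard profile, and a long firewall exception list) are the part of a ComboFix dump a responder reads first. The Python below is an added example, not code from this thread, from ComboFix or from SDFix: it parses a constructed excerpt laid out like the registry section of that log and reports those three kinds of findings. The `SAMPLE_LOG`, `parse_registry_dump`, `triage` and `summarize` names are this example's own.

```python
"""Triage the registry-dump section of a ComboFix-style log for Security
Center suppression and firewall tampering.

Added example; not part of the forum thread, ComboFix or SDFix. The sample
log below is constructed to mirror the layout of the log posted above.
"""
import re
from typing import Dict, List, Tuple, Union

SECTION_RE = re.compile(r"^\[(?P<path>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<raw>.*)$')

# Constructed sample, modelled on the registry section of the posted log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"""

Value = Union[int, str]
Finding = Tuple[str, str]

# Value names under "security center" that, when set to 1, silence or
# override the warnings a user would otherwise see.
SUPPRESSION_SUFFIXES = ("DisableNotify", "Override", "DisableMonitoring")


def parse_value(raw: str) -> Value:
    """Decode the encodings seen in the dump: dword:HEX, 'N (0xN)', or bare text."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return raw  # a path, or empty for firewall exception entries


def parse_registry_dump(text: str) -> Dict[str, Dict[str, Value]]:
    """Map each [key path] (lower-cased) to its name -> decoded value pairs."""
    sections: Dict[str, Dict[str, Value]] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("path").lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = parse_value(m.group("raw"))
    return sections


def triage(sections: Dict[str, Dict[str, Value]]) -> List[Finding]:
    """Flag Security Center suppression, a disabled firewall and exceptions.

    These are triage hints, not proof: a registered third-party suite can
    legitimately set per-vendor Monitoring keys, so confirm each finding
    against the products actually installed.
    """
    findings: List[Finding] = []
    for path, values in sections.items():
        if "security center" in path:
            for name, val in values.items():
                if name.endswith(SUPPRESSION_SUFFIXES) and val == 1:
                    findings.append(("security_center_suppressed", f"{path}\\{name}"))
        if path.endswith(r"firewallpolicy\standardprofile"):
            if values.get("EnableFirewall") == 0:
                findings.append(("firewall_disabled", path))
        if path.endswith(r"authorizedapplications\list"):
            for name in values:
                findings.append(("firewall_exception", name))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category for a quick overview."""
    counts: Dict[str, int] = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, detail in triage(parse_registry_dump(SAMPLE_LOG)):
        print(f"{kind:28s} {detail}")
    print(summarize(triage(parse_registry_dump(SAMPLE_LOG))))
```

Run it against a real log by reading the file into `parse_registry_dump` instead of `SAMPLE_LOG`; the firewall exception list is reported in full rather than judged, because which entries are legitimate depends on what the owner knowingly installed.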


#12 Jason B

Jason B
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Local time:07:20 AM

Posted 08 August 2008 - 11:03 AM

Hey, you still around? Need help very bad.

*** I will definitely be giving you a DONATION when we get this fixed!!! I appreciate your time.

Edited by Jason B, 08 August 2008 - 01:17 PM.


#13 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:01:20 PM

Posted 08 August 2008 - 01:32 PM

Yep, I'm still with you, John! We had a major downtime on the site last night where no-one could logon, hence the delay.
I want to run a tool that I hope will restore the system privileges you've lost; we can then tackle the malware you have.
I've looked through your GMER log and I don't see a rootkit, so that's a promising sign! :thumbsup:

Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.

#14 Jason B

Jason B
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Local time:07:20 AM

Posted 08 August 2008 - 02:27 PM

Attached File: sdfix.jpg (52.58KB)

Hey! There is no "y" option listed??? See above.

It also mentions to run in safe mode, but I can't even do that, as safe mode won't work since I got these viruses. I tried to get into safe mode before I posted my issue on here and had no luck. Ideas????

Edited by Jason B, 08 August 2008 - 02:32 PM.


#15 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:01:20 PM

Posted 08 August 2008 - 02:48 PM

Run SDfix again and choose 'D' to export the safeboot keys.
A notepad file should open and please C&P the contents back here.



