Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown Malware Help


  • This topic is locked This topic is locked
17 replies to this topic

#1 warnog

warnog

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 01 April 2009 - 01:17 AM

Been having a problem with some malware. I did a removal of TR/Vundo but maybe I missed something or another malware is present. Here is the HiJackThis Log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:57 PM, on 3/31/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Sprint Instinct Applications\MEMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: VisualContext - {50F0B8B6-89B9-A9E3-BDBC-5B0870F23209} - C:\Program Files\VisualContext\VisualContext-2.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5d84ff39-c9c0-4a88-ac86-9b0bbae5d636} - C:\WINDOWS\System32\suzezufu.dll (file missing)
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Vimicro USB PC Camera (VC0305)
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [zisepinasi] Rundll32.exe "C:\WINDOWS\System32\suwidusu.dll",s
O4 - HKLM\..\Run: [6c51e054] rundll32.exe "C:\WINDOWS\System32\lipoyiya.dll",b
O4 - HKLM\..\Run: [CPM6f62d3c8] Rundll32.exe "c:\windows\system32\sawikali.dll",a
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [zisepinasi] Rundll32.exe "C:\WINDOWS\System32\vunogenu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [zisepinasi] Rundll32.exe "C:\WINDOWS\System32\vunogenu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: Sprint media monitor.lnk = C:\WINDOWS\RM.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1183056311641
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: tgxnvj.dll mxhsns.dll C:\WINDOWS\System32\weloyifa.dll c:\windows\system32\sawikali.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sawikali.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sawikali.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 13236 bytes

BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:09:49 AM

Posted 08 April 2009 - 05:39 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 warnog

warnog
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 09 April 2009 - 12:43 PM

A/V has been saying that it is a TR/Vundo.Gen Trojan. I tried a vundo removal tool but it did not work for me. Thanks for the help.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Joshua at 10:37:14.04 on Thu 04/09/2009
Internet Explorer: 6.0.2600.0000 BrowserJavaVersion: 1.6.0_02

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
mDefault_Page_URL = hxxp://yahoo.sbc.com/dsl
mDefault_Search_URL = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
mSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
mStart Page = hxxp://yahoo.sbc.com/dsl
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchAssistant = hxxp://ie.search.msn.com
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\srchastt\1.bin\MWSSRCAS.DLL
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\srchastt\1.bin\MWSSRCAS.DLL
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: VisualContext: {50f0b8b6-89b9-a9e3-bdbc-5b0870f23209} - c:\program files\visualcontext\VisualContext-2.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: {5d84ff39-c9c0-4a88-ac86-9b0bbae5d636} - c:\windows\system32\suzezufu.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [D-Link Air Utility] c:\program files\d-link\air utility\AirCFG.exe
mRun: [ANIWZCSService] c:\program files\alpha networks\aniwzcs service\WZCSLDR.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [BigDogPath] c:\windows\VM_STI.EXE Vimicro USB PC Camera (VC0305)
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [zisepinasi] Rundll32.exe "c:\windows\system32\suwidusu.dll",s
mRun: [6c51e054] rundll32.exe "c:\windows\system32\lipoyiya.dll",b
mRun: [CPM6f62d3c8] Rundll32.exe "c:\windows\system32\sawikali.dll",a
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - {EC4548D7-1F09-4FC2-BB95-E34724CF3D60} http://uk.trendmicro-europe.com/enterprise...usecall_pre.php - http://uk.trendmicro-europe.com/enterprise...;inprocserver32 does not exist!
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} - hxxps://signup.msn.com/pages/MsnInstC.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183056311641
DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - hxxp://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} - hxxp://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
DPF: {AECD14A8-F662-11D1-A395-00805F535788} - hxxp://www.investors.com/member/ocx/plotwon.ocx
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab
DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\getright\xx2gr.dll
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\getright\xx2gr.dll
AppInit_DLLs: tgxnvj.dll mxhsns.dll c:\windows\system32\weloyifa.dll c:\windows\system32\sawikali.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sawikali.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\sawikali.dll
LSA: Notification Packages = scecli c:\windows\system32\weloyifa.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joshua\applic~1\mozilla\firefox\profiles\k12m1ust.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=4&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/|https://cas.csuchico.edu/cas/login?service=https://portal.csuchico.edu/uPortal/Login
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=4&tid={E57424C4-267D-AC45-EFD4-A8A914BEC8C8}&q=

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-04-01 11:52 24,576 a------- c:\windows\system32\VundoFixSVC.exe
2009-03-31 19:19 <DIR> --d----- c:\program files\Trend Micro
2009-03-31 18:57 <DIR> --d----- C:\VundoFix Backups
2009-03-31 18:26 <DIR> --d----- c:\windows\ERUNT
2009-03-31 18:22 <DIR> --d----- C:\SDFix
2009-03-31 17:17 1,403,710 ---sh--- c:\windows\system32\ayiyopil.ini
2009-03-17 00:22 <DIR> --d----- c:\docume~1\joshua\applic~1\W Photo Studio Viewer
2009-03-11 22:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Tarma Installer
2009-03-11 22:27 <DIR> --d----- c:\docume~1\joshua\applic~1\Smith Micro
2009-03-11 22:27 33,664 a------- c:\windows\system32\drivers\disk.sys
2009-03-11 22:24 <DIR> --d----- c:\docume~1\joshua\applic~1\Sprint Desktop Sync
2009-03-11 22:24 <DIR> --d----- c:\program files\Sprint Desktop Sync
2009-03-11 22:23 <DIR> --d----- c:\program files\Samsung
2009-03-11 22:21 222,552 -------- c:\windows\RM.exe
2009-03-11 22:21 <DIR> --d----- c:\program files\Sprint Instinct Applications

==================== Find3M ====================

2009-03-31 17:17 106,496 -------- c:\windows\system32\sawikali.dll
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2007-11-25 23:52 87,608 a------- c:\docume~1\joshua\applic~1\inst.exe
2007-11-25 23:52 47,360 a------- c:\docume~1\joshua\applic~1\pcouffin.sys
2004-07-18 03:03 9,256 a------- c:\program files\resume.zip
2002-09-13 08:35 1,798 a------- c:\program files\norton-etc.html
2007-11-06 16:48 56 ---shr-- c:\windows\system32\E6248BBED6.sys
2007-11-06 16:48 952 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 10:38:03.41 ===============



==== Installed Programs ======================

100 Best Arcade Games
12Sky
2Wire Wireless Client
3D Ball of Defiance 2.0
Ad-Aware
Adobe Acrobat 5.0
Adobe Flash Player Plugin
Adobe Photoshop 7.0
Adobe Reader 6.0
Air Utility
ANIO Service
ANIWZCS Service
AstroPop 1.0.0.1
AT&T Yahoo! Applications
AT&T Yahoo! High Speed Internet Home Networking Installer
Avira AntiVir Personal - Free Antivirus
AviSynth 2.5
Azureus Vuze
BHA B's Recorder GOLD 3.18
BitPim 0.8.08
Canon MP Navigator 2.2
Canon MP530
Canon MP530 User Registration
Canon Utilities Easy-PhotoPrint
ccCommon
ConvertXtoDVD 2.2.3.258h
ConvertXtoDVD 3.2.4.82
Creative Audio Console
Diego
DivX 5.0.3 Pro Bundle
DK2 DESkey Drivers
DriverAgent by TouchStone Software
DriverGuide Toolkit
Easy-WebPrint
FlashFXP v3
FLS-4 Driver Installation
FLV Player 2.0 (build 25)
FontInstaller
FrostWire 4.17.2
GameSpy 3D
GetRight
Google Earth
Hex Workshop v4.23
HijackThis 2.0.2
ImgBurn (Remove Only)
Internet Explorer Q822925
InterVideo DirectShow Filter 2.6
InterVideo WinDVD Platinum
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.1_07
Java Web Start
Java™ 6 Update 2
Kazaa Media Desktop 2.1.1
LG USB Modem driver
LightScribe 1.4.136.1
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Macromedia Extension Manager
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Office 2000 SR-1 Professional
Microsoft Visual C++ 2005 Redistributable
MobiMB Mobile Media Browser
Mozilla Firefox (3.0.8)
MSN Music Assistant
MSRedist
MySpaceIM
Need2Find Bar
Nero 7 Essentials
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton PartitionMagic
Norton PartitionMagic 8.0
Norton Speed Disk 6.0 for Windows NT
Norton Utilities 2002 for Windows
NVIDIA Drivers
Outlook Express Update Q330994
Presto! PageManager 7.15.14
QuickTime 3.0
RealFlight G2 NexSTAR Simulator
RealPlayer
RGSS-RTP Standard
SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
ScanSoft OmniPage SE 4.0
Serials 2005
SPBBC
Spotmau Wincare 2008
Sprint Desktop Sync
Sprint media manager
Symantec
Symantec Script Blocking Installer
SymNet
TaxCut 2002
TurboTax Deluxe 2003
TurboTax Deluxe 2004
TurboTax Deluxe 2005
TurboTax ItsDeductible 2005
USB Converter Driver
USB Mini Driver
USB Universal Driver
Vampire - The Masquerade Bloodlines
Vimicro USB PC Camera (VC0305)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VisualContext
WebFldrs XP
WexTech AnswerWorks
Winamp
Winamp Remote
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.0 (KB884016)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Application Compatibility Update[Q319580]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP1) [See Q282010 for more information]
Windows XP Hotfix (SP1) [See Q307869 for more information]
Windows XP Hotfix (SP1) [See Q308210 for more information]
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Hotfix (SP1) [See Q310437 for more information]
Windows XP Hotfix (SP1) [See Q310510 for more information]
Windows XP Hotfix (SP1) [See Q311542 for more information]
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q311967 for more information]
Windows XP Hotfix (SP1) [See Q313450 for more information]
Windows XP Hotfix (SP1) [See Q314147 for more information]
Windows XP Hotfix (SP1) [See Q314862 for more information]
Windows XP Hotfix (SP1) [See Q315000 for more information]
Windows XP Hotfix (SP1) [See Q315403 for more information]
Windows XP Hotfix (SP1) [See Q316397 for more information]
Windows XP Hotfix (SP1) [See Q317277 for more information]
Windows XP Hotfix (SP1) [See Q318138 for more information]
Windows XP Hotfix (SP1) [See Q318388 for more information]
Windows XP Hotfix (SP1) [See Q318966 for more information]
Windows XP Hotfix (SP1) [See Q319322 for more information]
Windows XP Hotfix (SP1) [See Q319949 for more information]
Windows XP Hotfix (SP1) [See Q320174 for more information]
Windows XP Hotfix (SP1) [See Q320552 for more information]
Windows XP Hotfix (SP1) [See Q320678 for more information]
Windows XP Hotfix (SP1) [See Q323172 for more information]
Windows XP Hotfix (SP1) [See Q323322 for more information]
Windows XP Hotfix (SP1) [See Q324096 for more information]
Windows XP Hotfix (SP1) [See Q324380 for more information]
Windows XP Hotfix (SP1) [See Q326830 for more information]
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) Q328310
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q331953
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q811493
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP1) Q819696
Windows XP Hotfix (SP2) [See Q329115 for more information]
WinPcap 3.1
WinRAR archiver
World of Warcraft
XviD MPEG-4 Codec
Yahoo! Toolbar
Zuma Deluxe RA

==== End Of File ===========================

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:49 AM

Posted 09 April 2009 - 08:28 PM

Hello.

Let's run Combofix. This is a very powerful tool and should not be used regularly nor should it be used for private uses unless guided upon an expert.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 warnog

warnog
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 10 April 2009 - 12:13 AM

My video card was acting up and restarted the system after the scan when it restarted and was created the log. So there is no log file to post. However my a/v is not popping up with a warning that there is any tr/vundo.gen trojan like it was before. If there is another scan you would like me to run to ensure that the system is clean I will gladly do it. Thank you for all your help so far.

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:49 AM

Posted 10 April 2009 - 09:12 AM

Okay.

I would want you to let me know if you think everything is fine now and you do not wish to recieve any help or do you want to continue and see what's left? Any of those decision will satisfy me. :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 warnog

warnog
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 11 April 2009 - 01:54 AM

Nvm the A/v picked up the virus again. I would still like some help. Thx

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:49 AM

Posted 11 April 2009 - 09:23 AM

Hello.

Run Combofix again please. After Combofix is done a log will produced like last time. Post that log.

Also, post the following log as well.

Navigate to your C:\QooBox <- This folder.
Find a text file document called "ComboFix-quarantined-files.txt".

Post back with:
-The Combofix log
-ComboFix-quarantined-files log

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:49 AM

Posted 14 April 2009 - 02:46 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 from the day I replied, the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 warnog

warnog
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 15 April 2009 - 12:49 AM

ComboFix 09-04-14.09 - Joshua 2009-04-14 9:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.1023.693 [GMT -7:00]
Running from: c:\documents and settings\Joshua\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ayiyopil.ini
c:\windows\system32\domjfhyq.ini
c:\windows\system32\hfwiuasw.ini
c:\windows\system32\jlahrglt.ini
c:\windows\system32\oqlmaoqs.ini
c:\windows\system32\scavvayh.ini
.
---- Previous Run -------
.
c:\documents and settings\Joshua\Application Data\inst.exe
c:\program files\MyWebSearch
c:\program files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
c:\program files\Need2Find
c:\program files\Need2Find\bar\2.bin\N2FFXTBR.JAR
c:\program files\Need2Find\bar\2.bin\N2NTSTBR.JAR
c:\program files\Need2Find\bar\2.bin\PARTNER.DAT
c:\program files\Need2Find\bar\Cache\042AA379
c:\program files\Need2Find\bar\Cache\files.ini
c:\program files\Need2Find\bar\History\search
c:\program files\Need2Find\bar\Settings\prevcfg.htm
c:\windows\cdmxtras
c:\windows\patch.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\sawikali.dll
c:\windows\system32\wanpacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

2009-04-10 04:11 . 2006-11-18 02:21 208896 ----a-w c:\windows\system32\NVUNINST.EXE
2009-04-10 04:05 . 2009-04-10 04:06 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-10 04:04 . 2009-04-10 04:05 -------- d-----w c:\documents and settings\Joshua\Application Data\SystemRequirementsLab
2009-04-10 03:57 . 2009-04-12 03:08 30120 ----a-w c:\windows\system32\BMXState-{00000002-00000000-00000005-00001102-00000004-00521102}.rfx
2009-04-10 03:57 . 2009-04-12 03:08 27408 ----a-w c:\windows\system32\BMXCtrlState-{00000002-00000000-00000005-00001102-00000004-00521102}.rfx
2009-04-10 03:57 . 2009-04-12 03:08 27408 ----a-w c:\windows\system32\BMXBkpCtrlState-{00000002-00000000-00000005-00001102-00000004-00521102}.rfx
2009-04-10 03:57 . 2009-04-12 03:08 11564 ----a-w c:\windows\system32\DVCState-{00000002-00000000-00000005-00001102-00000004-00521102}.rfx
2009-04-10 03:57 . 2009-04-12 03:08 3162278 ----a-w c:\windows\{00000002-00000000-00000005-00001102-00000004-00521102}.BAK
2009-04-10 03:48 . 2009-04-12 03:08 3162278 ----a-w c:\windows\{00000002-00000000-00000005-00001102-00000004-00521102}.CDF
2009-04-01 18:52 . 2009-04-01 18:52 24576 ----a-w c:\windows\system32\VundoFixSVC.exe
2009-04-01 02:19 . 2009-04-01 02:19 -------- d-----w c:\program files\Trend Micro
2009-04-01 01:57 . 2009-04-01 01:57 -------- d-----w C:\VundoFix Backups
2009-04-01 01:26 . 2009-04-01 01:27 -------- d-----w c:\windows\ERUNT
2009-04-01 01:22 . 2009-04-01 01:55 -------- d-----w C:\SDFix
2009-03-17 07:22 . 2009-03-17 07:24 -------- d-----w c:\documents and settings\Joshua\Application Data\W Photo Studio Viewer
2009-03-15 22:27 . 2009-03-15 22:27 -------- d-----w c:\documents and settings\Joshua\Local Settings\Application Data\Batchwork

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 16:21 . 2003-03-26 11:05 -------- d-----w c:\program files\GetRight
2009-04-10 19:20 . 2009-03-12 05:21 -------- d-----w c:\program files\Sprint Instinct Applications
2009-04-10 04:03 . 2008-09-12 03:10 -------- d-----w c:\program files\VisualContext
2009-04-09 17:45 . 2003-03-26 21:21 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-09 17:45 . 2007-09-10 22:05 -------- d-----w c:\documents and settings\Joshua\Application Data\NewSoft
2009-04-02 22:51 . 2003-03-31 02:24 -------- d-----w c:\program files\Yahoo!
2009-04-02 16:58 . 2008-11-25 23:22 -------- d-----w c:\program files\World of Warcraft
2009-04-02 16:57 . 2007-11-21 07:03 -------- d-----w c:\documents and settings\Joshua\Application Data\Vso
2009-04-02 07:10 . 2007-11-19 05:58 -------- d-----w c:\documents and settings\Joshua\Application Data\Azureus
2009-04-01 18:53 . 2009-04-01 01:57 478 ----a-w C:\VundoFix.txt
2009-03-25 03:10 . 2009-01-29 18:31 -------- d-----w c:\documents and settings\Joshua\Application Data\FrostWire
2009-03-12 05:35 . 2009-03-12 05:35 -------- d-----w c:\documents and settings\All Users\Application Data\Tarma Installer
2009-03-12 05:34 . 2009-03-12 05:27 -------- d-----w c:\documents and settings\Joshua\Application Data\Smith Micro
2009-03-12 05:24 . 2009-03-12 05:24 -------- d-----w c:\documents and settings\Joshua\Application Data\Sprint Desktop Sync
2009-03-12 05:24 . 2009-03-12 05:24 -------- d-----w c:\program files\Sprint Desktop Sync
2009-03-12 05:23 . 2009-03-12 05:23 -------- d-----w c:\program files\Samsung
2009-03-05 17:37 . 2007-11-19 05:58 -------- d-----w c:\program files\Azureus
2009-03-01 10:11 . 2005-06-01 06:40 -------- d-----w c:\program files\Norton Utilities
2009-02-14 02:38 . 2009-01-26 09:28 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-23 00:48 . 2009-01-23 00:48 1600 ----a-w C:\help.zip_zip_Data Recovery.hhp.cached
2007-11-26 06:52 . 2007-11-21 07:03 47360 ----a-w c:\documents and settings\Joshua\Application Data\pcouffin.sys
2007-11-24 08:11 . 2003-06-25 10:01 25240 ----a-w c:\documents and settings\Joshua\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2004-07-18 10:03 . 2004-07-18 10:03 9256 ----a-w c:\program files\resume.zip
2002-09-13 15:35 . 2003-06-24 10:05 1798 ----a-w c:\program files\norton-etc.html
.

------- Sigcheck -------

[-] 2001-08-23 12:00 12800 0F7D9C87B0CE1FA520473119752C6F79 c:\windows\system32\svchost.exe
[-] 2001-08-23 12:00 12800 0F7D9C87B0CE1FA520473119752C6F79 c:\windows\system32\dllcache\svchost.exe

[-] 2001-08-23 12:00 561152 BE57A5C3ABD240514B98F6BCA872FB21 c:\windows\$NtUninstallQ328310$\user32.dll
[-] 2002-11-01 23:26 528896 68E1F4EF02DF52CA9C5E157045D23582 c:\windows\$xpsp1hfm$\Q328310\user32.dll
[-] 2002-11-22 20:16 528896 1BD18B332A07FD10BF0322C352A78078 c:\windows\system32\user32.dll
[-] 2002-11-22 20:16 528896 1BD18B332A07FD10BF0322C352A78078 c:\windows\system32\dllcache\user32.dll

[-] 2001-08-23 12:00 75264 8529C295DF59B564D37A73B5629162B1 c:\windows\system32\ws2_32.dll
[-] 2001-08-23 12:00 75264 8529C295DF59B564D37A73B5629162B1 c:\windows\system32\dllcache\ws2_32.dll

[-] 2002-06-06 20:38 583168 508501E6D5C5D165F9C078AE8F3C9D00 c:\windows\system32\wininet.dll
[-] 2002-06-06 20:38 583168 508501E6D5C5D165F9C078AE8F3C9D00 c:\windows\system32\dllcache\wininet.dll

[-] 2001-08-23 12:00 327168 E7774698BB0D14B0710A9A31E209F9B6 c:\windows\system32\dllcache\tcpip.sys
[-] 2001-08-23 12:00 327168 E7774698BB0D14B0710A9A31E209F9B6 c:\windows\system32\drivers\tcpip.sys

[-] 2001-08-23 12:00 430080 2B0E480E975EE51F2D5CE5F068FED6E2 c:\windows\system32\winlogon.exe
[-] 2001-08-23 12:00 430080 2B0E480E975EE51F2D5CE5F068FED6E2 c:\windows\system32\dllcache\winlogon.exe

[-] 2001-08-23 12:00 161536 3EFD4F59BA0A340DE0A3AB984001DBF7 c:\windows\system32\dllcache\ndis.sys
[-] 2001-08-23 12:00 161536 3EFD4F59BA0A340DE0A3AB984001DBF7 c:\windows\system32\drivers\ndis.sys

[-] 2001-08-23 12:00 1896704 46E2E3DCF54B819CFB2EBFE48A22B5C9 c:\windows\$NtUninstallQ317277$\ntkrnlpa.exe
[-] 2002-02-25 23:33 1897856 01FD1F7C82B263F1667A1CEA095756C5 c:\windows\$NtUninstallQ811493$\ntkrnlpa.exe
[-] 2002-12-12 23:38 1948288 3A3E10244C0124126D250EBCCD41E75B c:\windows\$xpsp1hfm$\Q811493\ntkrnlpa.exe
[-] 2002-02-25 23:33 1897856 01FD1F7C82B263F1667A1CEA095756C5 c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2002-12-13 00:09 1902080 21385934893FDAF12A713017B4F66671 c:\windows\system32\ntkrnlpa.exe
[-] 2002-12-13 00:09 1902080 21385934893FDAF12A713017B4F66671 c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2001-08-23 12:00 1982208 A29222D5281056E497408FCC9062F749 c:\windows\$NtUninstallQ317277$\ntoskrnl.exe
[-] 2002-02-25 23:33 1875584 257AAFD1F77990355BB6E83650D52680 c:\windows\$NtUninstallQ811493$\ntoskrnl.exe
[-] 2002-12-12 23:38 1924480 51EF4A22AF3E9E94E4AA9E9D7DF619DF c:\windows\$xpsp1hfm$\Q811493\ntoskrnl.exe
[-] 2002-02-25 23:33 1875584 257AAFD1F77990355BB6E83650D52680 c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2002-12-13 00:08 1879936 DB499BE143D626FC8778BE7E18185EB3 c:\windows\system32\ntoskrnl.exe
[-] 2002-12-13 00:08 1879936 DB499BE143D626FC8778BE7E18185EB3 c:\windows\system32\dllcache\ntoskrnl.exe

[-] 2001-08-23 12:00 1000960 5A26FC6010886D25B3E412493DD95ED8 c:\windows\explorer.exe
[-] 2001-08-23 12:00 1000960 5A26FC6010886D25B3E412493DD95ED8 c:\windows\system32\dllcache\explorer.exe

[-] 2001-08-23 12:00 101376 E3DF4A0252D287C44606EE55355E1623 c:\windows\system32\services.exe
[-] 2001-08-23 12:00 101376 E3DF4A0252D287C44606EE55355E1623 c:\windows\system32\dllcache\services.exe

[-] 2001-08-23 12:00 11776 8A590EA109B5E0C7629E022F8A6B17C5 c:\windows\system32\lsass.exe
[-] 2001-08-23 12:00 11776 8A590EA109B5E0C7629E022F8A6B17C5 c:\windows\system32\dllcache\lsass.exe

[-] 2001-08-23 12:00 13312 85B1054DB58D13AA42D7DCA778C30F57 c:\windows\system32\ctfmon.exe
[-] 2001-08-23 12:00 13312 85B1054DB58D13AA42D7DCA778C30F57 c:\windows\system32\dllcache\ctfmon.exe

[-] 2001-08-23 12:00 51200 9B4155BA58192D4073082B8FC5D42612 c:\windows\system32\spoolsv.exe
[-] 2001-08-23 12:00 51200 9B4155BA58192D4073082B8FC5D42612 c:\windows\system32\dllcache\spoolsv.exe

[-] 2001-08-23 12:00 21504 585398603F570F9705774D65D292E5D1 c:\windows\system32\userinit.exe
[-] 2001-08-23 12:00 21504 585398603F570F9705774D65D292E5D1 c:\windows\system32\dllcache\userinit.exe

[-] 2001-08-23 12:00 197632 458635D2E4559526CF9C895340A38702 c:\windows\$NtUninstallQ311889$\termsrv.dll
[-] 2001-12-12 01:48 197632 17A9BA0ED8B8FB8924A48BF8F7C82348 c:\windows\system32\termsrv.dll
[-] 2001-12-12 01:48 197632 17A9BA0ED8B8FB8924A48BF8F7C82348 c:\windows\system32\dllcache\termsrv.dll

[-] 2001-08-23 12:00 926720 379B0B31D7F8D2C9F7FF302B454A6C54 c:\windows\system32\kernel32.dll
[-] 2001-08-23 12:00 926720 379B0B31D7F8D2C9F7FF302B454A6C54 c:\windows\system32\dllcache\kernel32.dll

[-] 2001-08-23 12:00 14848 865AD7CCB20856727D5BD994B094DC5E c:\windows\system32\powrprof.dll
[-] 2001-08-23 12:00 14848 865AD7CCB20856727D5BD994B094DC5E c:\windows\system32\dllcache\powrprof.dll

[-] 2001-08-23 12:00 96768 E046037FD5BCDF92CE1A122B749B9B09 c:\windows\system32\imm32.dll
[-] 2001-08-23 12:00 96768 E046037FD5BCDF92CE1A122B749B9B09 c:\windows\system32\dllcache\imm32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect0]
@="{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}"
[HKEY_CLASSES_ROOT\CLSID\{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}]
2007-12-03 00:05 348160 ----a-w c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect1]
@="{8A814C29-D3CD-4F9E-9770-DF8704503ACA}"
[HKEY_CLASSES_ROOT\CLSID\{8A814C29-D3CD-4F9E-9770-DF8704503ACA}]
2007-12-03 00:05 348160 ----a-w c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-24 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-11-18 7700480]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-08-28 58488]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-03-23 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"D-Link Air Utility"="c:\program files\D-Link\Air Utility\AirCFG.exe" [2003-09-04 3358720]
"ANIWZCSService"="c:\program files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 32768]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"BigDogPath"="c:\windows\VM_STI.EXE" [2005-03-01 53248]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-22 507224]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-11-18 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-11-18 1622016]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2007-04-09 19968]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-06-28 19456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-14 54472]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\Joshua\Start Menu\Programs\Startup\
Sprint media monitor.lnk - c:\windows\RM.exe [2009-3-11 222552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2003-3-26 49254]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-4-27 113664]
Start GetRight.lnk - c:\program files\GetRight\getright.exe [2003-3-26 2345984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DIVXc32.dll
"vidc.DIV4"= DIVXc32f.dll
"VIDC.I263"= i263_32.drv
"aux1"= ctwdm32.dll
"MSACM.CEGSM"= mobilev.acm
"aux2"= ctwdm32.dll
"aux3"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton System Doctor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Norton System Doctor.lnk
backup=c:\windows\pss\Norton System Doctor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2008-12-12 18:46 9555968 ----a-w c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=

R3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);c:\windows\system32\DRIVERS\atirtcap.sys [2001-08-17 49920]
R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-28 99352]
R3 CQX;Susteen Virtual Serial Port Driver;c:\windows\system32\DRIVERS\CQX.SYS [2003-03-21 38144]
R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-28 555032]
R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2008-06-28 100888]
R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-28 100888]
R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-28 566296]
R3 nv3;nv3;c:\windows\system32\DRIVERS\nv3.sys [2001-08-17 198144]
R3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;c:\windows\system32\DRIVERS\PRISMNDS.sys [2003-07-17 652288]
R3 Sus2pl;Susteen Universal Cable II;c:\windows\system32\DRIVERS\sus2pl.sys [2004-03-31 43392]
S0 avgntmgr;avgntmgr;c:\windows\SYSTEM32\DRIVERS\avgntmgr.sys [2008-01-22 22336]
S1 avgntdd;avgntdd;c:\windows\system32\DRIVERS\avgntdd.sys [2008-05-09 45376]
S1 FolderProtectDriver;FolderProtectDriver;c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectDriver.sys [2008-01-11 15616]
S2 DK2DRV;DK2 WindowsNT Driver;c:\windows\System32\Drivers\DK2DRV.SYS [1999-10-26 31020]
S2 FLE5WNNT;FLE-5 WindowsNT Driver;c:\windows\System32\Drivers\fle5wnnt.sys [2006-03-16 33404]
S2 FLSIFACE;FLSIFACE;c:\windows\System32\Drivers\flsiface.sys [2006-03-16 12768]
S2 FLSPAR;FLSPAR;c:\windows\System32\Drivers\flspar.sys [2006-03-16 16314]
S2 FLSSER;FLSSER;c:\windows\System32\Drivers\flsser.sys [2006-03-16 8344]
S2 FLSVCOM;FLSVCOM;c:\windows\System32\Drivers\flsvcom.sys [2006-03-16 32666]
S2 FolderProtectService;FolderProtectService;c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe [2007-12-22 10240]
S2 NProtectService;Norton Unerase Protection;c:\program files\Norton Utilities\NPROTECT.EXE [2001-08-10 135168]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2008-06-28 99352]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2008-06-28 555032]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2008-06-28 566296]

.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-06-01 01:38]

2009-04-13 c:\windows\Tasks\Windows Update.job
- c:\windows\system32\wupdmgr.exe [2001-08-23 12:00]

2009-04-10 c:\windows\Tasks\{4342A474-C820-458C-B862-E30B345D88FF}_WARNOG_Joshua.job
- c:\windows\system32\mobsync.exe [2001-08-23 12:00]

2009-04-02 c:\windows\Tasks\{8A343302-4B09-468C-A727-4FD2D170244F}_WARNOG_Joshua.job
- c:\windows\system32\mobsync.exe [2001-08-23 12:00]

2009-04-13 c:\windows\Tasks\{B37E7A09-FBE3-4DF2-8782-D7701EA5289C}_WARNOG_Joshua.job
- c:\windows\system32\mobsync.exe [2001-08-23 12:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5d84ff39-c9c0-4a88-ac86-9b0bbae5d636} - c:\windows\System32\suzezufu.dll
HKLM-Run-zisepinasi - c:\windows\System32\suwidusu.dll
HKLM-Run-6c51e054 - c:\windows\System32\lipoyiya.dll
SafeBoot-Lavasoft Ad-Aware Service


.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://yahoo.sbc.com/dsl
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
Trusted Zone: aol.com\free
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\GetRight\xx2gr.dll
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\GetRight\xx2gr.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Joshua\Application Data\Mozilla\Firefox\Profiles\k12m1ust.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=4&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/|https://cas.csuchico.edu/cas/login?service=https://portal.csuchico.edu/uPortal/Login
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=4&tid={E57424C4-267D-AC45-EFD4-A8A914BEC8C8}&q=
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 09:58
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PSSdk21]
"ImagePath"="\??\c:\windows\System32\Drivers\HNPsSdk.drv"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PSSdk23]
"ImagePath"="\??\c:\windows\System32\Drivers\PsSdk23.drv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\ODBC32.dll
c:\windows\system32\RASAPI32.dll

- - - - - - - > 'lsass.exe'(664)
c:\windows\system32\RASAPI32.dll
c:\windows\System32\dssenh.dll
.
Completion time: ~,10time:~,-3
ComboFix-quarantined-files.txt 2009-04-14 17:00

Pre-Run: 31,720,239,104 bytes free
Post-Run: 31,626,199,040 bytes free

299



ComboFix Quarantine List

2009-04-14 16:59:23 . 2009-04-14 16:59:23 614 ----a-w C:\Qoobox\Quarantine\Registry_backups\SafeBoot-Lavasoft Ad-Aware Service.reg.dat
2009-04-14 16:59:16 . 2009-04-14 16:59:16 149 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-6c51e054.reg.dat
2009-04-14 16:59:16 . 2009-04-14 16:59:16 151 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-zisepinasi.reg.dat
2009-04-14 16:59:13 . 2009-04-14 16:59:13 374 ----a-w C:\Qoobox\Quarantine\Registry_backups\BHO-{5d84ff39-c9c0-4a88-ac86-9b0bbae5d636}.reg.dat
2009-04-10 04:18:33 . 2009-04-10 04:18:33 2,050 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_NPF.reg.dat
2009-04-10 04:18:26 . 2009-04-14 16:58:23 16,461 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-04-10 04:15:07 . 2009-04-14 16:56:17 166 ----a-w C:\Qoobox\Quarantine\catchme.log
2009-04-01 00:17:50 . 2009-04-01 00:39:21 1,403,710 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ayiyopil.ini.vir
2009-02-16 20:18:17 . 2009-02-16 20:18:17 61,440 ----a-w C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL.vir
2009-01-23 19:46:33 . 2009-01-25 08:38:42 1,436,184 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\scavvayh.ini.vir
2009-01-22 19:43:41 . 2009-01-23 19:44:02 1,436,184 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\oqlmaoqs.ini.vir
2009-01-21 09:34:56 . 2009-01-22 19:41:04 1,436,184 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\domjfhyq.ini.vir
2009-01-20 09:31:16 . 2009-01-21 09:32:08 1,433,689 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\hfwiuasw.ini.vir
2009-01-19 09:29:07 . 2009-01-20 09:29:39 1,407,723 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\jlahrglt.ini.vir
2009-01-01 00:16:48 . 2009-04-01 00:17:14 106,496 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\sawikali.dll.vir
2008-04-15 20:31:14 . 2008-07-19 20:36:31 94 ----a-w C:\Qoobox\Quarantine\C\Program Files\Need2Find\bar\Cache\042AA379.vir
2007-11-21 07:03:43 . 2007-11-26 06:52:12 87,608 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Joshua\Application Data\inst.exe.vir
2007-07-12 18:49:37 . 2007-07-12 18:49:37 167 ----a-w C:\Qoobox\Quarantine\C\Program Files\Need2Find\bar\2.bin\PARTNER.DAT.vir
2007-07-12 18:49:36 . 2007-07-12 18:49:36 4,928 ----a-w C:\Qoobox\Quarantine\C\Program Files\Need2Find\bar\2.bin\N2NTSTBR.JAR.vir
2007-07-12 18:49:36 . 2007-07-12 18:49:36 4,793 ----a-w C:\Qoobox\Quarantine\C\Program Files\Need2Find\bar\2.bin\N2FFXTBR.JAR.vir
2005-08-02 21:24:02 . 2005-08-02 21:24:02 53,299 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\pthreadVC.dll.vir
2005-08-02 21:18:46 . 2005-08-02 21:18:46 233,472 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir
2005-08-02 21:10:14 . 2005-08-02 21:10:14 32,512 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\npf.sys.vir
2005-08-02 21:08:10 . 2005-08-02 21:08:10 81,920 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\packet.dll.vir
2005-08-02 21:08:08 . 2005-08-02 21:08:08 61,440 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\wanpacket.dll.vir
2005-06-14 20:18:33 . 2005-06-14 20:18:33 1,024 ----a-w C:\Qoobox\Quarantine\C\Program Files\Need2Find\bar\History\search.vir
2005-06-14 20:18:32 . 2007-07-27 04:42:05 31,904 ----a-w C:\Qoobox\Quarantine\C\Program Files\Need2Find\bar\Settings\prevcfg.htm.vir
2005-06-14 20:18:28 . 2008-07-19 20:37:42 100 ----a-w C:\Qoobox\Quarantine\C\Program Files\Need2Find\bar\Cache\files.ini.vir
2004-07-08 04:18:41 . 2004-07-08 04:18:41 286,720 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\PATCH.EXE.vir

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:49 AM

Posted 15 April 2009 - 03:29 PM

Hello.

Please do the following.

Please delete Combofix you have on your desktop currently. Re-Download it from one of those links and save it to your desktop. After that run the script below.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    File::
    c:\windows\system32\VundoFixSVC.exe
    C:\VundoFix.txt
    Folder::
    C:\VundoFix Backups
    C:\SDFix
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000000
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Refering to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall


Submit File to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Browse to the following location and sumbit the file. (do one line at a time).
  • c:\windows\system32\user32.dll
  • c:\windows\system32\ntoskrnl.exe
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.
Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Post back with:
-Combofix log
-2 Online scanner results
-MBAM log

With regards,
Eextremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#12 warnog

warnog
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 17 April 2009 - 11:36 PM

For some reason i did the scripting like you said but it didn't do anything just sat at the blue blank window at combofix first start. However i did do the other 2 things as you said her are the logs.

a-squared 4.0.0.101 2009.04.17 -
AhnLab-V3 5.0.0.2 2009.04.17 -
AntiVir 7.9.0.143 2009.04.17 -
Antiy-AVL 2.0.3.1 2009.04.17 -
Authentium 5.1.2.4 2009.04.17 -
Avast 4.8.1335.0 2009.04.16 -
AVG 8.5.0.287 2009.04.17 -
BitDefender 7.2 2009.04.17 -
CAT-QuickHeal 10.00 2009.04.17 -
ClamAV 0.94.1 2009.04.17 -
Comodo 1117 2009.04.17 -
DrWeb 4.44.0.09170 2009.04.17 -
eSafe 7.0.17.0 2009.04.13 -
eTrust-Vet 31.6.6455 2009.04.14 -
F-Prot 4.4.4.56 2009.04.16 -
F-Secure 8.0.14470.0 2009.04.17 -
Fortinet 3.117.0.0 2009.04.17 -
GData 19 2009.04.17 -
Ikarus T3.1.1.49.0 2009.04.17 -
K7AntiVirus 7.10.707 2009.04.17 -
Kaspersky 7.0.0.125 2009.04.17 -
McAfee 5587 2009.04.17 -
McAfee+Artemis 5587 2009.04.17 -
McAfee-GW-Edition 6.7.6 2009.04.17 -
Microsoft 1.4502 2009.04.17 -
NOD32 4017 2009.04.17 -
Norman 6.00.06 2009.04.17 -
nProtect 2009.1.8.0 2009.04.17 -
Panda 10.0.0.14 2009.04.17 -
PCTools 4.4.2.0 2009.04.17 -
Prevx1 V2 2009.04.17 -
Rising 21.25.44.00 2009.04.17 -
Sophos 4.40.0 2009.04.17 -
Sunbelt 3.2.1858.2 2009.04.17 -
Symantec 1.4.4.12 2009.04.17 -
TheHacker 6.3.4.0.309 2009.04.16 -
TrendMicro 8.700.0.1004 2009.04.17 -
VBA32 3.12.10.2 2009.04.12 -
ViRobot 2009.4.17.1698 2009.04.17 -
VirusBuster 4.6.5.0 2009.04.17 -
Additional information
File size: 528896 bytes
MD5...: 1bd18b332a07fd10bf0322c352a78078
SHA1..: e1b5d44c563f92fc2153801b9bd82745263e8381
SHA256: e64d4586779aa7fdd7844660c2dd3d83fa629e919177a998c31be1bb61da7365
SHA512: 3585699d9cd251e56ee56a7fdba007adff4fc246f8a9c9004b57fde6fb89c483
a46067214216f1bbf42c5c092765c715091ff3d7a8b2716d80b7e868ff4556a8
ssdeep: 6144:7v6HXieIUMLEoZWKHNRyUFmxaPEaEnEaLBn1U/B2eLrmWguGIyKbCZVDx2m
ZTXTz:7KAguCUHcaWEaleDrmDuGIrCZ1Y
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xc72e
timedatestamp.....: 0x3dde907e (Fri Nov 22 20:15:58 2002)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x53249 0x53400 6.70 ad68b1f91cc5e1272a23dc4c756f8160
.data 0x55000 0x1188 0x600 4.01 0a58519964375a5d7531402ebfc61c19
.rsrc 0x57000 0x2a090 0x2a200 4.97 ef156243e8ed109b1103debc1c8dade9
.reloc 0x82000 0x3024 0x3200 6.32 e3a9353f5a53fb32ea0d7b3d3dc05f01

( 3 imports )
> ntdll.dll: RtlUnwind, RtlNtStatusToDosError, NlsAnsiCodePage, RtlAllocateHeap, qsort, RtlMultiByteToUnicodeSize, LdrFlushAlternateResourceModules, RtlPcToFileHeader, wcsrchr, NtRaiseHardError, RtlIsNameLegalDOS8Dot3, strrchr, sscanf, NtQueryKey, NtEnumerateValueKey, RtlRunEncodeUnicodeString, RtlRunDecodeUnicodeString, _wcsicmp, CsrAllocateCaptureBuffer, CsrCaptureMessageBuffer, CsrFreeCaptureBuffer, NtOpenThreadToken, NtOpenProcessToken, NtQueryInformationToken, CsrClientCallServer, memmove, NtCallbackReturn, RtlUnicodeToMultiByteSize, RtlActivateActivationContextUnsafeFast, RtlDeactivateActivationContextUnsafeFast, RtlInitializeCriticalSection, NtQuerySystemInformation, swprintf, RtlDeleteCriticalSection, RtlImageNtHeader, CsrClientConnectToServer, NtYieldExecution, NtCreateKey, NtSetValueKey, NtDeleteValueKey, RtlQueryInformationActiveActivationContext, RtlReleaseActivationContext, RtlWalkFrameChain, RtlFreeHeap, wcsncpy, wcscmp, wcstoul, wcscat, RtlInitAnsiString, RtlAnsiStringToUnicodeString, RtlCreateUnicodeStringFromAsciiz, RtlFreeUnicodeString, NtOpenDirectoryObject, _chkstk, wcscpy, wcsncat, NtSetSecurityObject, NtQuerySecurityObject, NtQueryInformationProcess, wcstol, wcslen, RtlFindActivationContextSectionString, RtlMultiByteToUnicodeN, RtlUnicodeToMultiByteN, RtlLeaveCriticalSection, RtlEnterCriticalSection, RtlOpenCurrentUser, NtEnumerateKey, NtOpenKey, NtClose, NtQueryValueKey, RtlInitUnicodeString, RtlUnicodeStringToInteger
> KERNEL32.dll: LocalSize, RegisterWaitForInputIdle, SizeofResource, LoadResource, FindResourceExW, FindResourceExA, GetModuleHandleW, DisableThreadLibraryCalls, GetCurrentThreadId, IsDBCSLeadByteEx, SearchPathW, ExpandEnvironmentStringsW, LoadLibraryExW, GlobalAddAtomW, GetSystemDirectoryW, GetComputerNameW, GetCurrentProcess, GetCurrentThread, ExitThread, GetExitCodeThread, CreateThread, HeapReAlloc, GlobalHandle, FoldStringW, Sleep, GetStringTypeW, GetStringTypeA, GetCPInfo, HeapSize, CloseHandle, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, GetFileSize, ReadFile, SetFileTime, GetFileTime, GetSystemWindowsDirectoryW, CopyFileW, MoveFileW, DeleteFileW, CreateProcessW, AddAtomA, AddAtomW, GetAtomNameW, GetAtomNameA, IsValidLocale, ConvertDefaultLocale, CompareStringW, GetCurrentDirectoryW, SetCurrentDirectoryW, lstrlenW, GetLogicalDrives, FindClose, FindNextFileW, FindFirstFileW, GetThreadLocale, VirtualFree, ProcessIdToSessionId, GetCurrentProcessId, InterlockedCompareExchange, IsDBCSLeadByte, LCMapStringW, QueryPerformanceCounter, QueryPerformanceFrequency, GetTickCount, lstrlenA, GlobalFindAtomA, GetModuleFileNameA, GetModuleHandleA, GlobalAddAtomA, DelayLoadFailureHook, LoadLibraryA, LocalLock, LocalReAlloc, GetACP, GetOEMCP, InterlockedIncrement, InterlockedDecrement, SetLastError, GlobalFindAtomW, GlobalAlloc, MultiByteToWideChar, GlobalReAlloc, GetLastError, LoadLibraryW, GetProcAddress, FreeLibrary, lstrcpynW, CreateFileW, WritePrivateProfileStringW, lstrcmpiW, SetEvent, WaitForMultipleObjectsEx, WideCharToMultiByte, GlobalFlags, GetLocaleInfoW, GlobalFree, GetModuleFileNameW, GlobalGetAtomNameW, GlobalGetAtomNameA, InterlockedExchange, DeleteAtom, LocalAlloc, GlobalDeleteAtom, LocalFree, GlobalSize, GlobalLock, GlobalUnlock, GetUserDefaultLCID, HeapAlloc, HeapFree, lstrcpyW, lstrcatW, GetPrivateProfileStringW, LocalUnlock
> GDI32.dll: GetClipRgn, ExtSelectClipRgn, GetHFONT, GetMapMode, SetGraphicsMode, GetClipBox, CreateRectRgn, CreateRectRgnIndirect, SetLayout, GetBoundsRect, ExcludeClipRect, PlayEnhMetaFile, CreatePen, Ellipse, CreateEllipticRgn, GdiFixUpHandle, GetTextCharacterExtra, SetTextCharacterExtra, GetCurrentObject, GetViewportOrgEx, SetViewportOrgEx, PolyPatBlt, CreateBrushIndirect, SetBoundsRect, CopyEnhMetaFileW, CopyMetaFileW, GetPaletteEntries, CreatePalette, SetPaletteEntries, bInitSystemAndFontsDirectoriesW, bMakePathNameW, cGetTTFFromFOT, GetPixel, ExtTextOutA, GetTextCharsetInfo, QueryFontAssocStatus, GetCharWidthInfo, GetCharWidthA, GetTextFaceW, GetCharABCWidthsA, GetCharABCWidthsW, SetBrushOrgEx, CreateFontIndirectW, EnumFontsW, GetTextFaceAliasW, GetTextMetricsW, GetTextColor, GetBkMode, GetViewportExtEx, GetWindowExtEx, GdiGetCharDimensions, GdiGetCodePage, GetTextCharset, GdiPrinterThunk, GdiAddFontResourceW, TranslateCharsetInfo, SaveDC, OffsetWindowOrgEx, RestoreDC, ExtTextOutW, GetObjectType, GetDIBits, CreateDIBSection, SetStretchBltMode, SelectPalette, RealizePalette, SetDIBits, CreateDCW, CreateDIBitmap, CreateCompatibleBitmap, SetBitmapBits, DeleteDC, GdiValidateHandle, GdiProcessSetup, CreateSolidBrush, GetStockObject, CreateCompatibleDC, GdiConvertBitmapV5, GdiCreateLocalEnhMetaFile, GdiCreateLocalMetaFilePict, GetRgnBox, CombineRgn, OffsetRgn, MirrorRgn, EnableEUDC, GdiConvertToDevmodeW, GetTextExtentPointA, GetTextExtentPointW, CreateBitmap, SetLayoutWidth, PatBlt, TextOutA, TextOutW, BitBlt, GdiConvertAndCheckDC, StretchBlt, SetRectRgn, GdiReleaseDC, GdiConvertEnhMetaFile, GdiConvertMetaFilePict, DeleteEnhMetaFile, DeleteMetaFile, DeleteObject, GetDIBColorTable, GetDeviceCaps, StretchDIBits, GetLayout, SetBkColor, SetTextColor, GetObjectW, GetBkColor, SetBkMode, SelectObject, IntersectClipRect, GetTextAlign, SetTextAlign, GdiDllInitialize

( 732 exports )
ActivateKeyboardLayout, AdjustWindowRect, AdjustWindowRectEx, AlignRects, AllowForegroundActivation, AllowSetForegroundWindow, AnimateWindow, AnyPopup, AppendMenuA, AppendMenuW, ArrangeIconicWindows, AttachThreadInput, BeginDeferWindowPos, BeginPaint, BlockInput, BringWindowToTop, BroadcastSystemMessage, BroadcastSystemMessageA, BroadcastSystemMessageExA, BroadcastSystemMessageExW, BroadcastSystemMessageW, BuildReasonArray, CalcMenuBar, CallMsgFilter, CallMsgFilterA, CallMsgFilterW, CallNextHookEx, CallWindowProcA, CallWindowProcW, CascadeChildWindows, CascadeWindows, ChangeClipboardChain, ChangeDisplaySettingsA, ChangeDisplaySettingsExA, ChangeDisplaySettingsExW, ChangeDisplaySettingsW, ChangeMenuA, ChangeMenuW, CharLowerA, CharLowerBuffA, CharLowerBuffW, CharLowerW, CharNextA, CharNextExA, CharNextW, CharPrevA, CharPrevExA, CharPrevW, CharToOemA, CharToOemBuffA, CharToOemBuffW, CharToOemW, CharUpperA, CharUpperBuffA, CharUpperBuffW, CharUpperW, CheckDlgButton, CheckMenuItem, CheckMenuRadioItem, CheckRadioButton, ChildWindowFromPoint, ChildWindowFromPointEx, CliImmSetHotKey, ClientThreadSetup, ClientToScreen, ClipCursor, CloseClipboard, CloseDesktop, CloseWindow, CloseWindowStation, CopyAcceleratorTableA, CopyAcceleratorTableW, CopyIcon, CopyImage, CopyRect, CountClipboardFormats, CreateAcceleratorTableA, CreateAcceleratorTableW, CreateCaret, CreateCursor, CreateDesktopA, CreateDesktopW, CreateDialogIndirectParamA, CreateDialogIndirectParamAorW, CreateDialogIndirectParamW, CreateDialogParamA, CreateDialogParamW, CreateIcon, CreateIconFromResource, CreateIconFromResourceEx, CreateIconIndirect, CreateMDIWindowA, CreateMDIWindowW, CreateMenu, CreatePopupMenu, CreateSystemThreads, CreateWindowExA, CreateWindowExW, CreateWindowStationA, CreateWindowStationW, CsrBroadcastSystemMessageExW, CtxInitUser32, DdeAbandonTransaction, DdeAccessData, DdeAddData, DdeClientTransaction, DdeCmpStringHandles, DdeConnect, DdeConnectList, DdeCreateDataHandle, DdeCreateStringHandleA, DdeCreateStringHandleW, DdeDisconnect, DdeDisconnectList, DdeEnableCallback, DdeFreeDataHandle, DdeFreeStringHandle, DdeGetData, DdeGetLastError, DdeGetQualityOfService, DdeImpersonateClient, DdeInitializeA, DdeInitializeW, DdeKeepStringHandle, DdeNameService, DdePostAdvise, DdeQueryConvInfo, DdeQueryNextServer, DdeQueryStringA, DdeQueryStringW, DdeReconnect, DdeSetQualityOfService, DdeSetUserHandle, DdeUnaccessData, DdeUninitialize, DefDlgProcA, DefDlgProcW, DefFrameProcA, DefFrameProcW, DefMDIChildProcA, DefMDIChildProcW, DefRawInputProc, DefWindowProcA, DefWindowProcW, DeferWindowPos, DeleteMenu, DeregisterShellHookWindow, DestroyAcceleratorTable, DestroyCaret, DestroyCursor, DestroyIcon, DestroyMenu, DestroyReasons, DestroyWindow, DeviceEventWorker, DialogBoxIndirectParamA, DialogBoxIndirectParamAorW, DialogBoxIndirectParamW, DialogBoxParamA, DialogBoxParamW, DisableProcessWindowsGhosting, DispatchMessageA, DispatchMessageW, DisplayExitWindowsWarnings, DlgDirListA, DlgDirListComboBoxA, DlgDirListComboBoxW, DlgDirListW, DlgDirSelectComboBoxExA, DlgDirSelectComboBoxExW, DlgDirSelectExA, DlgDirSelectExW, DragDetect, DragObject, DrawAnimatedRects, DrawCaption, DrawCaptionTempA, DrawCaptionTempW, DrawEdge, DrawFocusRect, DrawFrame, DrawFrameControl, DrawIcon, DrawIconEx, DrawMenuBar, DrawMenuBarTemp, DrawStateA, DrawStateW, DrawTextA, DrawTextExA, DrawTextExW, DrawTextW, EditWndProc, EmptyClipboard, EnableMenuItem, EnableScrollBar, EnableWindow, EndDeferWindowPos, EndDialog, EndMenu, EndPaint, EndTask, EnterReaderModeHelper, EnumChildWindows, EnumClipboardFormats, EnumDesktopWindows, EnumDesktopsA, EnumDesktopsW, EnumDisplayDevicesA, EnumDisplayDevicesW, EnumDisplayMonitors, EnumDisplaySettingsA, EnumDisplaySettingsExA, EnumDisplaySettingsExW, EnumDisplaySettingsW, EnumPropsA, EnumPropsExA, EnumPropsExW, EnumPropsW, EnumThreadWindows, EnumWindowStationsA, EnumWindowStationsW, EnumWindows, EqualRect, ExcludeUpdateRgn, ExitWindowsEx, FillRect, FindWindowA, FindWindowExA, FindWindowExW, FindWindowW, FlashWindow, FlashWindowEx, FrameRect, FreeDDElParam, GetActiveWindow, GetAltTabInfo, GetAltTabInfoA, GetAltTabInfoW, GetAncestor, GetAppCompatFlags, GetAppCompatFlags2, GetAsyncKeyState, GetCapture, GetCaretBlinkTime, GetCaretPos, GetClassInfoA, GetClassInfoExA, GetClassInfoExW, GetClassInfoW, GetClassLongA, GetClassLongW, GetClassNameA, GetClassNameW, GetClassWord, GetClientRect, GetClipCursor, GetClipboardData, GetClipboardFormatNameA, GetClipboardFormatNameW, GetClipboardOwner, GetClipboardSequenceNumber, GetClipboardViewer, GetComboBoxInfo, GetCursor, GetCursorFrameInfo, GetCursorInfo, GetCursorPos, GetDC, GetDCEx, GetDesktopWindow, GetDialogBaseUnits, GetDlgCtrlID, GetDlgItem, GetDlgItemInt, GetDlgItemTextA, GetDlgItemTextW, GetDoubleClickTime, GetFocus, GetForegroundWindow, GetGUIThreadInfo, GetGuiResources, GetIconInfo, GetInputDesktop, GetInputState, GetInternalWindowPos, GetKBCodePage, GetKeyNameTextA, GetKeyNameTextW, GetKeyState, GetKeyboardLayout, GetKeyboardLayoutList, GetKeyboardLayoutNameA, GetKeyboardLayoutNameW, GetKeyboardState, GetKeyboardType, GetLastActivePopup, GetLastInputInfo, GetLayeredWindowAttributes, GetListBoxInfo, GetMenu, GetMenuBarInfo, GetMenuCheckMarkDimensions, GetMenuContextHelpId, GetMenuDefaultItem, GetMenuInfo, GetMenuItemCount, GetMenuItemID, GetMenuItemInfoA, GetMenuItemInfoW, GetMenuItemRect, GetMenuState, GetMenuStringA, GetMenuStringW, GetMessageA, GetMessageExtraInfo, GetMessagePos, GetMessageTime, GetMessageW, GetMonitorInfoA, GetMonitorInfoW, GetMouseMovePointsEx, GetNextDlgGroupItem, GetNextDlgTabItem, GetOpenClipboardWindow, GetParent, GetPriorityClipboardFormat, GetProcessDefaultLayout, GetProcessWindowStation, GetProgmanWindow, GetPropA, GetPropW, GetQueueStatus, GetRawInputBuffer, GetRawInputData, GetRawInputDeviceInfoA, GetRawInputDeviceInfoW, GetRawInputDeviceList, GetReasonTitleFromReasonCode, GetRegisteredRawInputDevices, GetScrollBarInfo, GetScrollInfo, GetScrollPos, GetScrollRange, GetShellWindow, GetSubMenu, GetSysColor, GetSysColorBrush, GetSystemMenu, GetSystemMetrics, GetTabbedTextExtentA, GetTabbedTextExtentW, GetTaskmanWindow, GetThreadDesktop, GetTitleBarInfo, GetTopWindow, GetUpdateRect, GetUpdateRgn, GetUserObjectInformationA, GetUserObjectInformationW, GetUserObjectSecurity, GetWinStationInfo, GetWindow, GetWindowContextHelpId, GetWindowDC, GetWindowInfo, GetWindowLongA, GetWindowLongW, GetWindowModuleFileName, GetWindowModuleFileNameA, GetWindowModuleFileNameW, GetWindowPlacement, GetWindowRect, GetWindowRgn, GetWindowRgnBox, GetWindowTextA, GetWindowTextLengthA, GetWindowTextLengthW, GetWindowTextW, GetWindowThreadProcessId, GetWindowWord, GrayStringA, GrayStringW, HideCaret, HiliteMenuItem, IMPGetIMEA, IMPGetIMEW, IMPQueryIMEA, IMPQueryIMEW, IMPSetIMEA, IMPSetIMEW, ImpersonateDdeClientWindow, InSendMessage, InSendMessageEx, InflateRect, InitializeLpkHooks, InitializeWin32EntryTable, InsertMenuA, InsertMenuItemA, InsertMenuItemW, InsertMenuW, InternalGetWindowText, IntersectRect, InvalidateRect, InvalidateRgn, InvertRect, IsCharAlphaA, IsCharAlphaNumericA, IsCharAlphaNumericW, IsCharAlphaW, IsCharLowerA, IsCharLowerW, IsCharUpperA, IsCharUpperW, IsChild, IsClipboardFormatAvailable, IsDialogMessage, IsDialogMessageA, IsDialogMessageW, IsDlgButtonChecked, IsGUIThread, IsHungAppWindow, IsIconic, IsMenu, IsRectEmpty, IsServerSideWindow, IsWinEventHookInstalled, IsWindow, IsWindowEnabled, IsWindowInDestroy, IsWindowUnicode, IsWindowVisible, IsZoomed, KillSystemTimer, KillTimer, LoadAcceleratorsA, LoadAcceleratorsW, LoadBitmapA, LoadBitmapW, LoadCursorA, LoadCursorFromFileA, LoadCursorFromFileW, LoadCursorW, LoadIconA, LoadIconW, LoadImageA, LoadImageW, LoadKeyboardLayoutA, LoadKeyboardLayoutEx, LoadKeyboardLayoutW, LoadLocalFonts, LoadMenuA, LoadMenuIndirectA, LoadMenuIndirectW, LoadMenuW, LoadRemoteFonts, LoadStringA, LoadStringW, LockSetForegroundWindow, LockWindowStation, LockWindowUpdate, LockWorkStation, LookupIconIdFromDirectory, LookupIconIdFromDirectoryEx, MBToWCSEx, MB_GetString, MapDialogRect, MapVirtualKeyA, MapVirtualKeyExA, MapVirtualKeyExW, MapVirtualKeyW, MapWindowPoints, MenuItemFromPoint, MenuWindowProcA, MenuWindowProcW, MessageBeep, MessageBoxA, MessageBoxExA, MessageBoxExW, MessageBoxIndirectA, MessageBoxIndirectW, MessageBoxTimeoutA, MessageBoxTimeoutW, MessageBoxW, ModifyMenuA, ModifyMenuW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow, MoveWindow, MsgWaitForMultipleObjects, MsgWaitForMultipleObjectsEx, NotifyWinEvent, OemKeyScan, OemToCharA, OemToCharBuffA, OemToCharBuffW, OemToCharW, OffsetRect, OpenClipboard, OpenDesktopA, OpenDesktopW, OpenIcon, OpenInputDesktop, OpenWindowStationA, OpenWindowStationW, PackDDElParam, PaintDesktop, PaintMenuBar, PeekMessageA, PeekMessageW, PostMessageA, PostMessageW, PostQuitMessage, PostThreadMessageA, PostThreadMessageW, PrintWindow, PrivateExtractIconExA, PrivateExtractIconExW, PrivateExtractIconsA, PrivateExtractIconsW, PrivateSetDbgTag, PrivateSetRipFlags, PtInRect, QuerySendMessage, QueryUserCounters, RealChildWindowFromPoint, RealGetWindowClass, RealGetWindowClassA, RealGetWindowClassW, ReasonCodeNeedsBugID, ReasonCodeNeedsComment, RecordShutdownReason, RedrawWindow, RegisterClassA, RegisterClassExA, RegisterClassExW, RegisterClassW, RegisterClipboardFormatA, RegisterClipboardFormatW, RegisterDeviceNotificationA, RegisterDeviceNotificationW, RegisterHotKey, RegisterLogonProcess, RegisterMessagePumpHook, RegisterRawInputDevices, RegisterServicesProcess, RegisterShellHookWindow, RegisterSystemThread, RegisterTasklist, RegisterUserApiHook, RegisterWindowMessageA, RegisterWindowMessageW, ReleaseCapture, ReleaseDC, RemoveMenu, RemovePropA, RemovePropW, ReplyMessage, ResolveDesktopForWOW, ReuseDDElParam, ScreenToClient, ScrollChildren, ScrollDC, ScrollWindow, ScrollWindowEx, SendDlgItemMessageA, SendDlgItemMessageW, SendIMEMessageExA, SendIMEMessageExW, SendInput, SendMessageA, SendMessageCallbackA, SendMessageCallbackW, SendMessageTimeoutA, SendMessageTimeoutW, SendMessageW, SendNotifyMessageA, SendNotifyMessageW, SetActiveWindow, SetCapture, SetCaretBlinkTime, SetCaretPos, SetClassLongA, SetClassLongW, SetClassWord, SetClipboardData, SetClipboardViewer, SetConsoleReserveKeys, SetCursor, SetCursorContents, SetCursorPos, SetDebugErrorLevel, SetDeskWallpaper, SetDlgItemInt, SetDlgItemTextA, SetDlgItemTextW, SetDoubleClickTime, SetFocus, SetForegroundWindow, SetInternalWindowPos, SetKeyboardState, SetLastErrorEx, SetLayeredWindowAttributes, SetLogonNotifyWindow, SetMenu, SetMenuContextHelpId, SetMenuDefaultItem, SetMenuInfo, SetMenuItemBitmaps, SetMenuItemInfoA, SetMenuItemInfoW, SetMessageExtraInfo, SetMessageQueue, SetParent, SetProcessDefaultLayout, SetProcessWindowStation, SetProgmanWindow, SetPropA, SetPropW, SetRect, SetRectEmpty, SetScrollInfo, SetScrollPos, SetScrollRange, SetShellWindow, SetShellWindowEx, SetSysColors, SetSysColorsTemp, SetSystemCursor, SetSystemMenu, SetSystemTimer, SetTaskmanWindow, SetThreadDesktop, SetTimer, SetUserObjectInformationA, SetUserObjectInformationW, SetUserObjectSecurity, SetWinEventHook, SetWindowContextHelpId, SetWindowLongA, SetWindowLongW, SetWindowPlacement, SetWindowPos, SetWindowRgn, SetWindowStationUser, SetWindowTextA, SetWindowTextW, SetWindowWord, SetWindowsHookA, SetWindowsHookExA, SetWindowsHookExW, SetWindowsHookW, ShowCaret, ShowCursor, ShowOwnedPopups, ShowScrollBar, ShowStartGlass, ShowWindow, ShowWindowAsync, SoftModalMessageBox, SubtractRect, SwapMouseButton, SwitchDesktop, SwitchToThisWindow, SystemParametersInfoA, SystemParametersInfoW, TabbedTextOutA, TabbedTextOutW, TileChildWindows, TileWindows, ToAscii, ToAsciiEx, ToUnicode, ToUnicodeEx, TrackMouseEvent, TrackPopupMenu, TrackPopupMenuEx, TranslateAccelerator, TranslateAcceleratorA, TranslateAcceleratorW, TranslateMDISysAccel, TranslateMessage, TranslateMessageEx, UnhookWinEvent, UnhookWindowsHook, UnhookWindowsHookEx, UnionRect, UnloadKeyboardLayout, UnlockWindowStation, UnpackDDElParam, UnregisterClassA, UnregisterClassW, UnregisterDeviceNotification, UnregisterHotKey, UnregisterMessagePumpHook, UnregisterUserApiHook, UpdateLayeredWindow, UpdatePerUserSystemParameters, UpdateWindow, User32InitializeImmEntryTable, UserClientDllInitialize, UserHandleGrantAccess, UserLpkPSMTextOut, UserLpkTabbedTextOut, UserRealizePalette, UserRegisterWowHandlers, VRipOutput, VTagOutput, ValidateRect, ValidateRgn, VkKeyScanA, VkKeyScanExA, VkKeyScanExW, VkKeyScanW, WCSToMBEx, WINNLSEnableIME, WINNLSGetEnableStatus, WINNLSGetIMEHotkey, WaitForInputIdle, WaitMessage, Win32PoolAllocationStats, WinHelpA, WinHelpW, WindowFromDC, WindowFromPoint, keybd_event, mouse_event, wsprintfA, wsprintfW, wvsprintfA, wvsprintfW
RDS...: NSRL Reference Data Set




a-squared 4.0.0.101 2009.04.18 -
AhnLab-V3 5.0.0.2 2009.04.17 -
AntiVir 7.9.0.143 2009.04.17 -
Antiy-AVL 2.0.3.1 2009.04.17 -
Authentium 5.1.2.4 2009.04.18 -
Avast 4.8.1335.0 2009.04.17 -
AVG 8.5.0.287 2009.04.17 -
BitDefender 7.2 2009.04.18 -
CAT-QuickHeal 10.00 2009.04.17 -
ClamAV 0.94.1 2009.04.18 -
Comodo 1117 2009.04.17 -
DrWeb 4.44.0.09170 2009.04.18 -
eSafe 7.0.17.0 2009.04.13 -
eTrust-Vet 31.6.6455 2009.04.14 -
F-Prot 4.4.4.56 2009.04.17 -
F-Secure 8.0.14470.0 2009.04.17 -
Fortinet 3.117.0.0 2009.04.18 -
GData 19 2009.04.18 -
Ikarus T3.1.1.49.0 2009.04.18 -
K7AntiVirus 7.10.707 2009.04.17 -
Kaspersky 7.0.0.125 2009.04.18 -
McAfee 5587 2009.04.17 -
McAfee+Artemis 5587 2009.04.17 -
McAfee-GW-Edition 6.7.6 2009.04.18 -
Microsoft 1.4502 2009.04.17 -
NOD32 4018 2009.04.18 -
Norman 6.00.06 2009.04.17 -
nProtect 2009.1.8.0 2009.04.18 -
Panda 10.0.0.14 2009.04.17 -
PCTools 4.4.2.0 2009.04.17 -
Prevx1 V2 2009.04.18 -
Rising 21.25.44.00 2009.04.17 -
Sophos 4.40.0 2009.04.18 -
Sunbelt 3.2.1858.2 2009.04.17 -
Symantec 1.4.4.12 2009.04.18 -
TheHacker 6.3.4.0.309 2009.04.16 -
TrendMicro 8.700.0.1004 2009.04.17 -
VBA32 3.12.10.2 2009.04.12 -
ViRobot 2009.4.17.1698 2009.04.17 -
VirusBuster 4.6.5.0 2009.04.17 -
Additional information
File size: 1879936 bytes
MD5...: db499be143d626fc8778be7e18185eb3
SHA1..: 969bcadfd6cc13c22f938880e5e24ea3aa6c855d
SHA256: 86264cc3294a33998f28ff141ebf9c33df634d9ec046375d30c263ec92c4ddb7
SHA512: b19944abb9a488f7e0590c30d249d6e62d903c06f12087ade775eeb0be8b1bad
f7ad380f85237cdaf961a408b295f2966d5af4be25b0cbb053e0e911a0f001ad
ssdeep: 24576:3w47CSgqaGrJXD4WHVZm3r2umzl2TbH2+iDDtVGfv9QDtvNAaFXuJCk1Xo
Kqqcod:3DTykoMDnVtvKa4bXoK/e2GMgrQ
PEiD..: -
TrID..: File type identification
OS/2 Executable (generic) (52.8%)
Win32 Executable Generic (32.0%)
Generic Win/DOS Executable (7.5%)
DOS Executable Generic (7.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x190dc8
timedatestamp.....: 0x3df93310 (Fri Dec 13 01:08:32 2002)
machinetype.......: 0x14c (I386)

( 21 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x580 0x5cf30 0x5cf80 6.62 3c345a20f2ec810a329a116a8d229489
POOLMI 0x5d500 0xfb3 0x1000 6.38 98922f300ada8ea8c43696f0e7c2af6a
MISYSPTE 0x5e500 0x5f6 0x600 6.43 02dd0cb6e93a372980fa3b5264abd5fe
POOLCODE 0x5eb00 0x1236 0x1280 6.50 bcc52b1c77bc3755bc42842105eb7740
.data 0x5fd80 0x12860 0x12880 0.57 7a5ea08284dcae0345389fee95849900
PAGE 0x72600 0xd5046 0xd5080 6.62 aec07c67f336727120e7f9ba37d8b54f
PAGELK 0x147680 0xd574 0xd580 6.77 df3cce81001b73350596ab322443dc84
PAGEVRFY 0x154c00 0xdfc2 0xe000 6.72 ff5f78fc77283f2a03c08a2d1958df23
PAGEWMI 0x162c00 0x1629 0x1680 6.45 6ba1a666d42bd586f7554a094753c44e
PAGEKD 0x164280 0x3a6d 0x3a80 6.55 d6b1b50449ac882a822b444876a7345b
PAGESPEC 0x167d00 0xa7e 0xa80 6.46 1e6c820ac03ff7af3df1e2a10fd2d8ac
PAGEHDLS 0x168780 0x1d1d 0x1d80 6.19 deabc6ff564c0da819a45d42d6a21a32
.edata 0x16a500 0xb173 0xb180 6.02 dab01a5065001c4e113739e4c165747e
PAGEDATA 0x175680 0x1590 0x1600 2.65 d632efbd37ac2df876ce81193053d911
PAGEKD 0x176c80 0xc021 0xc080 0.00 a58f2f3dbc3c5c3fc26062204e07bc29
PAGECONS 0x182d00 0x18c 0x200 2.23 4b7153bc852b3374f095f9e4dccc3431
PAGEVRFC 0x182f00 0x341d 0x3480 5.23 eb118ca798eaa7356bb11059f72ca3a9
PAGEVRFD 0x186380 0x648 0x680 2.72 fce61d4cfadb64d352be0337b51fd75c
INIT 0x186a00 0x27d4a 0x27d80 6.51 1c8ce67003f905c5c76c590e9f0e333a
.rsrc 0x1ae780 0xd208 0xd280 5.72 0a9030d1465ee35d533b527e0f825ca6
.reloc 0x1bba00 0xf518 0xf580 6.71 fc4aa24063e16ed22ccf2a9ac108ca61

( 3 imports )
> HAL.dll: HalReportResourceUsage, HalAllProcessorsStarted, HalQueryRealTimeClock, HalAllocateAdapterChannel, KeStallExecutionProcessor, HalTranslateBusAddress, KfReleaseSpinLock, KfAcquireSpinLock, HalGetBusDataByOffset, HalSetBusDataByOffset, KeQueryPerformanceCounter, HalReturnToFirmware, READ_PORT_UCHAR, READ_PORT_USHORT, READ_PORT_ULONG, WRITE_PORT_UCHAR, WRITE_PORT_USHORT, WRITE_PORT_ULONG, HalInitializeProcessor, HalCalibratePerformanceCounter, HalSetRealTimeClock, HalHandleNMI, HalBeginSystemInterrupt, HalEndSystemInterrupt, KeRaiseIrqlToSynchLevel, KeAcquireInStackQueuedSpinLockRaiseToSynch, HalInitSystem, HalDisableSystemInterrupt, HalEnableSystemInterrupt, KeRaiseIrql, KeLowerIrql, HalClearSoftwareInterrupt, KeReleaseSpinLock, KeAcquireSpinLock, ExTryToAcquireFastMutex, KeAcquireSpinLockRaiseToSynch, KeFlushWriteBuffer, HalProcessorIdle, HalReadDmaCounter, IoMapTransfer, IoFreeMapRegisters, IoFreeAdapterChannel, IoFlushAdapterBuffers, HalFreeCommonBuffer, HalAllocateCommonBuffer, HalAllocateCrashDumpRegisters, HalGetAdapter, HalSetTimeIncrement, HalGetEnvironmentVariable, HalSetEnvironmentVariable, KfRaiseIrql, HalGetInterruptVector, KeGetCurrentIrql, HalRequestSoftwareInterrupt, KeAcquireInStackQueuedSpinLock, KeReleaseInStackQueuedSpinLock, ExAcquireFastMutex, ExReleaseFastMutex, KeRaiseIrqlToDpcLevel, HalSystemVectorDispatchEntry, KfLowerIrql, HalStartProfileInterrupt, HalSetProfileInterval, HalStopProfileInterrupt
> BOOTVID.dll: VidInitialize, VidDisplayString, VidSetTextColor, VidSolidColorFill, VidBitBlt, VidBufferToScreenBlt, VidScreenToBufferBlt, VidResetDisplay, VidCleanUp, VidSetScrollRegion
> KDCOM.dll: KdD0Transition, KdD3Transition, KdRestore, KdReceivePacket, KdDebuggerInitialize0, KdSave, KdDebuggerInitialize1, KdSendPacket

( 1458 exports )
CcCanIWrite, CcCopyRead, CcCopyWrite, CcDeferWrite, CcFastCopyRead, CcFastCopyWrite, CcFastMdlReadWait, CcFastReadNotPossible, CcFastReadWait, CcFlushCache, CcGetDirtyPages, CcGetFileObjectFromBcb, CcGetFileObjectFromSectionPtrs, CcGetFlushedValidData, CcGetLsnForFileObject, CcInitializeCacheMap, CcIsThereDirtyData, CcMapData, CcMdlRead, CcMdlReadComplete, CcMdlWriteAbort, CcMdlWriteComplete, CcPinMappedData, CcPinRead, CcPrepareMdlWrite, CcPreparePinWrite, CcPurgeCacheSection, CcRemapBcb, CcRepinBcb, CcScheduleReadAhead, CcSetAdditionalCacheAttributes, CcSetBcbOwnerPointer, CcSetDirtyPageThreshold, CcSetDirtyPinnedData, CcSetFileSizes, CcSetLogHandleForFile, CcSetReadAheadGranularity, CcUninitializeCacheMap, CcUnpinData, CcUnpinDataForThread, CcUnpinRepinnedBcb, CcWaitForCurrentLazyWriterActivity, CcZeroData, CmRegisterCallback, CmUnRegisterCallback, DbgBreakPoint, DbgBreakPointWithStatus, DbgLoadImageSymbols, DbgPrint, DbgPrintEx, DbgPrintReturnControlC, DbgPrompt, DbgQueryDebugFilterState, DbgSetDebugFilterState, ExAcquireFastMutexUnsafe, ExAcquireResourceExclusiveLite, ExAcquireResourceSharedLite, ExAcquireRundownProtection, ExAcquireSharedStarveExclusive, ExAcquireSharedWaitForExclusive, ExAllocateFromPagedLookasideList, ExAllocatePool, ExAllocatePoolWithQuota, ExAllocatePoolWithQuotaTag, ExAllocatePoolWithTag, ExAllocatePoolWithTagPriority, ExConvertExclusiveToSharedLite, ExCreateCallback, ExDeleteNPagedLookasideList, ExDeletePagedLookasideList, ExDeleteResourceLite, ExDesktopObjectType, ExDisableResourceBoostLite, ExEnumHandleTable, ExEventObjectType, ExExtendZone, ExFreePool, ExFreePoolWithTag, ExFreeToPagedLookasideList, ExGetCurrentProcessorCounts, ExGetCurrentProcessorCpuUsage, ExGetExclusiveWaiterCount, ExGetPreviousMode, ExGetSharedWaiterCount, ExInitializeNPagedLookasideList, ExInitializePagedLookasideList, ExInitializeResourceLite, ExInitializeRundownProtection, ExInitializeZone, ExInterlockedAddLargeInteger, ExInterlockedAddLargeStatistic, ExInterlockedAddUlong, ExInterlockedCompareExchange64, ExInterlockedDecrementLong, ExInterlockedExchangeUlong, ExInterlockedExtendZone, ExInterlockedFlushSList, ExInterlockedIncrementLong, ExInterlockedInsertHeadList, ExInterlockedInsertTailList, ExInterlockedPopEntryList, ExInterlockedPopEntrySList, ExInterlockedPushEntryList, ExInterlockedPushEntrySList, ExInterlockedRemoveHeadList, ExIsProcessorFeaturePresent, ExIsResourceAcquiredExclusiveLite, ExIsResourceAcquiredSharedLite, ExLocalTimeToSystemTime, ExNotifyCallback, ExQueryPoolBlockSize, ExQueueWorkItem, ExRaiseAccessViolation, ExRaiseDatatypeMisalignment, ExRaiseException, ExRaiseHardError, ExRaiseStatus, ExReInitializeRundownProtection, ExRegisterCallback, ExReinitializeResourceLite, ExReleaseFastMutexUnsafe, ExReleaseResourceForThreadLite, ExReleaseResourceLite, ExReleaseRundownProtection, ExRundownCompleted, ExSemaphoreObjectType, ExSetResourceOwnerPointer, ExSetTimerResolution, ExSystemExceptionFilter, ExSystemTimeToLocalTime, ExUnregisterCallback, ExUuidCreate, ExVerifySuite, ExWaitForRundownProtectionRelease, ExWindowStationObjectType, ExfInterlockedAddUlong, ExfInterlockedCompareExchange64, ExfInterlockedInsertHeadList, ExfInterlockedInsertTailList, ExfInterlockedPopEntryList, ExfInterlockedPushEntryList, ExfInterlockedRemoveHeadList, Exfi386InterlockedDecrementLong, Exfi386InterlockedExchangeUlong, Exfi386InterlockedIncrementLong, Exi386InterlockedDecrementLong, Exi386InterlockedExchangeUlong, Exi386InterlockedIncrementLong, FsRtlAcquireFileExclusive, FsRtlAddLargeMcbEntry, FsRtlAddMcbEntry, FsRtlAddToTunnelCache, FsRtlAllocateFileLock, FsRtlAllocatePool, FsRtlAllocatePoolWithQuota, FsRtlAllocatePoolWithQuotaTag, FsRtlAllocatePoolWithTag, FsRtlAllocateResource, FsRtlAreNamesEqual, FsRtlBalanceReads, FsRtlCheckLockForReadAccess, FsRtlCheckLockForWriteAccess, FsRtlCheckOplock, FsRtlCopyRead, FsRtlCopyWrite, FsRtlCurrentBatchOplock, FsRtlDeleteKeyFromTunnelCache, FsRtlDeleteTunnelCache, FsRtlDeregisterUncProvider, FsRtlDissectDbcs, FsRtlDissectName, FsRtlDoesDbcsContainWildCards, FsRtlDoesNameContainWildCards, FsRtlFastCheckLockForRead, FsRtlFastCheckLockForWrite, FsRtlFastUnlockAll, FsRtlFastUnlockAllByKey, FsRtlFastUnlockSingle, FsRtlFindInTunnelCache, FsRtlFreeFileLock, FsRtlGetFileSize, FsRtlGetNextFileLock, FsRtlGetNextLargeMcbEntry, FsRtlGetNextMcbEntry, FsRtlIncrementCcFastReadNoWait, FsRtlIncrementCcFastReadNotPossible, FsRtlIncrementCcFastReadResourceMiss, FsRtlIncrementCcFastReadWait, FsRtlInitializeFileLock, FsRtlInitializeLargeMcb, FsRtlInitializeMcb, FsRtlInitializeOplock, FsRtlInitializeTunnelCache, FsRtlInsertPerFileObjectContext, FsRtlInsertPerStreamContext, FsRtlIsDbcsInExpression, FsRtlIsFatDbcsLegal, FsRtlIsHpfsDbcsLegal, FsRtlIsNameInExpression, FsRtlIsNtstatusExpected, FsRtlIsPagingFile, FsRtlIsTotalDeviceFailure, FsRtlLegalAnsiCharacterArray, FsRtlLookupLargeMcbEntry, FsRtlLookupLastLargeMcbEntry, FsRtlLookupLastLargeMcbEntryAndIndex, FsRtlLookupLastMcbEntry, FsRtlLookupMcbEntry, FsRtlLookupPerFileObjectContext, FsRtlLookupPerStreamContextInternal, FsRtlMdlRead, FsRtlMdlReadComplete, FsRtlMdlReadCompleteDev, FsRtlMdlReadDev, FsRtlMdlWriteComplete, FsRtlMdlWriteCompleteDev, FsRtlNormalizeNtstatus, FsRtlNotifyChangeDirectory, FsRtlNotifyCleanup, FsRtlNotifyFilterChangeDirectory, FsRtlNotifyFilterReportChange, FsRtlNotifyFullChangeDirectory, FsRtlNotifyFullReportChange, FsRtlNotifyInitializeSync, FsRtlNotifyReportChange, FsRtlNotifyUninitializeSync, FsRtlNotifyVolumeEvent, FsRtlNumberOfRunsInLargeMcb, FsRtlNumberOfRunsInMcb, FsRtlOplockFsctrl, FsRtlOplockIsFastIoPossible, FsRtlPostPagingFileStackOverflow, FsRtlPostStackOverflow, FsRtlPrepareMdlWrite, FsRtlPrepareMdlWriteDev, FsRtlPrivateLock, FsRtlProcessFileLock, FsRtlRegisterFileSystemFilterCallbacks, FsRtlRegisterUncProvider, FsRtlReleaseFile, FsRtlRemoveLargeMcbEntry, FsRtlRemoveMcbEntry, FsRtlRemovePerFileObjectContext, FsRtlRemovePerStreamContext, FsRtlResetLargeMcb, FsRtlSplitLargeMcb, FsRtlSyncVolumes, FsRtlTeardownPerStreamContexts, FsRtlTruncateLargeMcb, FsRtlTruncateMcb, FsRtlUninitializeFileLock, FsRtlUninitializeLargeMcb, FsRtlUninitializeMcb, FsRtlUninitializeOplock, HalDispatchTable, HalExamineMBR, HalPrivateDispatchTable, HeadlessDispatch, InbvAcquireDisplayOwnership, InbvCheckDisplayOwnership, InbvDisplayString, InbvEnableBootDriver, InbvEnableDisplayString, InbvInstallDisplayStringFilter, InbvIsBootDriverInstalled, InbvNotifyDisplayOwnershipLost, InbvResetDisplay, InbvSetScrollRegion, InbvSetTextColor, InbvSolidColorFill, InitSafeBootMode, InterlockedCompareExchange, InterlockedDecrement, InterlockedExchange, InterlockedExchangeAdd, InterlockedIncrement, InterlockedPopEntrySList, InterlockedPushEntrySList, IoAcquireCancelSpinLock, IoAcquireRemoveLockEx, IoAcquireVpbSpinLock, IoAdapterObjectType, IoAllocateAdapterChannel, IoAllocateController, IoAllocateDriverObjectExtension, IoAllocateErrorLogEntry, IoAllocateIrp, IoAllocateMdl, IoAllocateWorkItem, IoAssignDriveLetters, IoAssignResources, IoAttachDevice, IoAttachDeviceByPointer, IoAttachDeviceToDeviceStack, IoAttachDeviceToDeviceStackSafe, IoBuildAsynchronousFsdRequest, IoBuildDeviceIoControlRequest, IoBuildPartialMdl, IoBuildSynchronousFsdRequest, IoCallDriver, IoCancelFileOpen, IoCancelIrp, IoCheckDesiredAccess, IoCheckEaBufferValidity, IoCheckFunctionAccess, IoCheckQuerySetFileInformation, IoCheckQuerySetVolumeInformation, IoCheckQuotaBufferValidity, IoCheckShareAccess, IoCompleteRequest, IoConnectInterrupt, IoCreateController, IoCreateDevice, IoCreateDisk, IoCreateDriver, IoCreateFile, IoCreateFileSpecifyDeviceObjectHint, IoCreateNotificationEvent, IoCreateStreamFileObject, IoCreateStreamFileObjectEx, IoCreateStreamFileObjectLite, IoCreateSymbolicLink, IoCreateSynchronizationEvent, IoCreateUnprotectedSymbolicLink, IoCsqInitialize, IoCsqInsertIrp, IoCsqRemoveIrp, IoCsqRemoveNextIrp, IoDeleteController, IoDeleteDevice, IoDeleteDriver, IoDeleteSymbolicLink, IoDetachDevice, IoDeviceHandlerObjectSize, IoDeviceHandlerObjectType, IoDeviceObjectType, IoDisconnectInterrupt, IoDriverObjectType, IoEnqueueIrp, IoEnumerateDeviceObjectList, IoFastQueryNetworkAttributes, IoFileObjectType, IoForwardAndCatchIrp, IoForwardIrpSynchronously, IoFreeController, IoFreeErrorLogEntry, IoFreeIrp, IoFreeMdl, IoFreeWorkItem, IoGetAttachedDevice, IoGetAttachedDeviceReference, IoGetBaseFileSystemDeviceObject, IoGetBootDiskInformation, IoGetConfigurationInformation, IoGetCurrentProcess, IoGetDeviceAttachmentBaseRef, IoGetDeviceInterfaceAlias, IoGetDeviceInterfaces, IoGetDeviceObjectPointer, IoGetDeviceProperty, IoGetDeviceToVerify, IoGetDiskDeviceObject, IoGetDmaAdapter, IoGetDriverObjectExtension, IoGetFileObjectGenericMapping, IoGetInitialStack, IoGetLowerDeviceObject, IoGetRelatedDeviceObject, IoGetRequestorProcess, IoGetRequestorProcessId, IoGetRequestorSessionId, IoGetStackLimits, IoGetTopLevelIrp, IoInitializeIrp, IoInitializeRemoveLockEx, IoInitializeTimer, IoInvalidateDeviceRelations, IoInvalidateDeviceState, IoIsFileOriginRemote, IoIsOperationSynchronous, IoIsSystemThread, IoIsValidNameGraftingBuffer, IoIsWdmVersionAvailable, IoMakeAssociatedIrp, IoOpenDeviceInterfaceRegistryKey, IoOpenDeviceRegistryKey, IoPageRead, IoPnPDeliverServicePowerNotification, IoQueryDeviceDescription, IoQueryFileDosDeviceName, IoQueryFileInformation, IoQueryVolumeInformation, IoQueueThreadIrp, IoQueueWorkItem, IoRaiseHardError, IoRaiseInformationalHardError, IoReadDiskSignature, IoReadOperationCount, IoReadPartitionTable, IoReadPartitionTableEx, IoReadTransferCount, IoRegisterBootDriverReinitialization, IoRegisterDeviceInterface, IoRegisterDriverReinitialization, IoRegisterFileSystem, IoRegisterFsRegistrationChange, IoRegisterLastChanceShutdownNotification, IoRegisterPlugPlayNotification, IoRegisterShutdownNotification, IoReleaseCancelSpinLock, IoReleaseRemoveLockAndWaitEx, IoReleaseRemoveLockEx, IoReleaseVpbSpinLock, IoRemoveShareAccess, IoReportDetectedDevice, IoReportHalResourceUsage, IoReportResourceForDetection, IoReportResourceUsage, IoReportTargetDeviceChange, IoReportTargetDeviceChangeAsynchronous, IoRequestDeviceEject, IoReuseIrp, IoSetCompletionRoutineEx, IoSetDeviceInterfaceState, IoSetDeviceToVerify, IoSetFileOrigin, IoSetHardErrorOrVerifyDevice, IoSetInformation, IoSetIoCompletion, IoSetPartitionInformation, IoSetPartitionInformationEx, IoSetShareAccess, IoSetStartIoAttributes, IoSetSystemPartition, IoSetThreadHardErrorMode, IoSetTopLevelIrp, IoStartNextPacket, IoStartNextPacketByKey, IoStartPacket, IoStartTimer, IoStatisticsLock, IoStopTimer, IoSynchronousInvalidateDeviceRelations, IoSynchronousPageWrite, IoThreadToProcess, IoUnregisterFileSystem, IoUnregisterFsRegistrationChange, IoUnregisterPlugPlayNotification, IoUnregisterShutdownNotification, IoUpdateShareAccess, IoVerifyPartitionTable, IoVerifyVolume, IoVolumeDeviceToDosName, IoWMIAllocateInstanceIds, IoWMIDeviceObjectToInstanceName, IoWMIExecuteMethod, IoWMIHandleToInstanceName, IoWMIOpenBlock, IoWMIQueryAllData, IoWMIQueryAllDataMultiple, IoWMIQuerySingleInstance, IoWMIQuerySingleInstanceMultiple, IoWMIRegistrationControl, IoWMISetNotificationCallback, IoWMISetSingleInstance, IoWMISetSingleItem, IoWMISuggestInstanceName, IoWMIWriteEvent, IoWriteErrorLogEntry, IoWriteOperationCount, IoWritePartitionTable, IoWritePartitionTableEx, IoWriteTransferCount, IofCallDriver, IofCompleteRequest, KdDebuggerEnabled, KdDebuggerNotPresent, KdDisableDebugger, KdEnableDebugger, KdEnteredDebugger, KdPollBreakIn, KdPowerTransition, Ke386CallBios, Ke386IoSetAccessProcess, Ke386QueryIoAccessMap, Ke386SetIoAccessMap, KeAcquireInStackQueuedSpinLockAtDpcLevel, KeAcquireInterruptSpinLock, KeAcquireSpinLockAtDpcLevel, KeAddSystemServiceTable, KeAreApcsDisabled, KeAttachProcess, KeBugCheck, KeBugCheckEx, KeCancelTimer, KeClearEvent, KeConnectInterrupt, KeDcacheFlushCount, KeDelayExecutionThread, KeDeregisterBugCheckCallback, KeDetachProcess, KeDisconnectInterrupt, KeEnterCriticalRegion, KeEnterKernelDebugger, KeFindConfigurationEntry, KeFindConfigurationNextEntry, KeFlushEntireTb, KeGetCurrentThread, KeGetPreviousMode, KeGetRecommendedSharedDataAlignment, KeI386AbiosCall, KeI386AllocateGdtSelectors, KeI386Call16BitCStyleFunction, KeI386Call16BitFunction, KeI386FlatToGdtSelector, KeI386GetLid, KeI386MachineType, KeI386ReleaseGdtSelectors, KeI386ReleaseLid, KeI386SetGdtSelector, KeIcacheFlushCount, KeInitializeApc, KeInitializeDeviceQueue, KeInitializeDpc, KeInitializeEvent, KeInitializeInterrupt, KeInitializeMutant, KeInitializeMutex, KeInitializeQueue, KeInitializeSemaphore, KeInitializeSpinLock, KeInitializeTimer, KeInitializeTimerEx, KeInsertByKeyDeviceQueue, KeInsertDeviceQueue, KeInsertHeadQueue, KeInsertQueue, KeInsertQueueApc, KeInsertQueueDpc, KeIsAttachedProcess, KeIsExecutingDpc, KeLeaveCriticalRegion, KeLoaderBlock, KeNumberProcessors, KeProfileInterrupt, KeProfileInterruptWithSource, KePulseEvent, KeQueryActiveProcessors, KeQueryInterruptTime, KeQueryPriorityThread, KeQueryRuntimeThread, KeQuerySystemTime, KeQueryTickCount, KeQueryTimeIncrement, KeRaiseUserException, KeReadStateEvent, KeReadStateMutant, KeReadStateMutex, KeReadStateQueue, KeReadStateSemaphore, KeReadStateTimer, KeRegisterBugCheckCallback, KeReleaseInStackQueuedSpinLockFromDpcLevel, KeReleaseInterruptSpinLock, KeReleaseMutant, KeReleaseMutex, KeReleaseSemaphore, KeReleaseSpinLockFromDpcLevel, KeRemoveByKeyDeviceQueue, KeRemoveByKeyDeviceQueueIfBusy, KeRemoveDeviceQueue, KeRemoveEntryDeviceQueue, KeRemoveQueue, KeRemoveQueueDpc, KeRemoveSystemServiceTable, KeResetEvent, KeRestoreFloatingPointState, KeRevertToUserAffinityThread, KeRundownQueue, KeSaveFloatingPointState, KeSaveStateForHibernate, KeServiceDescriptorTable, KeSetAffinityThread, KeSetBasePriorityThread, KeSetDmaIoCoherency, KeSetEvent, KeSetEventBoostPriority, KeSetIdealProcessorThread, KeSetImportanceDpc, KeSetKernelStackSwapEnable, KeSetPriorityThread, KeSetProfileIrql, KeSetSystemAffinityThread, KeSetTargetProcessorDpc, KeSetTimeIncrement, KeSetTimeUpdateNotifyRoutine, KeSetTimer, KeSetTimerEx, KeStackAttachProcess, KeSynchronizeExecution, KeTerminateThread, KeTickCount, KeUnstackDetachProcess, KeUpdateRunTime, KeUpdateSystemTime, KeUserModeCallback, KeWaitForMultipleObjects, KeWaitForMutexObject, KeWaitForSingleObject, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, Kei386EoiHelper, KiAcquireSpinLock, KiBugCheckData, KiCoprocessorError, KiDeliverApc, KiDispatchInterrupt, KiEnableTimerWatchdog, KiIpiServiceRoutine, KiReleaseSpinLock, KiUnexpectedInterrupt, Kii386SpinOnSpinLock, LdrAccessResource, LdrEnumResources, LdrFindResourceDirectory_U, LdrFindResource_U, LpcPortObjectType, LpcRequestPort, LpcRequestWaitReplyPort, LsaCallAuthenticationPackage, LsaDeregisterLogonProcess, LsaFreeReturnBuffer, LsaLogonUser, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess, Mm64BitPhysicalAddress, MmAddPhysicalMemory, MmAddVerifierThunks, MmAdjustWorkingSetSize, MmAdvanceMdl, MmAllocateContiguousMemory, MmAllocateContiguousMemorySpecifyCache, MmAllocateMappingAddress, MmAllocateNonCachedMemory, MmAllocatePagesForMdl, MmBuildMdlForNonPagedPool, MmCanFileBeTruncated, MmCreateMdl, MmCreateSection, MmDisableModifiedWriteOfSection, MmFlushImageSection, MmForceSectionClosed, MmFreeContiguousMemory, MmFreeContiguousMemorySpecifyCache, MmFreeMappingAddress, MmFreeNonCachedMemory, MmFreePagesFromMdl, MmGetPhysicalAddress, MmGetPhysicalMemoryRanges, MmGetSystemRoutineAddress, MmGetVirtualForPhysical, MmGrowKernelStack, MmHighestUserAddress, MmIsAddressValid, MmIsDriverVerifying, MmIsNonPagedSystemAddressValid, MmIsRecursiveIoFault, MmIsThisAnNtAsSystem, MmIsVerifierEnabled, MmLockPagableDataSection, MmLockPagableImageSection, MmLockPagableSectionByHandle, MmMapIoSpace, MmMapLockedPages, MmMapLockedPagesSpecifyCache, MmMapLockedPagesWithReservedMapping, MmMapMemoryDumpMdl, MmMapUserAddressesToPage, MmMapVideoDisplay, MmMapViewInSessionSpace, MmMapViewInSystemSpace, MmMapViewOfSection, MmMarkPhysicalMemoryAsBad, MmMarkPhysicalMemoryAsGood, MmPageEntireDriver, MmPrefetchPages, MmProbeAndLockPages, MmProbeAndLockProcessPages, MmProbeAndLockSelectedPages, MmProtectMdlSystemAddress, MmQuerySystemSize, MmRemovePhysicalMemory, MmResetDriverPaging, MmSectionObjectType, MmSecureVirtualMemory, MmSetAddressRangeModified, MmSetBankedSection, MmSizeOfMdl, MmSystemRangeStart, MmTrimAllSystemPagableMemory, MmUnlockPagableImageSection, MmUnlockPages, MmUnmapIoSpace, MmUnmapLockedPages, MmUnmapReservedMapping, MmUnmapVideoDisplay, MmUnmapViewInSessionSpace, MmUnmapViewInSystemSpace, MmUnmapViewOfSection, MmUnsecureVirtualMemory, MmUserProbeAddress, NlsAnsiCodePage, NlsLeadByteInfo, NlsMbCodePageTag, NlsMbOemCodePageTag, NlsOemCodePage, NlsOemLeadByteInfo, NtAddAtom, NtAdjustPrivilegesToken, NtAllocateLocallyUniqueId, NtAllocateUuids, NtAllocateVirtualMemory, NtBuildNumber, NtClose, NtConnectPort, NtCreateEvent, NtCreateFile, NtCreateSection, NtDeleteAtom, NtDeleteFile, NtDeviceIoControlFile, NtDuplicateObject, NtDuplicateToken, NtFindAtom, NtFreeVirtualMemory, NtFsControlFile, NtGlobalFlag, NtLockFile, NtMakePermanentObject, NtMapViewOfSection, NtNotifyChangeDirectoryFile, NtOpenFile, NtOpenProcess, NtOpenProcessToken, NtOpenProcessTokenEx, NtOpenThread, NtOpenThreadToken, NtOpenThreadTokenEx, NtQueryDirectoryFile, NtQueryEaFile, NtQueryInformationAtom, NtQueryInformationFile, NtQueryInformationProcess, NtQueryInformationThread, NtQueryInformationToken, NtQueryQuotaInformationFile, NtQuerySecurityObject, NtQuerySystemInformation, NtQueryVolumeInformationFile, NtReadFile, NtRequestPort, NtRequestWaitReplyPort, NtSetEaFile, NtSetEvent, NtSetInformationFile, NtSetInformationProcess, NtSetInformationThread, NtSetQuotaInformationFile, NtSetSecurityObject, NtSetVolumeInformationFile, NtShutdownSystem, NtTraceEvent, NtUnlockFile, NtVdmControl, NtWaitForSingleObject, NtWriteFile, ObAssignSecurity, ObCheckCreateObjectAccess, ObCheckObjectAccess, ObCloseHandle, ObCreateObject, ObCreateObjectType, ObDereferenceObject, ObDereferenceSecurityDescriptor, ObFindHandleForObject, ObGetObjectSecurity, ObInsertObject, ObLogSecurityDescriptor, ObMakeTemporaryObject, ObOpenObjectByName, ObOpenObjectByPointer, ObQueryNameString, ObQueryObjectAuditingByHandle, ObReferenceObjectByHandle, ObReferenceObjectByName, ObReferenceObjectByPointer, ObReferenceSecurityDescriptor, ObReleaseObjectSecurity, ObSetHandleAttributes, ObSetSecurityDescriptorInfo, ObSetSecurityObjectByPointer, ObfDereferenceObject, ObfReferenceObject, PfxFindPrefix, PfxInitialize, PfxInsertPrefix, PfxRemovePrefix, PoCallDriver, PoCancelDeviceNotify, PoQueueShutdownWorkItem, PoRegisterDeviceForIdleDetection, PoRegisterDeviceNotify, PoRegisterSystemState, PoRequestPowerIrp, PoRequestShutdownEvent, PoSetHiberRange, PoSetPowerState, PoSetSystemState, PoShutdownBugCheck, PoStartNextPowerIrp, PoUnregisterSystemState, ProbeForRead, ProbeForWrite, PsAssignImpersonationToken, PsChargePoolQuota, PsChargeProcessNonPagedPoolQuota, PsChargeProcessPagedPoolQuota, PsChargeProcessPoolQuota, PsCreateSystemProcess, PsCreateSystemThread, PsDereferenceImpersonationToken, PsDereferencePrimaryToken, PsDisableImpersonation, PsEstablishWin32Callouts, PsGetCurrentProcess, PsGetCurrentProcessId, PsGetCurrentProcessSessionId, PsGetCurrentThread, PsGetCurrentThreadId, PsGetCurrentThreadPreviousMode, PsGetCurrentThreadStackBase, PsGetCurrentThreadStackLimit, PsGetJobLock, PsGetJobSessionId, PsGetJobUIRestrictionsClass, PsGetProcessCreateTimeQuadPart, PsGetProcessDebugPort, PsGetProcessExitProcessCalled, PsGetProcessExitStatus, PsGetProcessExitTime, PsGetProcessId, PsGetProcessImageFileName, PsGetProcessInheritedFromUniqueProcessId, PsGetProcessJob, PsGetProcessPeb, PsGetProcessPriorityClass, PsGetProcessSectionBaseAddress, PsGetProcessSecurityPort, PsGetProcessSessionId, PsGetProcessWin32Process, PsGetProcessWin32WindowStation, PsGetThreadFreezeCount, PsGetThreadHardErrorsAreDisabled, PsGetThreadId, PsGetThreadProcess, PsGetThreadProcessId, PsGetThreadSessionId, PsGetThreadTeb, PsGetThreadWin32Thread, PsGetVersion, PsImpersonateClient, PsInitialSystemProcess, PsIsProcessBeingDebugged, PsIsSystemThread, PsIsThreadImpersonating, PsIsThreadTerminating, PsJobType, PsLookupProcessByProcessId, PsLookupProcessThreadByCid, PsLookupThreadByThreadId, PsProcessType, PsReferenceImpersonationToken, PsReferencePrimaryToken, PsRemoveCreateThreadNotifyRoutine, PsRemoveLoadImageNotifyRoutine, PsRestoreImpersonation, PsReturnPoolQuota, PsReturnProcessNonPagedPoolQuota, PsReturnProcessPagedPoolQuota, PsRevertThreadToSelf, PsRevertToSelf, PsSetCreateProcessNotifyRoutine, PsSetCreateThreadNotifyRoutine, PsSetJobUIRestrictionsClass, PsSetLegoNotifyRoutine, PsSetLoadImageNotifyRoutine, PsSetProcessPriorityByClass, PsSetProcessPriorityClass, PsSetProcessSecurityPort, PsSetProcessWin32Process, PsSetProcessWindowStation, PsSetThreadHardErrorsAreDisabled, PsSetThreadWin32Thread, PsTerminateSystemThread, PsThreadType, READ_REGISTER_BUFFER_UCHAR, READ_REGISTER_BUFFER_ULONG, READ_REGISTER_BUFFER_USHORT, READ_REGISTER_UCHAR, READ_REGISTER_ULONG, READ_REGISTER_USHORT, RtlAbsoluteToSelfRelativeSD, RtlAddAccessAllowedAce, RtlAddAce, RtlAddAtomToAtomTable, RtlAddRange, RtlAllocateHeap, RtlAnsiCharToUnicodeChar, RtlAnsiStringToUnicodeSize, RtlAnsiStringToUnicodeString, RtlAppendAsciizToString, RtlAppendStringToString, RtlAppendUnicodeStringToString, RtlAppendUnicodeToString, RtlAreAllAccessesGranted, RtlAreAnyAccessesGranted, RtlAreBitsClear, RtlAreBitsSet, RtlAssert, RtlCaptureContext, RtlCaptureStackBackTrace, RtlCharToInteger, RtlCheckRegistryKey, RtlClearAllBits, RtlClearBit, RtlClearBits, RtlCompareMemory, RtlCompareMemoryUlong, RtlCompareString, RtlCompareUnicodeString, RtlCompressBuffer, RtlCompressChunks, RtlConvertLongToLargeInteger, RtlConvertSidToUnicodeString, RtlConvertUlongToLargeInteger, RtlCopyLuid, RtlCopyRangeList, RtlCopySid, RtlCopyString, RtlCopyUnicodeString, RtlCreateAcl, RtlCreateAtomTable, RtlCreateHeap, RtlCreateRegistryKey, RtlCreateSecurityDescriptor, RtlCreateSystemVolumeInformationFolder, RtlCreateUnicodeString, RtlCustomCPToUnicodeN, RtlDecompressBuffer, RtlDecompressChunks, RtlDecompressFragment, RtlDelete, RtlDeleteAce, RtlDeleteAtomFromAtomTable, RtlDeleteElementGenericTable, RtlDeleteElementGenericTableAvl, RtlDeleteNoSplay, RtlDeleteOwnersRanges, RtlDeleteRange, RtlDeleteRegistryValue, RtlDescribeChunk, RtlDestroyAtomTable, RtlDestroyHeap, RtlDowncaseUnicodeString, RtlEmptyAtomTable, RtlEnlargedIntegerMultiply, RtlEnlargedUnsignedDivide, RtlEnlargedUnsignedMultiply, RtlEnumerateGenericTable, RtlEnumerateGenericTableAvl, RtlEnumerateGenericTableLikeADirectory, RtlEnumerateGenericTableWithoutSplaying, RtlEnumerateGenericTableWithoutSplayingAvl, RtlEqualLuid, RtlEqualSid, RtlEqualString, RtlEqualUnicodeString, RtlExtendedIntegerMultiply, RtlExtendedLargeIntegerDivide, RtlExtendedMagicDivide, RtlFillMemory, RtlFillMemoryUlong, RtlFindClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, RtlFindFirstRunClear, RtlFindLastBackwardRunClear, RtlFindLeastSignificantBit, RtlFindLongestRunClear, RtlFindMessage, RtlFindMostSignificantBit, RtlFindNextForwardRunClear, RtlFindRange, RtlFindSetBits, RtlFindSetBitsAndClear, RtlFindUnicodePrefix, RtlFormatCurrentUserKeyPath, RtlFreeAnsiString, RtlFreeHeap, RtlFreeOemString, RtlFreeRangeList, RtlFreeUnicodeString, RtlGUIDFromString, RtlGenerate8dot3Name, RtlGetAce, RtlGetCallersAddress, RtlGetCompressionWorkSpaceSize, RtlGetDaclSecurityDescriptor, RtlGetDefaultCodePage, RtlGetElementGenericTable, RtlGetElementGenericTableAvl, RtlGetFirstRange, RtlGetGroupSecurityDescriptor, RtlGetNextRange, RtlGetNtGlobalFlags, RtlGetOwnerSecurityDescriptor, RtlGetSaclSecurityDescriptor, RtlGetSetBootStatusData, RtlGetVersion, RtlHashUnicodeString, RtlImageDirectoryEntryToData, RtlImageNtHeader, RtlInitAnsiString, RtlInitCodePageTable, RtlInitString, RtlInitUnicodeString, RtlInitializeBitMap, RtlInitializeGenericTable, RtlInitializeGenericTableAvl, RtlInitializeRangeList, RtlInitializeSid, RtlInitializeUnicodePrefix, RtlInsertElementGenericTable, RtlInsertElementGenericTableAvl, RtlInsertElementGenericTableFull, RtlInsertElementGenericTableFullAvl, RtlInsertUnicodePrefix, RtlInt64ToUnicodeString, RtlIntegerToChar, RtlIntegerToUnicode, RtlIntegerToUnicodeString, RtlInvertRangeList, RtlIpv4AddressToStringA, RtlIpv4AddressToStringW, RtlIpv4StringToAddressA, RtlIpv4StringToAddressW, RtlIpv6AddressToStringA, RtlIpv6AddressToStringW, RtlIpv6StringToAddressA, RtlIpv6StringToAddressW, RtlIsGenericTableEmpty, RtlIsGenericTableEmptyAvl, RtlIsNameLegalDOS8Dot3, RtlIsRangeAvailable, RtlIsValidOemCharacter, RtlLargeIntegerAdd, RtlLargeIntegerArithmeticShift, RtlLargeIntegerDivide, RtlLargeIntegerNegate, RtlLargeIntegerShiftLeft, RtlLargeIntegerShiftRight, RtlLargeIntegerSubtract, RtlLengthRequiredSid, RtlLengthSecurityDescriptor, RtlLengthSid, RtlLockBootStatusData, RtlLookupAtomInAtomTable, RtlLookupElementGenericTable, RtlLookupElementGenericTableAvl, RtlLookupElementGenericTableFull, RtlLookupElementGenericTableFullAvl, RtlMapGenericMask, RtlMapSecurityErrorToNtStatus, RtlMergeRangeLists, RtlMoveMemory, RtlMultiByteToUnicodeN, RtlMultiByteToUnicodeSize, RtlNextUnicodePrefix, RtlNtStatusToDosError, RtlNtStatusToDosErrorNoTeb, RtlNumberGenericTableElements, RtlNumberGenericTableElementsAvl, RtlNumberOfClearBits, RtlNumberOfSetBits, RtlOemStringToCountedUnicodeString, RtlOemStringToUnicodeSize, RtlOemStringToUnicodeString, RtlOemToUnicodeN, RtlPinAtomInAtomTable, RtlPrefetchMemoryNonTemporal, RtlPrefixString, RtlPrefixUnicodeString, RtlQueryAtomInAtomTable, RtlQueryRegistryValues, RtlQueryTimeZoneInformation, RtlRaiseException, RtlRandom, RtlRandomEx, RtlRealPredecessor, RtlRealSuccessor, RtlRemoveUnicodePrefix, RtlReserveChunk, RtlSecondsSince1970ToTime, RtlSecondsSince1980ToTime, RtlSelfRelativeToAbsoluteSD, RtlSelfRelativeToAbsoluteSD2, RtlSetAllBits, RtlSetBit, RtlSetBits, RtlSetDaclSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlSetOwnerSecurityDescriptor, RtlSetSaclSecurityDescriptor, RtlSetTimeZoneInformation, RtlSizeHeap, RtlSplay, RtlStringFromGUID, RtlSubAuthorityCountSid, RtlSubAuthoritySid, RtlSubtreePredecessor, RtlSubtreeSuccessor, RtlTestBit, RtlTimeFieldsToTime, RtlTimeToElapsedTimeFields, RtlTimeToSecondsSince1970, RtlTimeToSecondsSince1980, RtlTimeToTimeFields, RtlTraceDatabaseAdd, RtlTraceDatabaseCreate, RtlTraceDatabaseDestroy, RtlTraceDatabaseEnumerate, RtlTraceDatabaseFind, RtlTraceDatabaseLock, RtlTraceDatabaseUnlock, RtlTraceDatabaseValidate, RtlUlongByteSwap, RtlUlonglongByteSwap, RtlUnicodeStringToAnsiSize, RtlUnicodeStringToAnsiString, RtlUnicodeStringToCountedOemString, RtlUnicodeStringToInteger, RtlUnicodeStringToOemSize, RtlUnicodeStringToOemString, RtlUnicodeToCustomCPN, RtlUnicodeToMultiByteN, RtlUnicodeToMultiByteSize, RtlUnicodeToOemN, RtlUnlockBootStatusData, RtlUnwind, RtlUpcaseUnicodeChar, RtlUpcaseUnicodeString, RtlUpcaseUnicodeStringToAnsiString, RtlUpcaseUnicodeStringToCountedOemString, RtlUpcaseUnicodeStringToOemString, RtlUpcaseUnicodeToCustomCPN, RtlUpcaseUnicodeToMultiByteN, RtlUpcaseUnicodeToOemN, RtlUpperChar, RtlUpperString, RtlUshortByteSwap, RtlValidRelativeSecurityDescriptor, RtlValidSecurityDescriptor, RtlValidSid, RtlVerifyVersionInfo, RtlVolumeDeviceToDosName, RtlWalkFrameChain, RtlWriteRegistryValue, RtlZeroHeap, RtlZeroMemory, RtlxAnsiStringToUnicodeSize, RtlxOemStringToUnicodeSize, RtlxUnicodeStringToAnsiSize, RtlxUnicodeStringToOemSize, SeAccessCheck, SeAppendPrivileges, SeAssignSecurity, SeAssignSecurityEx, SeAuditHardLinkCreation, SeAuditingFileEvents, SeAuditingFileOrGlobalEvents, SeAuditingHardLinkEvents, SeCaptureSecurityDescriptor, SeCaptureSubjectContext, SeCloseObjectAuditAlarm, SeCreateAccessState, SeCreateClientSecurity, SeCreateClientSecurityFromSubjectContext, SeDeassignSecurity, SeDeleteAccessState, SeDeleteObjectAuditAlarm, SeExports, SeFilterToken, SeFreePrivileges, SeImpersonateClient, SeImpersonateClientEx, SeLockSubjectContext, SeMarkLogonSessionForTerminationNotification, SeOpenObjectAuditAlarm, SeOpenObjectForDeleteAuditAlarm, SePrivilegeCheck, SePrivilegeObjectAuditAlarm, SePublicDefaultDacl, SeQueryAuthenticationIdToken, SeQueryInformationToken, SeQuerySecurityDescriptorInfo, SeQuerySessionIdToken, SeRegisterLogonSessionTerminatedRoutine, SeReleaseSecurityDescriptor, SeReleaseSubjectContext, SeSetAccessStateGenericMapping, SeSetSecurityDescriptorInfo, SeSetSecurityDescriptorInfoEx, SeSinglePrivilegeCheck, SeSystemDefaultDacl, SeTokenImpersonationLevel, SeTokenIsAdmin, SeTokenIsRestricted, SeTokenObjectType, SeTokenType, SeUnlockSubjectContext, SeUnregisterLogonSessionTerminatedRoutine, SeValidSecurityDescriptor, VerSetConditionMask, VfFailDeviceNode, VfFailDriver, VfFailSystemBIOS, VfIsVerificationEnabled, WRITE_REGISTER_BUFFER_UCHAR, WRITE_REGISTER_BUFFER_ULONG, WRITE_REGISTER_BUFFER_USHORT, WRITE_REGISTER_UCHAR, WRITE_REGISTER_ULONG, WRITE_REGISTER_USHORT, WmiFlushTrace, WmiGetClock, WmiQueryTrace, WmiQueryTraceInformation, WmiStartTrace, WmiStopTrace, WmiTraceMessage, WmiTraceMessageVa, WmiUpdateTrace, XIPDispatch, ZwAccessCheckAndAuditAlarm, ZwAddBootEntry, ZwAdjustPrivilegesToken, ZwAlertThread, ZwAllocateVirtualMemory, ZwAssignProcessToJobObject, ZwCancelIoFile, ZwCancelTimer, ZwClearEvent, ZwClose, ZwCloseObjectAuditAlarm, ZwConnectPort, ZwCreateDirectoryObject, ZwCreateEvent, ZwCreateFile, ZwCreateJobObject, ZwCreateKey, ZwCreateSection, ZwCreateSymbolicLinkObject, ZwCreateTimer, ZwDeleteBootEntry, ZwDeleteFile, ZwDeleteKey, ZwDeleteValueKey, ZwDeviceIoControlFile, ZwDisplayString, ZwDuplicateObject, ZwDuplicateToken, ZwEnumerateBootEntries, ZwEnumerateKey, ZwEnumerateValueKey, ZwFlushInstructionCache, ZwFlushKey, ZwFlushVirtualMemory, ZwFreeVirtualMemory, ZwFsControlFile, ZwInitiatePowerAction, ZwIsProcessInJob, ZwLoadDriver, ZwLoadKey, ZwMakeTemporaryObject, ZwMapViewOfSection, ZwNotifyChangeKey, ZwOpenDirectoryObject, ZwOpenEvent, ZwOpenFile, ZwOpenJobObject, ZwOpenKey, ZwOpenProcess, ZwOpenProcessToken, ZwOpenProcessTokenEx, ZwOpenSection, ZwOpenSymbolicLinkObject, ZwOpenThread, ZwOpenThreadToken, ZwOpenThreadTokenEx, ZwOpenTimer, ZwPowerInformation, ZwPulseEvent, ZwQueryBootEntryOrder, ZwQueryBootOptions, ZwQueryDefaultLocale, ZwQueryDefaultUILanguage, ZwQueryDirectoryFile, ZwQueryDirectoryObject, ZwQueryEaFile, ZwQueryFullAttributesFile, ZwQueryInformationFile, ZwQueryInformationJobObject, ZwQueryInformationProcess, ZwQueryInformationThread, ZwQueryInformationToken, ZwQueryInstallUILanguage, ZwQueryKey, ZwQueryObject, ZwQuerySection, ZwQuerySecurityObject, ZwQuerySymbolicLinkObject, ZwQuerySystemInformation, ZwQueryValueKey, ZwQueryVolumeInformationFile, ZwReadFile, ZwReplaceKey, ZwRequestWaitReplyPort, ZwResetEvent, ZwRestoreKey, ZwSaveKey, ZwSaveKeyEx, ZwSetBootEntryOrder, ZwSetBootOptions, ZwSetDefaultLocale, ZwSetDefaultUILanguage, ZwSetEaFile, ZwSetEvent, ZwSetInformationFile, ZwSetInformationJobObject, ZwSetInformationObject, ZwSetInformationProcess, ZwSetInformationThread, ZwSetSecurityObject, ZwSetSystemInformation, ZwSetSystemTime, ZwSetTimer, ZwSetValueKey, ZwSetVolumeInformationFile, ZwTerminateJobObject, ZwTerminateProcess, ZwTranslateFilePath, ZwUnloadDriver, ZwUnloadKey, ZwUnmapViewOfSection, ZwWaitForMultipleObjects, ZwWaitForSingleObject, ZwWriteFile, ZwYieldExecution, _CIcos, _CIsin, _CIsqrt, _abnormal_termination, _alldiv, _alldvrm, _allmul, _alloca_probe, _allrem, _allshl, _allshr, _aulldiv, _aulldvrm, _aullrem, _aullshr, _except_handler2, _except_handler3, _global_unwind2, _itoa, _itow, _local_unwind2, _purecall, _snprintf, _snwprintf, _stricmp, _strlwr, _strnicmp, _strnset, _strrev, _strset, _strupr, _vsnprintf, _vsnwprintf, _wcsicmp, _wcslwr, _wcsnicmp, _wcsnset, _wcsrev, _wcsupr, atoi, atol, isdigit, islower, isprint, isspace, isupper, isxdigit, mbstowcs, mbtowc, memchr, memcpy, memmove, memset, qsort, rand, sprintf, srand, strcat, strchr, strcmp, strcpy, strlen, strncat, strncmp, strncpy, strrchr, strspn, strstr, swprintf, tolower, toupper, towlower, towupper, vDbgPrintEx, vDbgPrintExWithPrefix, vsprintf, wcscat, wcschr, wcscmp, wcscpy, wcscspn, wcslen, wcsncat, wcsncmp, wcsncpy, wcsrchr, wcsspn, wcsstr, wcstombs, wctomb
RDS...: NSRL Reference Data Set



Malwarebytes' Anti-Malware 1.36
Database version: 1997
Windows 5.1.2600

2009-04-17 21:35:35
mbam-log-2009-04-17 (21-35-30).txt

Scan type: Quick Scan
Objects scanned: 81960
Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Joshua\Desktop\Setup.exe (Adware.Zango) -> No action taken.


Thx for your help once again.

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:49 AM

Posted 18 April 2009 - 10:41 AM

Hello.

That's okay. Just post a New DDS log for me. Attach included as well.

How is your computer running?

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:49 AM

Posted 18 April 2009 - 10:43 AM

Hello.

Just saw that MBAM scan was an "no-action taken" run..

PLease do the following and in addition to what I have said in my previous post.

Re-run scan with MalwareBytes Anti-Malware

Your MBAM log shows "No action taken". This usually occurs if you forget to click "Remove Selected" and instead only clicked "Save Logfile. Please read this thread and rescan again only using the (Quick Scan) in normal mode and check all items found for removal. Don't forgot to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. After performing the new scan, click the Logs tab and copy/paste the contents of the new report in your next reply.

With regards,
Extremeoby
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 warnog

warnog
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 19 April 2009 - 01:31 AM

Malwarebytes' Anti-Malware 1.36
Database version: 1997
Windows 5.1.2600

2009-04-18 22:58:21
mbam-log-2009-04-18 (22-58-21).txt

Scan type: Quick Scan
Objects scanned: 81847
Time elapsed: 2 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Joshua\Desktop\Setup.exe (Adware.Zango) -> Quarantined and deleted successfully.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users