
Windows Restore infection originally, now Google redirection and strange popups


  • This topic is locked
18 replies to this topic

#1 BryanBlack


  • Members
  • 11 posts

Posted 12 April 2011 - 03:14 PM

Hello, how are you?

System is a Lenovo ThinkPad T60p-L34P86C, WinXPSP3.

I believe the problem started on Thurs April 7, at least that is when I saw the first evidence. I had clicked on a program window that popped up instead of killing it in Task Manager and got infected by "Windows Restore".

Evidently, this also opened the door for a bunch of other problem-ware.

I updated and ran Spybot, Malware Bytes and Avira Anti Virus; they all deleted some things

[attach logs if possible]

but evidently not enough. (None of these deleted the 4 Windows Restore files in the "~Application Data~" dir; I had to delete them manually, though the "Windows Restore" items have not shown up again. MB did delete the Windows Restore Start Menu shortcuts and folder.)



Clicking on Google search result links in IE now does not go to that site; it goes to several other sites. Also, after a while I started to get short bits of audio periodically, and other popups of IE Script errors and Internet Redirection warnings, even if no IE window is open. [see screen prints] Started using the Lotus Symphony Web Browser (LS was already installed on the system when I received it, but I have not used it much since the first month, Dec 2009/Jan 2010) as Google result links almost always worked through that.



When trying to follow the removal instructions at http://www.bleepingcomputer.com/virus-removal/remove-windows-restore

I get the below when running RKill; have tried most of the variant names with the same result.



RKill Log File displays at last line in Cmd window:


FINDSTR: Search string too long.
[Log file available]



Uninstalled Java and Flash Player. On Monday also started getting prompts to install Flash Player [see screen prints].







Have run Spybot, Malware Bytes and Avira Anti Virus again with seemingly no more than usual detections, will try to attach them too.



----



Still getting these popups at intervals, whether IE is open or showing in running processes or not; sites vary, many different ones, but sometimes ones that have shown up this way earlier

(I have gone to none of these sites intentionally before):


[can't seem to paste the images in, they are "Internet Explorer Script Error"s and "Internet Explorer cannot open the " , Internet Redirection warnings, Windows Explorer Security Warnings]

Thank You for your time and assistance,
Bryan Black
.-------------------------------------

DDS.txt:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Daimyo at 14:38:14.29 on Tue 04/12/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1143 [GMT -4:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\soffice.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.exe
C:\Program Files\IBM\Lotus\Symphony\framework\rcp\eclipse\plugins\com.ibm.rcp.base_6.2.0.20090505-1200\win32\x86\symphony.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\IBM\Lotus\Symphony\framework\rcp\eclipse\plugins\com.ibm.rcp.swt.browser.dom.ie_6.2.0.20090505-1200\os\win32\x86\IEOOP.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\AV\BC-dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title =
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SODCPreLoad] c:\program files\ibm\lotus\symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\preload.exe c:\docume~1\admini~1\ibm\lotus\symphony\.sodc\
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [PSQLLauncher] "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: bmnet.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director6/cabs/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/html - {35ee9500-064d-4284-b8a6-c8edbc027deb} -
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
LSA: Notification Packages = scecli c:\program files\thinkvantage fingerprint software\psqlpwd.dll ACGina
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-9 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-9 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-9 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-9 56816]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-6-2 53248]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2008-11-21 12560]
R3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2008-2-18 105216]
R3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2008-2-8 59264]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-7-7 14904]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2008-3-6 106496]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [2007-4-10 72576]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [2007-1-12 102144]
.
=============== Created Last 30 ================
.
2011-04-11 19:40:02 -------- d-----w- c:\program files\Secunia
2011-04-11 18:45:34 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-11 18:45:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-11 18:17:54 -------- d-----w- C:\e57f0a2b9c60ca553166dda0cb91
2011-04-11 18:10:14 4224 ----a-w- c:\windows\system32\drivers\IBMBLDID.sys
2011-04-11 18:10:14 11520 ----a-w- c:\windows\system32\drivers\ANC.sys
2011-04-10 20:24:19 966656 ----a-w- c:\program files\msn\msncorefiles\oobe\obemetal.dll
2011-04-10 20:24:19 86016 ----a-w- c:\program files\msn\msncorefiles\oobe\obepopc.dll
2011-04-10 20:24:19 77824 ----a-w- c:\program files\msn\msncorefiles\oobe\obemtllc.dll
2011-04-10 20:24:19 229376 ----a-w- c:\program files\msn\msncorefiles\oobe\obelog.dll
2011-04-10 20:24:18 884712 ----a-w- c:\program files\msn\msncorefiles\install\msn9components\Digcore.exe
2011-04-10 20:24:18 1327320 ----a-w- c:\program files\msn\msncorefiles\install\msnsusii.exe
2011-04-10 20:24:18 11053008 ----a-w- c:\program files\msn\msncorefiles\install\msn9components\Msncli.exe
2011-04-09 19:07:49 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-04-09 19:07:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 19:07:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-09 19:07:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-09 17:17:12 -------- d-----w- C:\AV
2011-04-09 16:55:39 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-09 16:55:32 -------- d-----w- c:\program files\Avira
2011-04-09 16:55:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-04-08 17:01:12 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Help
.
==================== Find3M ====================
.
2011-04-11 19:03:17 672 ----a-w- C:\WU DetectNow.bat
2011-03-03 20:23:02 2855 ----a-w- c:\windows\system32\command.PIF
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
============= FINISH: 14:38:43.28 ===============




Sorry, forgot to put in original post:

I am considering going back to the Windows System Restore point from the day (or 2) before the first manifestation (prob should have done that before thrashing around the last 3 days...) if that is cleanest.
Does a Restore tend to be the best option in these (or this specific) case?

Thanks,
BB

EDIT: Posts merged ~Budapest



Edited by Budapest, 12 April 2011 - 04:13 PM.



#2 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 21 April 2011 - 02:59 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#3 BryanBlack

  • Topic Starter

  • Members
  • 11 posts

Posted 26 April 2011 - 03:35 PM

Hello Elise,


Sorry for the delay in replying.

I have re-run the DDS tool and attached the Attach~.txt file that was generated. Posted inline below are the contents of the DDS~.txt file that was generated.
I get a message when running RKill; have tried most of the variant names with the same result:
RKill seems to start and run, then displays at the last lines in the Cmd window:

FINDSTR: Search string too long.
[Log file available]

rkill log attached.
There is another file that was modified 1 minute later named Log.txt, also on the root of C:, also attached.
-

Still getting:
Clicking on Google search result links in IE does not go to the target site; it redirects to different search sites, sometimes several other sites.
(If the link that is listed at the bottom of a result is complete i can copy and paste it into the address bar and it will usually go there correctly, for ex:
www.homebrewtalk.com/wiki/index.php/Saison
belgianstyle.com/mmguide/style/saison.html
both work ok cutting + pasting , but
beeradvocate.com/forum/read/1441064
goes to
http://www.kuwaitcity.info/
then
http://newtopdomaintech.net/search
then
http://search.clicksare.com/results/?partnerid=113721&appid=52&vendorId=570385&type=2&code=45882246&rate=Y0ddQV5WGA==&cr=Y0ddQV1XFQ==&domain=http://www.blogtalkradio.com&query=1303849540%3a%3a67.79.142.186%3a%3aron&qt=1303849540&ip=67.79.142.186&kw=ron&ckw=&entry=consumer%20corporation%20research&rnk=1&tsstagid=25024869&geotagid=22586&lid=7798463&cid=254015&dr=Y0ddQV1XFXU=&url=.Ox0ZAFZKDzIZFFwbHBsOGw9NSlMyDQQfQgZPKEEOHQoEBgwMC09VDzsdABxTFB0mAQ0BDB0RG0pcEUJOIRkCAg0RSSoARkBJAhEaCg9TQkl1CAQUUSREKgBFBw0dKxoAG1NCRG4oCR8COhF0XVRASC9BWzBIVFVMDAQIFAUQTXgtMzFfBQAEMA1ATFEyAAoeUSREKgAxHRcjEQgdDUkHVCcEMgQJF014DQwcCgUZDB1LExFCPBsdHx4EVCwBDVdLQAYMHAtAU0I7
{then blocked by Spybot as known malicious url}

Clicking on a link in the History side bar also seems to work.



Also other popups of IE Script errors, Internet Redirection warnings, even if no IE window open.
More recently I have also been getting a narrow popup that extends below the bottom of the screen. [Lost the window title]. Text is something like "Are you sure you want to redirect away from this site? Click on to close? Cancel?" {Sorry, thought I had a screen print, will try to get it again and update the post.} Any buttons to click are not visible. I have been clicking on the "X" in the upper right corner of the popup to close it. Does not show in Task Manager. Does appear in the popup of programs to choose between when I hold down the Alt key and hit the Tab key.

Since the original post I have rerun Spybot, Malware Bytes and Avira Anti Virus again with seemingly no more / no different than usual detections by Spybot, nothing in MBytes and Avira.

Have reinstalled Java since original post (since nothing seemed to change after removed old version), but is now current version 1.6.0_24.
Have not reinstalled the current Flash Player since the original post, though I frequently receive prompts to do so.



Thank You for your help,
Bryan Black
.----.
DDS results from today:

DDS (Ver_11-03-05.01) - NTFSx86
Run by Daimyo at 15:47:38.51 on Tue 04/26/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1481 [GMT -4:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\soffice.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\ThinkPad\ConnectUtilities\Access Connections.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\AV\BC-dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title =
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SODCPreLoad] c:\program files\ibm\lotus\symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\preload.exe c:\docume~1\admini~1\ibm\lotus\symphony\.sodc\
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [PSQLLauncher] "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: bmnet.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director6/cabs/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/html - {35ee9500-064d-4284-b8a6-c8edbc027deb} -
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
LSA: Notification Packages = scecli c:\program files\thinkvantage fingerprint software\psqlpwd.dll ACGina
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-9 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-9 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-9 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-9 56816]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-6-2 53248]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2008-11-21 12560]
R3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2008-2-18 105216]
R3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2008-2-8 59264]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-7-7 14904]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2008-3-6 106496]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [2007-4-10 72576]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [2007-1-12 102144]
.
=============== Created Last 30 ================
.
2011-04-11 19:40:02 -------- d-----w- c:\program files\Secunia
2011-04-11 18:45:34 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-11 18:45:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-11 18:17:54 -------- d-----w- C:\e57f0a2b9c60ca553166dda0cb91
2011-04-11 18:10:14 4224 ----a-w- c:\windows\system32\drivers\IBMBLDID.sys
2011-04-11 18:10:14 11520 ----a-w- c:\windows\system32\drivers\ANC.sys
2011-04-10 20:24:19 966656 ----a-w- c:\program files\msn\msncorefiles\oobe\obemetal.dll
2011-04-10 20:24:19 86016 ----a-w- c:\program files\msn\msncorefiles\oobe\obepopc.dll
2011-04-10 20:24:19 77824 ----a-w- c:\program files\msn\msncorefiles\oobe\obemtllc.dll
2011-04-10 20:24:19 229376 ----a-w- c:\program files\msn\msncorefiles\oobe\obelog.dll
2011-04-10 20:24:18 884712 ----a-w- c:\program files\msn\msncorefiles\install\msn9components\Digcore.exe
2011-04-10 20:24:18 1327320 ----a-w- c:\program files\msn\msncorefiles\install\msnsusii.exe
2011-04-10 20:24:18 11053008 ----a-w- c:\program files\msn\msncorefiles\install\msn9components\Msncli.exe
2011-04-09 19:07:49 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-04-09 19:07:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 19:07:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-09 19:07:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-09 17:17:12 -------- d-----w- C:\AV
2011-04-09 16:55:39 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-09 16:55:32 -------- d-----w- c:\program files\Avira
2011-04-09 16:55:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-04-08 17:01:12 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Help
.
==================== Find3M ====================
.
2011-04-11 19:03:17 672 ----a-w- C:\WU DetectNow.bat
2011-03-03 20:23:02 2855 ----a-w- c:\windows\system32\command.PIF
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
============= FINISH: 15:48:02.83 ===============
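The DDS log pasted above is the kind of output a helper reads by hand. As an added example that is not from the original post, from BleepingComputer or from the DDS tool, here is a small Python triage script that parses the log's sections (the sample inside it is a constructed excerpt of lines copied from the log above), turns the "Created Last 30" rows into dated records so the files written since the 7 April infection date can be listed, and collects the entries an analyst reviews first: Winsock LSP and MIME filter hooks from the Pseudo HJT Report, processes running outside Program Files and WINDOWS, and long hex-named folders in the root of C:. Everything it returns is a review list, not a verdict: BC-dds.scr is the DDS tool itself and the hex-named folder is frequently an update extraction directory, which is exactly why a person still has to look.

```python
import re
from datetime import date

# Constructed excerpt: a few lines per section, copied from the DDS log posted in this thread.
SAMPLE_DDS = """\
============== Running Processes ===============
.
svchost.exe
C:\\WINDOWS\\System32\\svchost.exe -k netsvcs
C:\\Program Files\\Avira\\AntiVir Desktop\\avguard.exe
C:\\WINDOWS\\system32\\bmwebcfg.exe
C:\\AV\\BC-dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\\progra~1\\spybot~1\\SDHelper.dll
mRun: [avgnt] "c:\\program files\\avira\\antivir desktop\\avgnt.exe" /min
LSP: bmnet.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Filter: text/html - {35ee9500-064d-4284-b8a6-c8edbc027deb} -
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\\program files\\avira\\antivir desktop\\avgio.sys [2011-4-9 11608]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\\windows\\system32\\drivers\\swmx01.sys [2007-4-10 72576]
.
=============== Created Last 30 ================
.
2011-04-11 18:17:54 -------- d-----w- C:\\e57f0a2b9c60ca553166dda0cb91
2011-04-09 19:07:35 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2011-04-08 17:01:12 -------- d-----w- c:\\docume~1\\admini~1\\locals~1\\applic~1\\Help
.
============= FINISH: 15:48:02.83 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+) \[(\S+) (\d+)\]$")
HJT_RE = re.compile(r"^([A-Za-z]+): (.*)$")


def split_sections(text):
    """Split a DDS log into {section name: [lines]}. DDS prints '.' for blank lines, so drop those."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line not in ("", "."):
            sections[current].append(line)
    return sections


def parse_created(lines):
    """'Created Last 30' rows -> dicts; the size column reads '--------' for directories."""
    rows = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            d, t, size, attrs, path = m.groups()
            rows.append({"date": date.fromisoformat(d), "time": t,
                         "size": None if size.startswith("-") else int(size),
                         "attrs": attrs, "path": path})
    return rows


def parse_services(lines):
    """'SERVICES / DRIVERS' rows -> dicts. DDS prefixes R (running) or S (stopped) plus the start-type digit."""
    rows = []
    for line in lines:
        m = SVC_RE.match(line)
        if m:
            state, name, display, path, stamp, size = m.groups()
            rows.append({"state": state, "name": name, "display": display,
                         "path": path, "stamp": stamp, "size": int(size)})
    return rows


def parse_hjt(lines):
    """Group Pseudo HJT Report rows by entry type (BHO, mRun, LSP, DPF, Filter, ...)."""
    by_type = {}
    for line in lines:
        m = HJT_RE.match(line)
        if m:  # rows such as 'uStart Page = ...' carry no type prefix and are skipped
            by_type.setdefault(m.group(1), []).append(m.group(2))
    return by_type


def created_since(text, since):
    """Paths written on or after `since` (a date or ISO string), e.g. the day the infection was noticed."""
    since = date.fromisoformat(since) if isinstance(since, str) else since
    rows = parse_created(split_sections(text).get("Created Last 30", []))
    return [r["path"] for r in rows if r["date"] >= since]


def review_items(text):
    """Entries an analyst looks at first. This is a review list, not a malware verdict."""
    sections = split_sections(text)
    hjt = parse_hjt(sections.get("Pseudo HJT Report", []))
    items = []
    # Winsock LSPs and MIME filters sit in the network/browser path, so every one gets checked.
    for kind in ("LSP", "Filter"):
        items += [(kind, v) for v in hjt.get(kind, [])]
    # Processes with a full path that is neither under Program Files nor under WINDOWS.
    for proc in sections.get("Running Processes", []):
        low = proc.lower()
        if low.startswith("c:\\") and not low.startswith(("c:\\program files\\", "c:\\windows\\")):
            items.append(("process outside standard dirs", proc))
    # Long hex-named folders in the root of C: (often update extraction dirs, still worth a look).
    for row in parse_created(sections.get("Created Last 30", [])):
        if re.fullmatch(r"c:\\[0-9a-f]{20,}", row["path"], re.IGNORECASE):
            items.append(("hex-named root folder", row["path"]))
    return items


if __name__ == "__main__":
    for path in created_since(SAMPLE_DDS, "2011-04-07"):
        print("created since infection:", path)
    for kind, value in review_items(SAMPLE_DDS):
        print(f"review [{kind}]: {value}")
```

Feeding the full DDS.txt to `split_sections` works the same way; `created_since` is the quickest way to see what a scanner, an update and the infection each wrote, and the review list is where a helper's reading of the log starts.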





#4 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 26 April 2011 - 03:45 PM

Hi again, since that rogue often comes bundled with a rootkit, let's first check for that.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[image]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
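Added example, not part of this thread and not Elise's, ComboFix's or BleepingComputer's own code. Elise's step above is to look for the rootkit that this rogue commonly ships with, and the kind of rootkit involved patches a system driver in place. A point worth making before reading the next post: a rootkit that patches a driver normally copies the original timestamps back onto the modified file, so a driver whose date and time match the copy in the i386 directory can still be patched (Bryan raises exactly this puzzle below). The only reliable comparison is the content hash against a known-good copy, plus the Authenticode signature on a live Windows box. The script below shows that check; it runs entirely in a temporary directory on constructed files, touches no real driver, and the file names, the fake "PE" blob and the 5-byte stub written at offset 0x200 are assumptions for the demo.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Comparison:
    same_mtime: bool
    same_size: bool
    same_hash: bool
    hash_candidate: str
    hash_reference: str


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large drivers are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_driver(candidate: str, reference: str) -> Comparison:
    """Compare the live file against a known-good copy on three axes.
    Only the hash is trustworthy; mtime and size are attacker-controlled."""
    st_c, st_r = os.stat(candidate), os.stat(reference)
    h_c, h_r = sha256_file(candidate), sha256_file(reference)
    return Comparison(
        same_mtime=st_c.st_mtime_ns == st_r.st_mtime_ns,
        same_size=st_c.st_size == st_r.st_size,
        same_hash=h_c == h_r,
        hash_candidate=h_c,
        hash_reference=h_r,
    )


def verdict(c: Comparison) -> str:
    """Human-readable reading of a Comparison."""
    if c.same_hash:
        return "OK: content identical to reference"
    if c.same_mtime and c.same_size:
        return "PATCHED: timestamp and size match but content differs (in-place patch, timestamps restored)"
    if c.same_mtime:
        return "PATCHED: timestamp matches but content differs"
    return "DIFFERS: content differs and timestamp was not preserved"


def simulate_patched_driver(workdir: str) -> Tuple[str, str]:
    """Constructed sample data (an assumption for the demo, not a real driver):
    a fake 'reference' driver and a copy that is patched in place at offset
    0x200 with a 5-byte jmp stub, then given back the reference's timestamps
    with os.utime, which is what a driver-patching rootkit does."""
    reference = os.path.join(workdir, "volsnap.sys.ref")
    candidate = os.path.join(workdir, "volsnap.sys")
    blob = b"MZ" + bytes(range(256)) * 8          # fake PE-like bytes, constructed
    with open(reference, "wb") as f:
        f.write(blob)
    shutil.copy2(reference, candidate)            # copy2 carries the mtime over
    with open(candidate, "r+b") as f:
        f.seek(0x200)
        f.write(b"\xE9\x00\x10\x00\x00")          # overwrite bytes, size unchanged
    st = os.stat(reference)
    os.utime(candidate, ns=(st.st_atime_ns, st.st_mtime_ns))   # timestomp
    return candidate, reference


def demo() -> Comparison:
    """Run the comparison on the constructed files and return the result."""
    with tempfile.TemporaryDirectory() as d:
        candidate, reference = simulate_patched_driver(d)
        result = compare_driver(candidate, reference)
        print(verdict(result))
        print("candidate ", result.hash_candidate)
        print("reference ", result.hash_reference)
        return result


if __name__ == "__main__":
    demo()
```

On the real XP machine the reference copy would be the compressed volsnap.sy_ from the i386 directory expanded with the built-in `expand` tool, or the file from a clean install of the same service pack level, and the candidate would be C:\WINDOWS\system32\drivers\volsnap.sys; the same-timestamp, different-hash verdict is the signature of an in-place patch. Checking the file's Authenticode signature (for example with Sysinternals sigcheck) is the complementary test, since a patched driver no longer validates.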


#5 BryanBlack (Topic Starter)
Members, 11 posts

Posted 26 April 2011 - 09:58 PM

Hi Elise,

OK, the ComboFix ran, took about 2.5 hours all told.

At around 20 minutes in it put up a message box titled:

"Patched Volsnap.sys !!"

Text was:

"The Driver Volsnap.sys is patched with a rootkit.

Attempting Disinfection.

Please be patient as this may take several minutes"

I didn't have a chance to compare with another computer, but the C:\Windows\System32\Drivers\Volsnap.sys was modified the same date and time as the unexpanded one in the i386 dir, so how ...?

A few minutes later one of the IE Script error windows popped up, but this time another smaller box also appeared titled "Windows Internet Explorer", with a yellow exclamation sign and the text: "Stack Overflow at line: 0" and an "OK" button.

Had to click on that about eleventeen times and it finally went away; the IE Script error also went away after two "No" clicks to the "continue running scripts on this page?" as usual.

Later message box:

"Combofix has detected the presence of rootkit activity and needs to reboot the machine!"

After reboot, message box:

"ComboFix is attempting to create a new system restore point! "

Avira popped up a detection of virus or unwanted program twice: command.pif and shimg.dll. I told it to ignore as the ComboFix was running.

And either before or after, ComboFix downloaded and installed Microsoft Windows Recovery Console.

And later, I think after another restart:

"ComboFix - Find3M" command window was displaying the lines:

"Preparing log report."

"do not run any programs until Combo fix has finished"

Avira popped up a detection of virus or unwanted program: C:\Qoobox\32788R22FWJFW\Volsnap.sys is the TR/Patched.Gen Trojan.

I told it to ignore this also.

Secunia PSI (sorry, I forgot I had installed this 2-3 days after the infection also) was putting up a message at the same time:

Program Changes Detected:
New Programs:

NirCmd 2.x (Patched)

Removed Programs:

NirCmd 2.x (Patched)

Eventually the "ComboFix - Find3M" command window went away and it left a Log.txt file open (C:\Log.txt, 4/26 7:03 PM).

Also on C:\ was ComboFix.txt (4/26 7:04 PM).





There was a directory left on the hard drive, C:\Qoobox; structure and files below:

 Volume in drive C has no label.
 Volume Serial Number is 8866-7FC2

 Directory of C:\Qoobox

04/26/2011  07:04 PM    <DIR>          .
04/26/2011  07:04 PM    <DIR>          ..
04/26/2011  07:03 PM             9,152 Add-Remove Programs.txt
04/26/2011  06:22 PM    <DIR>          BackEnv
04/26/2011  07:04 PM               603 ComboFix-quarantined-files.txt
04/26/2011  06:26 PM    <DIR>          Quarantine
04/26/2011  07:03 PM                 0 SnapShot@2011-04-26_22.35.16.dat
               3 File(s)          9,755 bytes

 Directory of C:\Qoobox\Quarantine

04/26/2011  06:26 PM    <DIR>          .
04/26/2011  06:26 PM    <DIR>          ..
04/26/2011  06:30 PM    <DIR>          C
04/26/2011  06:20 PM                51 catchme.log
04/26/2011  07:03 PM    <DIR>          Registry_backups
               1 File(s)             51 bytes

 Directory of C:\Qoobox\Quarantine\C

04/26/2011  06:30 PM    <DIR>          .
04/26/2011  06:30 PM    <DIR>          ..
04/26/2011  06:30 PM    <DIR>          WINDOWS
               0 File(s)              0 bytes

 Directory of C:\Qoobox\Quarantine\C\WINDOWS

04/26/2011  06:30 PM    <DIR>          .
04/26/2011  06:30 PM    <DIR>          ..
04/26/2011  06:30 PM    <DIR>          system32
               0 File(s)              0 bytes

 Directory of C:\Qoobox\Quarantine\C\WINDOWS\system32

04/26/2011  06:30 PM    <DIR>          .
04/26/2011  06:30 PM    <DIR>          ..
03/03/2011  04:23 PM             2,855 command.PIF.vir
11/23/2010  01:32 AM           295,554 shimg.dll.vir
               2 File(s)        298,409 bytes

 Directory of C:\Qoobox\Quarantine\Registry_backups

04/26/2011  07:03 PM    <DIR>          .
04/26/2011  07:03 PM    <DIR>          ..
04/26/2011  07:03 PM               852 Notify-ACNotify.reg.dat
04/26/2011  06:29 PM            11,797 tcpip.reg
               2 File(s)         12,649 bytes

     Total Files Listed:
               8 File(s)        320,864 bytes
              18 Dir(s)  76,137,242,624 bytes free

---

Let me know if I should send any of these Qoobox files other than the 06:20 PM catchme.log (attached) from the Quarantine dir (and how to send):
Notify-ACNotify.reg.dat
tcpip.reg
SnapShot@2011-04-26_22.35.16.dat
(~\BackEnv is not accessible.)

There was also a 5:22PM catchme.log in C:\Documents and Settings\Administrator\Desktop (also attached).




More questions please:

Why didn't Avira catch any of these before? Or Spybot, for that matter?

Should I be using Microsoft Security Essentials rather than Avira? (Or something else?)

What caused the RKill to fail in that fashion? Was that a side effect of/something done to prevent its removal by the trojan?

(Though I will try to look up details to see what may have transpired too.)


---
Noticing some differences already, settings that had previously been suppressed or gotten around:
Yahoo warning of being redirected to a secure connection to log in to mail.

Warning/notification of a website wanting to install Flash Player rather than having the download/install confirmation just pop up.

And I haven't tried the same exact Google search result links yet, but similar URLs (including a Beeradvocate link not "covered" by .html at the end) are working without redirection.

---------

I am in Clearwater, Florida (West Coast, between Tampa Bay and Gulf of Mexico), USA. Over the last week it has just been starting to turn from a nice {but too short!} Spring to the early beginning of what looks like it will be a hot (low - mod 90s F), humid, and stormy Summer... How is it where you are?


Thanks for your help,
Bryan Black



---- ---- ----

C:\Log.txt contents (said file was too big to attach, was second one tried, apologies):
[start]
---
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOGON
SERVICE_CONTROL_DBC_SHUTDOWN_DISABLED
SERVICE_CONTROL_DBC_LOGOFF_DISABLED
SERVICE_CONTROL_DBC_SCREENLOCK_DISABLED
SERVICE_CONTROL_DBC_SCREENSAVER_DISABLED
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
SERVICE_CONTROL_DBC_SHUTDOWN_DISABLED
SERVICE_CONTROL_DBC_LOGOFF_DISABLED
SERVICE_CONTROL_DBC_SCREENLOCK_DISABLED
SERVICE_CONTROL_DBC_SCREENSAVER_DISABLED
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
SERVICE_CONTROL_DBC_SHUTDOWN_DISABLED
SERVICE_CONTROL_DBC_LOGOFF_DISABLED
SERVICE_CONTROL_DBC_SCREENLOCK_DISABLED
SERVICE_CONTROL_DBC_SCREENSAVER_DISABLED
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
SERVICE_CONTROL_DBC_SHUTDOWN_DISABLED
SERVICE_CONTROL_DBC_LOGOFF_DISABLED
SERVICE_CONTROL_DBC_SCREENLOCK_DISABLED
SERVICE_CONTROL_DBC_SCREENSAVER_DISABLED
SERVICE_CONTROL_DBC_SHUTDOWN_DISABLED
SERVICE_CONTROL_DBC_LOGOFF_DISABLED
SERVICE_CONTROL_DBC_SCREENLOCK_DISABLED
SERVICE_CONTROL_DBC_SCREENSAVER_DISABLED
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
SERVICE_CONTROL_DBC_SHUTDOWN_DISABLED
SERVICE_CONTROL_DBC_LOGOFF_DISABLED
SERVICE_CONTROL_DBC_SCREENLOCK_DISABLED
SERVICE_CONTROL_DBC_SCREENSAVER_DISABLED
SERVICE_CONTROL_DBC_SHUTDOWN_DISABLED
SERVICE_CONTROL_DBC_LOGOFF_DISABLED
SERVICE_CONTROL_DBC_SCREENLOCK_DISABLED
SERVICE_CONTROL_DBC_SCREENSAVER_DISABLED
SERVICE_CONTROL_DBC_SHUTDOWN_DISABLED
SERVICE_CONTROL_DBC_LOGOFF_DISABLED
SERVICE_CONTROL_DBC_SCREENLOCK_DISABLED
SERVICE_CONTROL_DBC_SCREENSAVER_DISABLED
SERVICE_CONTROL_DBC_SHUTDOWN_DISABLED
SERVICE_CONTROL_DBC_LOGOFF_DISABLED
SERVICE_CONTROL_DBC_SCREENLOCK_DISABLED
SERVICE_CONTROL_DBC_SCREENSAVER_DISABLED
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
SERVICE_CONTROL_DBC_SHUTDOWN_DISABLED
SERVICE_CONTROL_DBC_LOGOFF_DISABLED
SERVICE_CONTROL_DBC_SCREENLOCK_DISABLED
SERVICE_CONTROL_DBC_SCREENSAVER_DISABLED
SERVICE_CONTROL_DBC_SHUTDOWN_DISABLED
SERVICE_CONTROL_DBC_LOGOFF_DISABLED
SERVICE_CONTROL_DBC_SCREENLOCK_DISABLED
SERVICE_CONTROL_DBC_SCREENSAVER_DISABLED
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
SERVICE_CONTROL_INTERROGATE
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
WTS_SESSION_LOCK
WTS_SESSION_UNLOCK
SERVICE_CONTROL_INTERROGATE
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
SERVICE_CONTROL_INTERROGATE
WTS_SESSION_LOGOFF
SERVICE_CONTROL_SHUTDOWN
WTS_CONSOLE_CONNECT
WTS_SESSION_LOGON
SERVICE_CONTROL_INTERROGATE
======
[End]

Attached Files



#6 BryanBlack

BryanBlack
  • Topic Starter

  • Members
  • 11 posts

Posted 26 April 2011 - 10:02 PM

Oops, actually you said to include the C:\Combofix.txt in the next reply, sorry...

Here it is below:

---

ComboFix 11-04-26.01 - Daimyo 04/26/2011 18:26:55.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1542 [GMT -4:00]
Running from: c:\av\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\command.pif
c:\windows\system32\shimg.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-03-26 to 2011-04-26 )))))))))))))))))))))))))))))))
.
.
2011-04-11 19:40 . 2011-04-11 19:40 -------- d-----w- c:\program files\Secunia
2011-04-11 18:45 . 2011-04-11 18:45 -------- d-----w- c:\program files\Common Files\Java
2011-04-11 18:45 . 2011-04-11 18:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-11 18:45 . 2011-04-11 18:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-11 18:45 . 2011-04-11 18:45 -------- d-----w- c:\program files\Java
2011-04-11 18:17 . 2011-04-11 18:22 -------- d-----w- C:\e57f0a2b9c60ca553166dda0cb91
2011-04-11 18:10 . 2008-05-13 00:22 4224 ----a-w- c:\windows\system32\drivers\IBMBLDID.sys
2011-04-11 18:10 . 2005-09-28 21:07 11520 ----a-w- c:\windows\system32\drivers\ANC.sys
2011-04-10 20:24 . 2008-08-21 12:00 966656 ----a-w- c:\program files\MSN\MSNCoreFiles\OOBE\obemetal.dll
2011-04-10 20:24 . 2008-08-21 12:00 86016 ----a-w- c:\program files\MSN\MSNCoreFiles\OOBE\obepopc.dll
2011-04-10 20:24 . 2008-08-21 12:00 77824 ----a-w- c:\program files\MSN\MSNCoreFiles\OOBE\obemtllc.dll
2011-04-10 20:24 . 2008-08-21 12:00 229376 ----a-w- c:\program files\MSN\MSNCoreFiles\OOBE\obelog.dll
2011-04-10 20:24 . 2008-08-21 12:00 884712 ----a-w- c:\program files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
2011-04-10 20:24 . 2008-08-21 12:00 1327320 ----a-w- c:\program files\MSN\MSNCoreFiles\Install\msnsusii.exe
2011-04-10 20:24 . 2008-08-21 12:00 11053008 ----a-w- c:\program files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
2011-04-09 19:07 . 2011-04-09 19:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-09 19:07 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 19:07 . 2011-04-09 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-09 19:07 . 2011-04-09 19:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-09 17:17 . 2011-04-26 20:59 -------- d-----w- C:\AV
2011-04-09 16:55 . 2011-04-09 21:28 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-09 16:55 . 2009-03-30 13:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-04-09 16:55 . 2009-02-13 15:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-04-09 16:55 . 2009-02-13 15:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-04-09 16:55 . 2011-04-09 16:55 -------- d-----w- c:\program files\Avira
2011-04-09 16:55 . 2011-04-09 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-04-08 17:01 . 2011-04-08 17:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-11 19:03 . 2009-12-15 17:50 672 ----a-w- C:\WU DetectNow.bat
2011-02-09 13:53 . 2009-06-01 23:21 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2009-06-01 23:20 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2009-06-01 23:29 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-06-01 23:29 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SODCPreLoad"="c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\preload.exe" [2009-12-15 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-09-30 68976]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2008-11-21 49928]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-11-21 385024]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-03-18 208896]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-10-08 256576]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-06 1323008]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-05-22 33280]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-08-21 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-08-21 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-08-21 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-08-21 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-08-21 455168]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2010-09-17 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2010-09-17 176128]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2010-7-21 965176]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2009-2-10 604776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2008-11-21 07:35 95496 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 20:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 23:14 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\IBM\\Lotus\\Symphony\\symphony.exe"=
"c:\\Program Files\\IBM\\Lotus\\Symphony\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.0.20090505-1200\\win32\\x86\\symphony.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkPad\\ConnectUtilities\\Access Connections.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/9/2011 12:55 PM 108289]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [6/2/2009 1:05 PM 53248]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [11/21/2008 3:11 AM 12560]
R3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2/18/2008 5:14 PM 105216]
R3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2/8/2008 1:00 PM 59264]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 10:05 AM 14904]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [3/6/2008 5:10 PM 106496]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [4/10/2007 2:03 PM 72576]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [1/12/2007 5:26 PM 102144]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-26 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-06-02 17:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
LSP: bmnet.dll
.
- - - - ORPHANS REMOVED - - - -
.
Notify-ACNotify - ACNotify.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-26 18:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2371505810-386603452-1313754912-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1140)
c:\windows\system32\tvt_gina.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\windows\system32\WININET.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\ACNewBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\program files\ThinkPad\ConnectUtilities\Res\US\ACGinaRes.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
.
- - - - - - - > 'lsass.exe'(1196)
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\windows\system32\bmnet.dll
.
- - - - - - - > 'explorer.exe'(3636)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\bmwebcfg.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\progra~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\progra~1\ThinkPad\UTILIT~1\PWMUIAux.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2011-04-26 19:04:23 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-26 23:04
.
Pre-Run: 75,511,488,512 bytes free
Post-Run: 75,900,772,352 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 9866CCF57FEF9428009DAAD62D4C0F58

#7 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 27 April 2011 - 01:32 AM

Please right-click on the Combofix-icon and select Rename. Rename the file to Random.

Then run it like this.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
TDL::
c:\windows\system32\drivers\volsnap.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."
Malware analyst @ Emsisoft


#8 BryanBlack

  • Topic Starter
  • Members
  • 11 posts

Posted 27 April 2011 - 11:34 AM

Good Day Elise,

When I first tried to run it by dragging CFScript into ComboFix renamed Random.exe, a box came up suggesting I get a fresh copy of ComboFix from
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
so I did, re-disabled Avira, renamed the new file Random, and dragged CFScript into it.
It appeared to process with no unusual incidents.
Contents of C:\ComboFix.txt posted below.

Thank you,
Bryan


---------

ComboFix 11-04-26.05 - Daimyo 04/27/2011 12:12:32.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1383 [GMT -4:00]
Running from: c:\av\Random.exe
Command switches used :: c:\av\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-27 to 2011-04-27 )))))))))))))))))))))))))))))))
.
.
2011-04-27 16:03 . 2011-04-27 16:09 -------- d-----w- C:\Random
2011-04-11 19:40 . 2011-04-11 19:40 -------- d-----w- c:\program files\Secunia
2011-04-11 18:45 . 2011-04-11 18:45 -------- d-----w- c:\program files\Common Files\Java
2011-04-11 18:45 . 2011-04-11 18:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-11 18:45 . 2011-04-11 18:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-11 18:45 . 2011-04-11 18:45 -------- d-----w- c:\program files\Java
2011-04-11 18:17 . 2011-04-11 18:22 -------- d-----w- C:\e57f0a2b9c60ca553166dda0cb91
2011-04-11 18:10 . 2008-05-13 00:22 4224 ----a-w- c:\windows\system32\drivers\IBMBLDID.sys
2011-04-11 18:10 . 2005-09-28 21:07 11520 ----a-w- c:\windows\system32\drivers\ANC.sys
2011-04-10 20:24 . 2008-08-21 12:00 966656 ----a-w- c:\program files\MSN\MSNCoreFiles\OOBE\obemetal.dll
2011-04-10 20:24 . 2008-08-21 12:00 86016 ----a-w- c:\program files\MSN\MSNCoreFiles\OOBE\obepopc.dll
2011-04-10 20:24 . 2008-08-21 12:00 77824 ----a-w- c:\program files\MSN\MSNCoreFiles\OOBE\obemtllc.dll
2011-04-10 20:24 . 2008-08-21 12:00 229376 ----a-w- c:\program files\MSN\MSNCoreFiles\OOBE\obelog.dll
2011-04-10 20:24 . 2008-08-21 12:00 884712 ----a-w- c:\program files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
2011-04-10 20:24 . 2008-08-21 12:00 1327320 ----a-w- c:\program files\MSN\MSNCoreFiles\Install\msnsusii.exe
2011-04-10 20:24 . 2008-08-21 12:00 11053008 ----a-w- c:\program files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
2011-04-09 19:07 . 2011-04-09 19:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-09 19:07 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 19:07 . 2011-04-09 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-09 19:07 . 2011-04-09 19:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-09 17:17 . 2011-04-27 16:12 -------- d-----w- C:\AV
2011-04-09 16:55 . 2011-04-09 21:28 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-09 16:55 . 2009-03-30 13:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-04-09 16:55 . 2009-02-13 15:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-04-09 16:55 . 2009-02-13 15:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-04-09 16:55 . 2011-04-09 16:55 -------- d-----w- c:\program files\Avira
2011-04-09 16:55 . 2011-04-09 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-04-08 17:01 . 2011-04-08 17:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-11 19:03 . 2009-12-15 17:50 672 ----a-w- C:\WU DetectNow.bat
2011-02-09 13:53 . 2009-06-01 23:21 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2009-06-01 23:20 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2009-06-01 23:29 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SODCPreLoad"="c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\preload.exe" [2009-12-15 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-09-30 68976]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2008-11-21 49928]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-11-21 385024]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-03-18 208896]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-10-08 256576]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-06 1323008]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-05-22 33280]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-08-21 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-08-21 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-08-21 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-08-21 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-08-21 455168]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2010-09-17 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2010-09-17 176128]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2010-7-21 965176]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2009-2-10 604776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2008-11-21 07:35 95496 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 20:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 23:14 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\IBM\\Lotus\\Symphony\\symphony.exe"=
"c:\\Program Files\\IBM\\Lotus\\Symphony\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.0.20090505-1200\\win32\\x86\\symphony.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkPad\\ConnectUtilities\\Access Connections.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/9/2011 12:55 PM 108289]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [6/2/2009 1:05 PM 53248]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [11/21/2008 3:11 AM 12560]
R3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2/18/2008 5:14 PM 105216]
R3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2/8/2008 1:00 PM 59264]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 10:05 AM 14904]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [3/6/2008 5:10 PM 106496]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [4/10/2007 2:03 PM 72576]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [1/12/2007 5:26 PM 102144]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-27 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-06-02 17:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
LSP: bmnet.dll
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-27 12:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2371505810-386603452-1313754912-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1140)
c:\windows\system32\tvt_gina.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\windows\system32\WININET.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\ACNewBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\program files\ThinkPad\ConnectUtilities\Res\US\ACGinaRes.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\Lenovo\HOTKEY\notifyf2.dll
.
- - - - - - - > 'lsass.exe'(1196)
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\windows\system32\bmnet.dll
.
- - - - - - - > 'explorer.exe'(3268)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2011-04-27 12:16:25
ComboFix-quarantined-files.txt 2011-04-27 16:16
.
Pre-Run: 76,076,908,544 bytes free
Post-Run: 76,076,285,952 bytes free
.
- - End Of File - - 504756866737163B54D844D4386070D5

#9 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 27 April 2011 - 12:08 PM

Please try to run this instead.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."
Malware analyst @ Emsisoft
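
Editor's note on the log the steps above produce: the driver lines TDSSKiller writes (one per service, with the file's MD5 and its path, as in the log posted later in this thread) are a useful artifact to check against a known-clean reference; a boot driver patched in place, such as the volsnap.sys named in the earlier CFScript, fails exactly that comparison. The Python script below is an added example and is not TDSSKiller's, ComboFix's or any participant's code. Its sample lines and its reference hash table are constructed (the atapi.sys line and hash are copied from the log in this thread; the other two lines and every other hash are made up), and parse_tdsskiller_log, assess and run_sample are names chosen here.

```python
"""Parse the per-driver lines of a TDSSKiller log and flag entries that
deserve a closer look.  Added example for this thread, not TDSSKiller's
or ComboFix's own code.  The reference hash table is constructed for
illustration; in practice it comes from a known-clean system."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# One driver line in a TDSSKiller log has the shape
#   <date> <time> <thread id> <service name> (<md5 of the file>) <path>
# Banner and SystemInfo lines carry no "(<md5>)" group and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+"
    r"(?P<tid>\d+)\s+"
    r"(?P<service>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+"
    r"(?P<path>\S.*?)\s*$"
)


@dataclass(frozen=True)
class DriverEntry:
    timestamp: str
    service: str
    md5: str      # lower-cased hex digest as printed by the tool
    path: str


def parse_tdsskiller_log(lines: Iterable[str]) -> List[DriverEntry]:
    """Return one DriverEntry per driver line, in log order."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(DriverEntry(m["ts"], m["service"], m["md5"].lower(), m["path"]))
    return entries


# Directories Windows XP loads its drivers from (compared case-insensitively).
STANDARD_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")


def assess(entries: Iterable[DriverEntry], known_good: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (service, reason) findings for manual follow-up.

    known_good maps a lower-cased file path to the MD5 a clean copy should
    have.  A driver is reported when its hash differs from the reference,
    when no reference exists for it, or when it loads from outside the
    standard driver directories.  A finding is a pointer for review, not
    proof of infection; a boot driver patched in place shows up as the
    first kind, the same check the TDL:: line in this thread's CFScript
    asks ComboFix to make on volsnap.sys.
    """
    findings = []
    for e in entries:
        path_l = e.path.lower()
        reference = known_good.get(path_l)
        if reference is None:
            findings.append((e.service, "no reference hash for " + e.path))
        elif reference.lower() != e.md5:
            findings.append((e.service, "hash mismatch for " + e.path))
        if not path_l.startswith(STANDARD_DRIVER_DIRS):
            findings.append((e.service, "loads from outside the standard driver directories: " + e.path))
    return findings


# Constructed sample: the atapi line is copied from the log posted in this
# thread; the other two driver lines and the hashes in them are made up.
SAMPLE_LOG_LINES = [
    r"2011/04/27 15:01:04.0718 2652 Scan started",
    r"2011/04/27 15:01:04.0718 2652 Mode: Manual;",
    r"2011/04/27 15:01:06.0359 2652 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys",
    r"2011/04/27 15:01:15.0700 2652 volsnap (deadbeefdeadbeefdeadbeefdeadbeef) C:\WINDOWS\system32\DRIVERS\volsnap.sys",
    r"2011/04/27 15:01:15.0800 2652 oddsvc (0123456789abcdef0123456789abcdef) C:\WINDOWS\Temp\oddsvc.sys",
]

# Constructed reference table (lower-cased path -> expected MD5).  The atapi
# value is the one shown in the thread's log; the volsnap value is a placeholder.
KNOWN_GOOD = {
    r"c:\windows\system32\drivers\atapi.sys": "9f3a2f5aa6875c72bf062c712cfa2674",
    r"c:\windows\system32\drivers\volsnap.sys": "aabbccddaabbccddaabbccddaabbccdd",
}


def run_sample() -> List[Tuple[str, str]]:
    """Parse the constructed sample and return its findings."""
    return assess(parse_tdsskiller_log(SAMPLE_LOG_LINES), KNOWN_GOOD)


if __name__ == "__main__":
    for service, reason in run_sample():
        print(f"{service}: {reason}")
```

Run as a script it prints the three findings for the constructed sample (the volsnap hash mismatch, the unknown oddsvc driver, and that driver's non-standard load path); the clean atapi line produces nothing. Against a real TDSSKiller_*_log.txt, feed its lines to parse_tdsskiller_log and pass a reference table built from a clean install of the same service pack, and treat each finding as something to inspect rather than something to delete, which is the same reason the tool itself presents the Cure choice before acting.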


#10 BryanBlack

  • Topic Starter
  • Members
  • 11 posts

Posted 27 April 2011 - 02:09 PM

Hello,

I ran TDSSKiller.exe from the Desktop; nothing found. Log file contents posted below:

Thanks,
Bryan

TDSSKiller.2.4.21.0_27.04.2011_15.01.02_log.txt:
------
2011/04/27 15:01:02.0296 2116 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/27 15:01:02.0375 2116 ================================================================================
2011/04/27 15:01:02.0375 2116 SystemInfo:
2011/04/27 15:01:02.0375 2116
2011/04/27 15:01:02.0375 2116 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/27 15:01:02.0375 2116 Product type: Workstation
2011/04/27 15:01:02.0375 2116 ComputerName: T60P-L34P86C
2011/04/27 15:01:02.0375 2116 UserName: Daimyo
2011/04/27 15:01:02.0375 2116 Windows directory: C:\WINDOWS
2011/04/27 15:01:02.0375 2116 System windows directory: C:\WINDOWS
2011/04/27 15:01:02.0375 2116 Processor architecture: Intel x86
2011/04/27 15:01:02.0375 2116 Number of processors: 2
2011/04/27 15:01:02.0375 2116 Page size: 0x1000
2011/04/27 15:01:02.0375 2116 Boot type: Normal boot
2011/04/27 15:01:02.0375 2116 ================================================================================
2011/04/27 15:01:02.0578 2116 Initialize success
2011/04/27 15:01:04.0718 2652 ================================================================================
2011/04/27 15:01:04.0718 2652 Scan started
2011/04/27 15:01:04.0718 2652 Mode: Manual;
2011/04/27 15:01:04.0718 2652 ================================================================================
2011/04/27 15:01:05.0687 2652 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/27 15:01:05.0718 2652 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/04/27 15:01:05.0843 2652 ADIHdAudAddService (beee84a79710f705864685b05f1bb172) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2011/04/27 15:01:05.0921 2652 AEAudio (358063ab6c1c4173b735525cdfa65f94) C:\WINDOWS\system32\drivers\AEAudio.sys
2011/04/27 15:01:05.0937 2652 AEAudioService (358063ab6c1c4173b735525cdfa65f94) C:\WINDOWS\system32\drivers\AEAudio.sys
2011/04/27 15:01:06.0000 2652 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/27 15:01:06.0093 2652 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/04/27 15:01:06.0218 2652 ANC (11ab185a7af224800bbfb5b836974a17) C:\WINDOWS\system32\drivers\ANC.SYS
2011/04/27 15:01:06.0328 2652 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/27 15:01:06.0359 2652 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/27 15:01:06.0609 2652 ati2mtag (2b6f1b90dd34910f329b5a655140032b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/04/27 15:01:06.0750 2652 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/27 15:01:06.0796 2652 atmeltpm (dbf0d7e2df33b469eb55406fea759350) C:\WINDOWS\system32\DRIVERS\atmeltpm.sys
2011/04/27 15:01:06.0843 2652 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/27 15:01:06.0921 2652 avgio (6a646c46b9415e13095aa9b352040a7a) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/04/27 15:01:07.0031 2652 avgntflt (14fe36d8f2c6a2435275338d061a0b66) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/04/27 15:01:07.0078 2652 avipbb (452e382340bb0c5e694ed9d3625356d0) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2011/04/27 15:01:07.0125 2652 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/27 15:01:07.0203 2652 btaudio (4b43dfe1c1fbb305a1dc5504ef9bb34e) C:\WINDOWS\system32\drivers\btaudio.sys
2011/04/27 15:01:07.0296 2652 BTDriver (2f9f111d31aa3fbbe5781d829a4524e6) C:\WINDOWS\system32\DRIVERS\btport.sys
2011/04/27 15:01:07.0359 2652 BTKRNL (cf47c53d294abcb5159b02b68b37ba89) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2011/04/27 15:01:07.0421 2652 BTWDNDIS (485020a1e1fc5c51a800ca69c618d881) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
2011/04/27 15:01:07.0625 2652 BTWUSB (6b622612fe21b59faee2ca4385959778) C:\WINDOWS\system32\Drivers\btwusb.sys
2011/04/27 15:01:07.0812 2652 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/27 15:01:07.0937 2652 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/27 15:01:07.0984 2652 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/27 15:01:08.0015 2652 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/27 15:01:08.0078 2652 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/04/27 15:01:08.0109 2652 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/04/27 15:01:08.0203 2652 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/27 15:01:08.0265 2652 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/27 15:01:08.0390 2652 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/27 15:01:08.0421 2652 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/27 15:01:08.0468 2652 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/27 15:01:08.0515 2652 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/27 15:01:08.0562 2652 e1express (27f19c1cd70ebe00817c1eefc5239de1) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/04/27 15:01:08.0625 2652 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/27 15:01:08.0687 2652 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/04/27 15:01:08.0812 2652 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/27 15:01:08.0828 2652 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/04/27 15:01:08.0859 2652 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/04/27 15:01:08.0906 2652 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/27 15:01:08.0921 2652 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/27 15:01:08.0968 2652 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/27 15:01:09.0015 2652 GT72NDISIPXP (74e63e39614d7abfa16fdf268d55aade) C:\WINDOWS\system32\DRIVERS\Gt51Ip.sys
2011/04/27 15:01:09.0062 2652 GT72UBUS (2840bf7e42717d7927fe61985546eb6e) C:\WINDOWS\system32\DRIVERS\gt72ubus.sys
2011/04/27 15:01:09.0125 2652 GTPTSER (346ddaefa04e49ad804ee12d4baa0ed3) C:\WINDOWS\system32\DRIVERS\gtptser.sys
2011/04/27 15:01:09.0281 2652 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/27 15:01:09.0343 2652 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/27 15:01:09.0421 2652 HSFHWAZL (0aaef566e6782957252fa79f566fbc0b) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/04/27 15:01:09.0468 2652 HSF_DPV (e472e0cb4e716cc34c0e045f2c196221) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/04/27 15:01:09.0625 2652 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/27 15:01:09.0703 2652 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/27 15:01:09.0765 2652 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\WINDOWS\system32\drivers\iaStor.sys
2011/04/27 15:01:09.0781 2652 IBMPMDRV (bf648877413f6160e480814a24942b65) C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys
2011/04/27 15:01:09.0843 2652 IBMTPCHK (3a7dbe81ec5edb96a0a61c7d4af3198d) C:\WINDOWS\system32\Drivers\IBMBLDID.sys
2011/04/27 15:01:09.0937 2652 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/27 15:01:10.0015 2652 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/27 15:01:10.0062 2652 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/04/27 15:01:10.0078 2652 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/27 15:01:10.0125 2652 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/27 15:01:10.0156 2652 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/27 15:01:10.0218 2652 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
2011/04/27 15:01:10.0328 2652 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/27 15:01:10.0375 2652 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/27 15:01:10.0406 2652 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/27 15:01:10.0437 2652 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/27 15:01:10.0484 2652 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/27 15:01:10.0562 2652 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/04/27 15:01:10.0609 2652 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/27 15:01:10.0750 2652 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/27 15:01:10.0781 2652 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/27 15:01:10.0828 2652 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/27 15:01:10.0890 2652 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/27 15:01:10.0921 2652 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/27 15:01:10.0984 2652 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/27 15:01:11.0078 2652 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/27 15:01:11.0125 2652 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/27 15:01:11.0140 2652 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/27 15:01:11.0171 2652 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/27 15:01:11.0218 2652 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/27 15:01:11.0234 2652 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/27 15:01:11.0265 2652 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/27 15:01:11.0312 2652 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/27 15:01:11.0437 2652 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/27 15:01:11.0453 2652 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/27 15:01:11.0484 2652 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/27 15:01:11.0531 2652 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/27 15:01:11.0578 2652 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/27 15:01:11.0765 2652 NETw5x32 (ccdb8db66acd3c0a6c8e171b79f60ac4) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
2011/04/27 15:01:12.0031 2652 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/27 15:01:12.0078 2652 NSCIRDA (2adc0ca9945c65284b3d19bc18765974) C:\WINDOWS\system32\DRIVERS\nscirda.sys
2011/04/27 15:01:12.0125 2652 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/27 15:01:12.0296 2652 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/27 15:01:12.0328 2652 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/27 15:01:12.0343 2652 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/27 15:01:12.0390 2652 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/04/27 15:01:12.0406 2652 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/27 15:01:12.0421 2652 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/27 15:01:12.0468 2652 PCASp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\PCASp50.sys
2011/04/27 15:01:12.0515 2652 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/27 15:01:12.0656 2652 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/27 15:01:12.0671 2652 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/04/27 15:01:12.0734 2652 PCTINDIS5 (351bd8c80b2c411ea5a122fcfed4d7c8) C:\WINDOWS\system32\PCTINDIS5.SYS
2011/04/27 15:01:12.0906 2652 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/27 15:01:12.0937 2652 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/27 15:01:12.0984 2652 PSI (1df21f001f3a94eba4a2950c70cc358f) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
2011/04/27 15:01:13.0093 2652 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/27 15:01:16.0890 2652 ================================================================================
2011/04/27 15:01:16.0890 2652 Scan finished
2011/04/27 15:01:16.0890 2652 ================================================================================
2011/04/27 15:01:28.0656 1712 Deinitialize success
====



#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania
  • Local time:07:03 PM

Posted 27 April 2011 - 02:45 PM

How are things running at this point?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#12 BryanBlack

BryanBlack
  • Topic Starter

  • Members
  • 11 posts
  • Local time:11:03 AM

Posted 27 April 2011 - 08:00 PM



It has been running well so far, thanks. No redirections, and generally CPU utilization & memory usage by internet browsers is seeming lower.
I did not have much time earlier to look up things on Google, but the two times I did none of the result links redirected.
(I will probably be trying to look up more things tomorrow, Friday at the latest {inevitably}; will report.)


However, earlier this afternoon Malware Bytes picked up (one of the files backed up by ComboFix using System Restore? yesterday):

from mbam-log-2011-04-27 (15-55-46).txt
Files Infected:
c:\system volume information\_restore{74ef66a5-570f-49ec-9fe2-dd36c7d96bd4}\rp369\a0036574.sys (Rootkit.Patch) -> Quarantined and deleted successfully.

When it hit that it also set off Avira Anti Vir which also quarantined and changed the name of it (twice) while MB was waiting for response from me.

4/27/2011 15:37 [Guard] Malware found
Virus or unwanted program 'TR/Patched.Gen [trojan]'
detected in file 'C:\System Volume Information\_restore{74EF66A5-570F-49EC-9FE2-DD36C7D96BD4}\RP369\A0036574.sys.
Action performed: Move file to quarantine
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4de870d8.qua


4/27/2011 15:37 [Guard] Malware found
Virus or unwanted program 'TR/Patched.Gen [trojan]'
detected in file 'C:\System Volume Information\_restore{74EF66A5-570F-49EC-9FE2-DD36C7D96BD4}\RP369\A0036574.sys.
Action performed: Move file to quarantine
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4de870e2.qua

Have restarted once on prompting of Malware Bytes on deletion. Nothing unseemly since so far.

Thank You,
Bryan


AviraEventsSubset-DetectionsAndExceptionsTo042711:
--
Exported events:


4/27/2011 15:37 [Guard] Malware found
Virus or unwanted program 'TR/Patched.Gen [trojan]'
detected in file 'C:\System Volume
Information\_restore{74EF66A5-570F-49EC-9FE2-DD36C7D96BD4}\RP369\A0036574.sys.
Action performed: Move file to quarantine


4/27/2011 15:37 [Guard] Malware found
Virus or unwanted program 'TR/Patched.Gen [trojan]'
detected in file 'C:\System Volume
Information\_restore{74EF66A5-570F-49EC-9FE2-DD36C7D96BD4}\RP369\A0036574.sys.
Action performed: Move file to quarantine


4/26/2011 19:03 [Guard] Malware found
Virus or unwanted program 'TR/Patched.Gen [trojan]'
detected in file 'C:\Qoobox\32788R22FWJFW\volsnap.sys.
Action performed: Allow access


4/26/2011 18:27 [Guard] Malware found
Virus or unwanted program 'Eicar-Test-Signature [virus]'
detected in file 'C:\ComboFix\N_\Av-test.txt.
Action performed: Allow access


4/26/2011 18:27 [Guard] Malware found
Virus or unwanted program 'Eicar-Test-Signature [virus]'
detected in file 'C:\Documents and Settings\Administrator\Local
Settings\Temp\Av-test.txt.
Action performed: Allow access


4/22/2011 12:55 [Updater] Update not carried out
The update of T60P-L34P86C (127.0.0.1) from
http://perspeak.avira-update.com/update failed.
An error occurred during downloading
No new files were loaded.


4/20/2011 12:54 [Updater] Update not carried out
The update of T60P-L34P86C (127.0.0.1) from
http://perspeak.avira-update.com/update failed.
An error occurred during downloading
No new files were loaded.


4/19/2011 11:15 [Updater] Update not carried out
The update of T60P-L34P86C (127.0.0.1) from
http://perspeak.avira-update.com/update failed.
An error occurred during downloading
No new files were loaded.


4/18/2011 12:59 [Guard] Malware found
Virus or unwanted program 'TR/Kazy.18407.2 [trojan]'
detected in file 'C:\System Volume
Information\_restore{74EF66A5-570F-49EC-9FE2-DD36C7D96BD4}\RP351\A0033278.exe.
Action performed: Delete file


4/17/2011 20:33 [Scanner] Scan
Scan ended [The scan has been done completely.].
Number of files: 0
Number of folders: 0
Number of malware: 0
Number of errors: 0


4/17/2011 20:19 [Updater] Update not carried out
The update of T60P-L34P86C (127.0.0.1) from
http://perspeak.avira-update.com/update failed.
An error occurred during downloading
No new files were loaded.


4/16/2011 20:06 [Updater] Update not carried out
The update of T60P-L34P86C (127.0.0.1) from
http://perspeak.avira-update.com/update failed.
An error occurred during downloading
No new files were loaded.


4/13/2011 9:44 [Guard] Malware found
Virus or unwanted program 'TR/Kazy.18407.2 [trojan]'
detected in file 'C:\System Volume
Information\_restore{74EF66A5-570F-49EC-9FE2-DD36C7D96BD4}\RP351\A0033278.exe.
Action performed: Deny access


4/9/2011 19:15 [Scanner] Malware found
The file 'C:\WINDOWS\system32\dll.dll'
contained a virus or unwanted program 'TR/Lukicsel.G' [trojan]
Action(s) taken:
The file was moved to '4e0ce911.qua'!


4/9/2011 19:15 [Scanner] Malware found
The file 'C:\WINDOWS\msv1_0.VIR'
contained a virus or unwanted program 'TR/Spy.Gen' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26003.
The file could not be deleted!
Attempting to perform action using the ARK library.
The file was moved to '4f6e0ed7.qua'!


4/9/2011 19:15 [Scanner] Scan
Scan ended [The scan has been done completely.].
Number of files: 565070
Number of folders: 7387
Number of malware: 17
Number of errors: 3


4/9/2011 19:15 [Scanner] Malware found
The file 'C:\WINDOWS\system32\drivers\4841F0.sys'
contained a virus or unwanted program 'TR/Dldr.Peltpox.A' [trojan]
Action(s) taken:
The file was moved to '4dd4e8dd.qua'!


4/9/2011 19:15 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{74EF66A5-570F-49EC-9FE2-DD36C7D96BD4}\RP295\A0026954.dll'
contained a virus or unwanted program 'TR/ExeDot.eau' [trojan]
Action(s) taken:
The file was moved to '4dd0e8d3.qua'!


4/9/2011 19:15 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{74EF66A5-570F-49EC-9FE2-DD36C7D96BD4}\RP274\A0025871.dll'
contained a virus or unwanted program 'TR/ExeDot.eau' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.
Error in ARK library.
The file is scheduled for deleting after reboot.


4/9/2011 19:15 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{74EF66A5-570F-49EC-9FE2-DD36C7D96BD4}\RP351\A0033280.exe'
contained a virus or unwanted program 'TR/Trash.Gen' [trojan]
Action(s) taken:
The file was moved to '49cd4e04.qua'!


4/9/2011 19:15 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{74EF66A5-570F-49EC-9FE2-DD36C7D96BD4}\RP341\A0031294.dll'
contained a virus or unwanted program 'TR/Evadiped.A.2' [trojan]
Action(s) taken:
The file was moved to '49cc77dc.qua'!


4/9/2011 19:15 [Scanner] Malware found
The file 'C:\Program Files\Shared\shared.dll'
contained a virus or unwanted program 'TR/BHO.Gen' [trojan]
Action(s) taken:
The file was moved to '4e01e8f5.qua'!


4/9/2011 19:15 [Scanner] Malware found
The file 'C:\Program Files\Shared\lib.dll'
contained a virus or unwanted program 'ADWARE/Agent.323597.9' [adware]
Action(s) taken:
The file was moved to '4e02e8f6.qua'!


4/9/2011 19:15 [Scanner] Malware found
The file 'C:\Program Files\Shared\_shared.dll'
contained a virus or unwanted program 'TR/BHO.Gen' [trojan]
Action(s) taken:
The file was moved to '4e08e900.qua'!


4/9/2011 19:15 [Scanner] Malware found
The file 'C:\Program Files\Shared\_lib.dll'
contained a virus or unwanted program 'ADWARE/Agent.323597.9' [adware]
Action(s) taken:
The file was moved to '4e09e8f9.qua'!


4/9/2011 19:15 [Scanner] Malware found
The file 'C:\Documents and Settings\Administrator\Application
Data\Sun\Java\Deployment\cache\6.0\46\6dbca9ae-6c15db3d'
contained a virus or unwanted program 'JAVA/Exdoer.BC.3' [virus]
Action(s) taken:
The file was moved to '4e02e8f0.qua'!


4/9/2011 19:15 [Scanner] Malware found
The file 'C:\Documents and Settings\Administrator\Application
Data\Sun\Java\Deployment\cache\6.0\8\7c997f08-2d472d1c'
contained a virus or unwanted program 'JAVA/Agent.JG' [virus]
Action(s) taken:
The file was moved to '4dd9e8ef.qua'!


4/9/2011 17:58 [Scheduler] Job started
The job "Complete system scan"
was started successfully.


4/9/2011 17:56 [Guard] Malware found
Virus or unwanted program 'TR/Spy.Gen [trojan]'
detected in file 'C:\WINDOWS\msv1_0.dll.
Action performed: Rename file


4/9/2011 17:55 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:55 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:55 [Guard] Malware found
Virus or unwanted program 'TR/Spy.Gen [trojan]'
detected in file 'C:\WINDOWS\msv1_0.dll.
Action performed: Delete file


4/9/2011 17:55 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:55 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:55 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:55 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:55 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:55 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:55 [Guard] Malware found
Virus or unwanted program 'TR/Spy.Gen [trojan]'
detected in file 'C:\WINDOWS\msv1_0.dll.
Action performed: Delete file


4/9/2011 17:55 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:55 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:55 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:55 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:55 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:55 [Guard] Malware found
Virus or unwanted program 'TR/Spy.Gen [trojan]'
detected in file 'C:\WINDOWS\msv1_0.dll.
Action performed: Delete file


4/9/2011 17:55 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:55 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:55 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:55 [Guard] Malware found
Virus or unwanted program 'TR/Spy.Gen [trojan]'
detected in file 'C:\WINDOWS\msv1_0.dll.
Action performed: Delete file


4/9/2011 17:55 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:55 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:54 [Guard] Malware found
Virus or unwanted program 'TR/Spy.Gen [trojan]'
detected in file 'C:\WINDOWS\msv1_0.dll.
Action performed: Delete file


4/9/2011 17:54 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:54 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.].


4/9/2011 17:19 [Updater] Update not carried out
The update of T60P-L34P86C (127.0.0.1) from
http://perspeak.avira-update.com/update failed.
An error occurred during downloading
No new files were loaded.


4/9/2011 17:17 [Scanner] Malware found
The file 'C:\Documents and Settings\Administrator\Local Settings\Temporary
Internet
Files\Content.IE5\IJ2L4N67\CAOVWNGL.php%253Fen%253DCP1252%2526v%253D1%26r%3D0,fe
aeb9fe-477a-11e0-af98-001b24936226'
contained a virus or unwanted program 'HTML/Infected.WebPage.Gen' [virus]
Action(s) taken:
The file was moved to '4defcd39.qua'!


4/9/2011 17:17 [Scanner] Malware found
The file 'C:\Documents and Settings\Administrator\Local Settings\Temporary
Internet Files\Content.IE5\VNCDR05G\quixsurf[2].htm'
contained a virus or unwanted program 'HTML/Infected.WebPage.Gen' [virus]
Action(s) taken:
The file was moved to '4e09cd6d.qua'!


4/9/2011 17:17 [Scanner] Malware found
The file 'C:\Documents and Settings\Administrator\Local Settings\Temporary
Internet Files\Content.IE5\6P8RATCD\quixsurf[1].htm'
contained a virus or unwanted program 'HTML/Infected.WebPage.Gen' [virus]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.


4/9/2011 17:17 [Scanner] Malware found
The file 'C:\Documents and Settings\Administrator\Local Settings\Temporary
Internet Files\Content.IE5\DBQD37HP\CA8L63UZ.htm'
contained a virus or unwanted program 'HTML/Infected.WebPage.Gen' [virus]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26004.
The source file could not be found.
Attempting to perform action using the ARK library.


4/9/2011 17:17 [Scanner] Malware found
The file 'C:\Documents and Settings\Administrator\Local Settings\Temporary
Internet
Files\Content.IE5\YE79H7XV\CAH1OM6A.php%253Fen%253DCP1252%2526v%253D1%26r%3D0,29
e97d36-477e-11e0-a201-001e6837e3e3'
contained a virus or unwanted program 'HTML/Infected.WebPage.Gen' [virus]
Action(s) taken:
The file was moved to '4de8cd39.qua'!


4/9/2011 17:17 [Scanner] Malware found
The file 'C:\Documents and Settings\Administrator\Local Settings\Temporary
Internet Files\Content.IE5\ZM5K9BFR\CA90VGU5.htm'
contained a virus or unwanted program 'HTML/Infected.WebPage.Gen' [virus]
Action(s) taken:
The file was moved to '4dd9cd39.qua'!


4/9/2011 17:17 [Scanner] Malware found
The file 'C:\Documents and Settings\Administrator\Local Settings\Temporary
Internet Files\Content.IE5\Y97WHS3A\qseg[1].htm'
contained a virus or unwanted program 'HTML/Infected.WebPage.Gen' [virus]
Action(s) taken:
The file was moved to '4e05cd6b.qua'!


4/9/2011 17:17 [Scanner] Malware found
The file 'C:\Documents and Settings\Administrator\Local Settings\Temporary
Internet Files\Content.IE5\YE79H7XV\CAA2FF5W.htm'
contained a virus or unwanted program 'HTML/Infected.WebPage.Gen' [virus]
Action(s) taken:
The file was moved to '4de1cd39.qua'!


4/9/2011 17:08 [Guard] Malware found
Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]'
detected in file 'C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet Files\Content.IE5\DBQD37HP\CA8L63UZ.htm.
Action performed: Delete file


4/9/2011 15:49 [Guard] Malware found
Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]'
detected in file 'C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet Files\Content.IE5\6P8RATCD\quixsurf[1].htm.
Action performed: Delete file


4/9/2011 13:10 [Scheduler] Job started
The job "Complete system scan"
was started successfully.


4/9/2011 13:09 [Updater] Update not carried out
The update of T60P-L34P86C (166.214.39.170) from http://80.190.143.242/update
failed.
No valid license
No new files were loaded.


===
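Reading an export like the one above by hand means sorting the same few questions every time: where did the flagged file live (a restore-point or quarantine copy is dormant; a live system file is not), and did the product actually manage to do anything about it (the repeated "Access is denied" entries for msv1_0.dll are the kind that need follow-up). The Python below is an added example, not code from the thread, from Avira or from BleepingComputer; it assumes the export keeps the header and line-wrapping layout shown above and runs on a constructed three-entry sample.

```python
# Triage an Avira AntiVir event export like the one posted above. Added example,
# not code from the thread, from Avira or from BleepingComputer. Records start
# "M/D/YYYY HH:MM [Component] Title"; the export wraps long lines at ~80 columns.
import re

HEADER = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}) \[(\w+)\] (.+)$")
SIG = re.compile(r"unwanted program '([^']+)'")
GUARD = re.compile(r"detected in file '(.+?)\.? Action performed: (.+)$")
SCAN = re.compile(r"^The file '(.+?)' contained .*?Action\(s\) taken: (.+)$")
ERR = re.compile(r"Action failed for file: (.+?) Error code: (.+)$")
OUTCOMES = (("quarantine", "quarantined"), ("moved to", "quarantined"),
            ("could not", "failed"), ("error code", "failed"), ("delete", "deleted"),
            ("rename", "renamed"), ("allow access", "allowed"), ("deny access", "blocked"))


def split_records(text):
    """(timestamp, component, title, body) tuples with wrapped lines rejoined."""
    records = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            records.append((m.group(1), m.group(2), m.group(3), []))
        elif line and records:
            records[-1][3].append(line)
    # A single space restores "C:\System Volume" + "Information\..." correctly.
    return [(ts, c, t, " ".join(body)) for ts, c, t, body in records]


def classify_location(path):
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # dormant snapshot copy; removing it is harmless
    if "\\qoobox\\" in p or "\\combofix\\" in p or p.endswith(".qua"):
        return "quarantine"  # already contained by another tool
    if "\\temporary internet files\\" in p or "\\java\\deployment\\cache\\" in p:
        return "browser_cache"  # delivery artefact, not persistence
    return "live"  # a file the running system actually loads


def triage(text):
    """One dict per Guard/Scanner record that names a file."""
    findings = []
    for ts, comp, title, body in split_records(text):
        if comp not in ("Guard", "Scanner"):
            continue  # Updater/Scheduler entries carry no detection
        m = GUARD.search(body) or SCAN.search(body)
        if m:
            path, action = m.group(1), m.group(2)
        elif (m := ERR.search(body)):
            path, action = m.group(1), "error code " + m.group(2)
        else:
            continue
        sig = SIG.search(body)
        findings.append({
            "time": ts, "component": comp, "title": title, "path": path,
            "signature": sig.group(1).split(" [")[0] if sig else None,
            "location": classify_location(path),
            "outcome": next((o for k, o in OUTCOMES if k in action.lower()), "other"),
        })
    return findings


def needs_attention(findings):
    """Live files the product could not remediate: these need a second look."""
    return sorted({f["path"] for f in findings
                   if f["location"] == "live" and f["outcome"] == "failed"})


# Constructed sample in the shape of the export above (a few entries, not all).
SAMPLE = r"""4/27/2011 15:37 [Guard] Malware found
Virus or unwanted program 'TR/Patched.Gen [trojan]'
detected in file 'C:\System Volume
Information\_restore{74EF66A5-570F-49EC-9FE2-DD36C7D96BD4}\RP369\A0036574.sys.
Action performed: Move file to quarantine

4/9/2011 19:15 [Scanner] Malware found
The file 'C:\WINDOWS\system32\dll.dll'
contained a virus or unwanted program 'TR/Lukicsel.G' [trojan]
Action(s) taken:
The file was moved to '4e0ce911.qua'!

4/9/2011 17:55 [Guard] Error detected
Error message: Action failed for file: C:\WINDOWS\msv1_0.dll
Error code: [0x00000005 - Access is denied.]."""
```

Run `needs_attention(triage(open("export.txt").read()))` against a real export to get the short list worth chasing; everything classified as restore_point or quarantine can be left to the tools.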




#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania
  • Local time:07:03 PM

Posted 28 April 2011 - 04:08 AM

That all looks good. Those detections are just quarantined items, and Avira detects them because it scans what is accessed by MBAM.

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 6.
  • Look for "JDK 6 Update 25 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".

    • Select the appropriate download for your version of Windows:
    • Select "Windows x86 Offline" and click on jre-6u25-windows-i586.exe
    • Select "Windows x64" and click on jre-6u25-windows-x64.exe
    • Select "Windows Intel Itanium" and click on jre-6u25-windows-ia64.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.


ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#14 BryanBlack

BryanBlack
  • Topic Starter

  • Members
  • 11 posts
  • Local time:11:03 AM

Posted 28 April 2011 - 12:01 PM

Ok, doing those now.

Should I also let the MS updates that I have waiting install, and install the latest version of Flash Player? (I uninstalled it a few days after the problems started and have not put the new one on, to keep the environment stable during problem resolution, despite many sites' prompting. 75% of them don't seem to fail on anything, so maybe the rest are just for their advertising sadly... not missing all that.)


Thank You,
Bryan Black

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania
  • Local time:07:03 PM

Posted 28 April 2011 - 01:15 PM

Yes, you can install those. I'll wait for the results of the ESET scan.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft




