
Trojan Horse PSW Onlinegames (amvo.exe infection)

#1 cirej (Member, 18 posts)

Hi, I'm new here and I hope someone could help me.

My computer has become slower, and I noticed it when I go to My Computer and click on C: it always opened in another window even though I have the option "Open in same window" checked.
The next weird thing was hidden files and folders: even though I have "Show hidden files" checked, it still didn't show them.
And when I tried to log in to an online game, Ragnarok Online, my keyboard was un-installed...

Thank you in advance for your help... I already downloaded and ran ComboFix, and below is a copy of the log file.

ComboFix 08-03-18.1 - jerionmari 2008-03-19 18:25:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.579 [GMT 8:00]
Running from: C:\Documents and Settings\jerionmari\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-19 to 2008-03-19 )))))))))))))))))))))))))))))))
.

2008-03-19 18:06 . 2008-03-19 18:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-19 18:06 . 2008-03-19 18:06 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-19 18:06 . 2008-03-19 18:06 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-19 18:06 . 2008-03-19 18:06 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-19 18:06 . 2008-03-19 18:06 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-19 11:36 . 2008-03-19 11:35 99,735 -r-hs---- C:\h6o0re.cmd
2008-03-19 00:41 . 2008-03-19 00:41 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-16 11:57 . 2008-03-18 00:01 100,836 -r-hs---- C:\3o.exe
2008-03-15 10:14 . 2008-03-15 10:14 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-03-15 10:13 . 2008-03-15 10:13 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-15 10:13 . 2008-03-15 10:13 <DIR> d-------- C:\Program Files\Ahead
2008-03-15 10:13 . 2004-07-26 17:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-03-15 10:13 . 2004-07-26 17:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-03-15 10:13 . 2004-07-26 17:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-03-15 10:13 . 2004-07-26 17:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-03-15 10:13 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-03-15 10:13 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-03-15 10:07 . 2008-03-15 10:07 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-15 10:06 . 2008-03-15 10:06 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-15 10:06 . 2008-03-15 10:06 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-15 10:06 . 2008-03-15 10:06 <DIR> d-------- C:\a19a70a474e0d07f4bbe
2008-03-15 09:52 . 2008-03-15 09:52 101,166 -r-hs---- C:\cfdflx.com
2008-03-12 11:42 . 2008-03-12 21:37 100,791 -r-hs---- C:\v.cmd
2008-03-11 23:47 . 2008-03-12 09:18 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-11 23:47 . 2008-03-11 23:47 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-11 16:00 . 2004-08-03 23:10 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2008-03-11 16:00 . 2004-08-03 23:10 61,056 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys
2008-03-11 16:00 . 2004-08-03 23:10 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2008-03-11 16:00 . 2004-08-03 23:10 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2008-03-11 16:00 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-03-11 16:00 . 2001-08-17 13:46 6,400 --a--c--- C:\WINDOWS\system32\dllcache\enum1394.sys
2008-03-11 12:51 . 2008-03-11 12:51 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-03-10 22:13 . 2008-03-11 10:37 103,034 -r-hs---- C:\b.com
2008-03-06 09:32 . 2008-03-06 09:32 <DIR> d-------- C:\Program Files\NetGames
2008-03-06 09:28 . 2008-03-16 20:20 35 --a------ C:\WINDOWS\Ulead32.INI
2008-03-06 09:26 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-06 09:26 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-06 09:20 . 2008-03-06 09:20 <DIR> d-------- C:\Program Files\Microtek
2008-03-06 09:20 . 2008-03-06 09:20 <DIR> d-------- C:\Kpcms
2008-03-06 09:20 . 1998-09-14 08:41 285,216 --a------ C:\WINDOWS\system32\drivers\Onsio.sys
2008-03-06 09:20 . 1998-08-01 12:00 60,928 --a------ C:\WINDOWS\system32\drivers\Smplscsi.sys
2008-03-06 09:20 . 2003-06-11 12:03 15,396 --a------ C:\WINDOWS\system32\Msmusd5.dll
2008-03-06 09:20 . 2001-06-20 15:44 13,962 --a------ C:\WINDOWS\system32\Msmusd6.dll
2008-03-06 09:20 . 2003-07-17 16:12 12,499 --a------ C:\WINDOWS\system32\Msmusd7.dll
2008-03-06 09:20 . 1997-02-14 13:10 7,680 --a------ C:\WINDOWS\system32\drivers\Onsreged.sys
2008-03-06 01:44 . 2008-03-10 22:10 <DIR> d-------- C:\Program Files\Google
2008-03-06 01:44 . 2008-03-06 01:44 <DIR> d-------- C:\Program Files\DivX
2008-03-05 17:56 . 2008-03-05 17:56 <DIR> d-------- C:\Program Files\Dragonfly
2008-03-05 17:56 . 2008-03-05 17:56 <DIR> d-------- C:\Documents and Settings\jerionmari\Application Data\InstallShield
2008-03-05 17:55 . 2008-03-05 17:55 <DIR> d-------- C:\Program Files\uTorrent
2008-03-05 17:55 . 2008-03-15 21:03 <DIR> d-------- C:\Documents and Settings\jerionmari\Application Data\uTorrent
2008-03-05 17:49 . 2008-03-05 17:49 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-03-05 17:49 . 2004-02-22 10:11 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-03-05 17:49 . 2006-10-07 17:43 502,784 --a------ C:\WINDOWS\x2.64.exe
2008-03-05 17:49 . 2007-05-14 15:24 394,240 --a------ C:\WINDOWS\system32\Smab.dll
2008-03-05 17:49 . 2007-05-17 17:30 318,976 --a------ C:\WINDOWS\system32\avisynth.dll
2008-03-05 17:49 . 2005-02-28 13:16 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2008-03-05 17:49 . 2006-04-12 09:47 217,073 --a------ C:\WINDOWS\meta4.exe
2008-03-05 17:49 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2008-03-05 17:49 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2008-03-05 17:49 . 2006-04-05 08:09 66,560 --a------ C:\WINDOWS\MOTA113.exe
2008-03-05 17:49 . 2005-07-14 12:31 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-03-05 17:48 . 2008-03-05 17:48 <DIR> d-------- C:\Program Files\eRightSoft
2008-03-05 16:26 . 2004-08-04 20:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-03-05 16:02 . 2008-03-06 00:19 <DIR> d-------- C:\Program Files\Java
2008-03-05 16:02 . 2008-03-05 17:47 <DIR> d-------- C:\Documents and Settings\jerionmari\Application Data\LimeWire
2008-03-05 16:02 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-05 15:59 . 2008-03-05 16:02 <DIR> d-------- C:\Program Files\LimeWire
2008-03-05 15:59 . 2008-03-05 15:59 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-05 15:10 . 2008-03-05 15:10 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-05 15:01 . 2008-03-05 15:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\UDL
2008-03-05 14:58 . 2008-03-05 15:00 <DIR> d-------- C:\Program Files\EPSON
2008-03-05 14:58 . 2006-03-03 00:04 73,216 --a------ C:\WINDOWS\system32\E_FLBBHP.DLL
2008-03-05 14:58 . 2005-04-11 00:01 62,976 --a------ C:\WINDOWS\system32\E_FD4BBHP.DLL
2008-03-05 14:58 . 2004-09-10 19:12 49,152 --a------ C:\WINDOWS\system32\E_DCINST.DLL
2008-03-05 14:58 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-05 14:58 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-05 14:57 . 2008-03-05 14:59 241,033 --a------ C:\WINDOWS\EPSTPLOG.BAK
2008-03-05 14:35 . 2008-03-16 10:29 64 --a------ C:\WINDOWS\option.ini
2008-03-05 13:44 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-03-05 13:37 . 2008-03-19 11:57 <DIR> d-------- C:\Program Files\Tales of Pirates Online
2008-03-05 13:35 . 2008-03-05 13:35 <DIR> d-------- C:\Program Files\Softnyx
2008-03-05 13:26 . 2003-07-21 02:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-03-05 13:26 . 2005-01-04 17:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-03-05 13:06 . 2008-03-05 13:06 <DIR> d-------- C:\Program Files\Gravity
2008-03-05 13:00 . 2008-03-05 13:00 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-05 12:58 . 2008-03-05 12:58 <DIR> d-------- C:\WINDOWS\ShellNew
2008-03-05 12:57 . 2008-03-05 12:57 <DIR> d-------- C:\Documents and Settings\jerionmari\Application Data\Microsoft Web Folders
2008-03-05 12:50 . 2008-03-05 15:07 <DIR> d-------- C:\Program Files\e-Games
2008-03-05 12:14 . 2008-03-05 12:14 <DIR> d-------- C:\Documents and Settings\jerionmari\Application Data\Grisoft
2008-03-05 12:12 . 2008-03-05 12:12 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-05 12:12 . 2008-03-19 16:57 <DIR> d-------- C:\Documents and Settings\jerionmari\Application Data\AVG7
2008-03-05 12:12 . 2008-03-16 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-05 12:12 . 2008-03-05 12:12 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-03-05 12:12 . 2008-03-05 12:12 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-03-05 12:11 . 2008-03-05 12:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-05 12:11 . 2007-05-30 20:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-05 11:10 . 2008-03-05 11:10 <DIR> d--hs---- C:\Documents and Settings\jerionmari\UserData
2008-03-05 11:07 . 2004-08-11 13:32 183,987 --a------ C:\WINDOWS\system32\drivers\VVBackd5.sys
2008-03-05 11:07 . 2003-12-20 19:07 45,056 -ra------ C:\WINDOWS\DxpAppEx.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 01:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-05 07:01 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-05 04:57 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-05 03:05 56 ----a-w C:\Program Files\Common Files\appop.log
2008-03-05 02:56 --------- d-----w C:\Program Files\Realtek
2008-03-05 02:47 --------- d-----w C:\Program Files\MSXML 4.0
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-10-15 09:51 14864384 C:\WINDOWS\RTHDCPL.EXE]
"RestoreIT!"="C:\Program Files\FarStone\RestoreIT\RestoreIT_XP\VBPTASK.exe" [2005-04-29 20:39 122880]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 17:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-05 12:12 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-05 12:12 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microtek Scanner Finder.lnk - C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-03-06 09:20:54 335872]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 20:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C59 Series]
--a------ 2006-02-23 03:00 131072 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBHP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\farstone]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINCINEMAMGR]
--a------ 2005-04-29 19:50 278528 C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin"=
"C:\\Program Files\\Gravity\\RagnarokOnline\\valkyrie.exe"=

R0 ivicd;Ivi CDVD Filter Driver;C:\WINDOWS\system32\drivers\ivicd.sys [2005-01-12 06:29]
R0 RITFSD;RITFSD;C:\WINDOWS\system32\drivers\RITFSD.sys [2004-12-02 13:19]
R0 VVBackd5;VVBackd5;C:\WINDOWS\system32\drivers\VVBackd5.sys [2004-08-11 13:32]
R2 Rcfilter;Rcfilter;C:\WINDOWS\system32\drivers\Rcfilter.sys [2004-12-02 13:17]
R3 exdisk;Express Disk Service;C:\WINDOWS\system32\DRIVERS\exdisk.sys [2004-08-03 14:08]
S3 iviudf;iviudf;C:\WINDOWS\system32\drivers\IviUdf.sys [2005-01-12 20:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a717d25-ea70-11dc-93d7-0016763c047e}]
\Shell\AutoRun\command - ntdelect.com
\Shell\explore\Command - utdetect.com
\Shell\open\Command - utdetect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c68a622-f4d5-11dc-9409-0016763c047e}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a8d04a0-ea8a-11dc-93dc-0016763c047e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Desktop.exe
\Shell\Explore\Command - Desktop.exe
\Shell\Open\Command - Desktop.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a8d04a6-ea8a-11dc-93dc-0016763c047e}]
\Shell\Autoplay\Command - F:\xmss.exe
\Shell\AutoRun\command - F:\xmss.exe
\Shell\Explore\Command - F:\xmss.exe
\Shell\Open\Command - F:\xmss.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 18:27:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-19 18:27:33
ComboFix-quarantined-files.txt 2008-03-19 10:27:31
.
2008-03-16 01:55:33 --- E O F ---

Edited by cirej, 19 March 2008 - 04:42 AM.

#2 cirej (Topic Starter, Member, 18 posts)

Adding Deckard's System Scanner

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 2.66GHz
CPU 1: Intel® Pentium® D CPU 2.66GHz
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 894.48 MiB / 531.31 MiB
Pagefile Memory (total/avail): 2167.56 MiB / 1827.49 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1902.82 MiB

A: is Removable (No Media)
B: is Fixed (Unformatted) - 0 GiB total, 0 GiB free.
C: is Fixed (NTFS) - 40.73 GiB total, 25.62 GiB free.
D: is Fixed (NTFS) - 126.96 GiB total, 1.88 GiB free.
E: is CDROM (Unformatted)

\\.\PHYSICALDRIVE0 - ST3200827AS - 186.31 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 40.73 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 126.96 GiB - D:
\PARTITION2 - Unknown - 18.62 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG 7.5.519 v7.5.519 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin"="C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin:*:Enabled:rakion"
"C:\\Program Files\\Gravity\\RagnarokOnline\\valkyrie.exe"="C:\\Program Files\\Gravity\\RagnarokOnline\\valkyrie.exe:*:Enabled:Valkyrie"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\jerionmari\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JERION
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\jerionmari
LOGONSERVER=\\JERION
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0407
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JERION~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\JERION~1\LOCALS~1\Temp
USERDOMAIN=JERION
USERNAME=jerionmari
USERPROFILE=C:\Documents and Settings\jerionmari
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

jerionmari (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
--> "C:\Program Files\InstallShield Installation Information\{F366D0C4-18F2-44A6-A4E7-7ED2DD37F3D3}\setup.exe" --u:{F366D0C4-18F2-44A6-A4E7-7ED2DD37F3D3}
--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40602E2C-AB5C-4887-8093-3BFE5B8B95B3}\setup.exe" REMOVEALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
EPSON Attach To Email --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Easy Photo Print --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BC69DDB8-4840-4D9B-BB31-0D4DB2BA1312}\SETUP.EXE" -l0x9 UNINST
EPSON File Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E86BC406-944E-41F6-ADE6-2C136734C96B}\Setup.exe" -l0x9 UNINST
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan Assistant --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x9 -u
ESC58_59 User's Guide --> C:\Program Files\EPSON\TPMANUAL\ESC58_59\ENG\USE_G\DOCUNINS.EXE
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
InterVideo MediaOne --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8AEEE6D6-C95D-465A-B8D3-B7AE2FA7B8B4}\setup.exe" REMOVEALL
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microtek FineReader OCR Engine --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{345C90FB-FA10-11D5-9C2A-0080C85A0C2D}\setup.exe"
Mobius Rakion --> "C:\Program Files\Softnyx\Rakion\unins000.exe"
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\Setup.exe /uninstall ExtraUninstallID=""
O2Jam_PH --> "C:\Program Files\e-Games\O2Jam_PH\uninstall.exe"
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
RagnarokOnline --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C2BE6E4E-9041-4DA0-9E18-DA42CEB05A18}\setup.exe" -l0x9 -removeonly
Ran Online 3.0.2.1 --> "C:\Program Files\e-Games\Ran Online\uninstall.exe"
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\setup.exe" -l0x9 REMOVE
Realtek High Definition Audio Driver --> RtlUpd.exe -r
RestoreIT --> C:\Program Files\FarStone\RestoreIT\RestoreIT_XP\un_vback.exe
ScanWizard 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B08D262E-D902-11D5-9C28-0080C85A0C2D}\setup.exe"
Special Force --> C:\Program Files\InstallShield Installation Information\{8ADE24B2-DCA4-4A1E-8B52-A5B435522D9E}\setup.exe -runfromtemp -l0x0009 -removeonly
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SUPER © Version 2007.bld.23 (July 4, 2007) --> C:\PROGRA~1\ERIGHT~1\SUPER\Setup.exe /remove /q0
Tales of Pirates Online 1.33 --> "C:\Program Files\Tales of Pirates Online\unins000.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type378 / Error
Event Submitted/Written: 03/20/2008 00:40:06 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application scanwizard5.exe, version 1.0.0.1, faulting module unknown, version 0.0.0.0, fault address 0x011b3ca8.
Processing media-specific event for [scanwizard5.exe!ws!]

Event Record #/Type354 / Error
Event Submitted/Written: 03/19/2008 00:42:49 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type353 / Error
Event Submitted/Written: 03/19/2008 00:42:48 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type344 / Error
Event Submitted/Written: 03/18/2008 02:33:17 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application ScanWizard5.exe, version 1.0.0.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type343 / Error
Event Submitted/Written: 03/18/2008 02:32:06 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application ScannerFinder.exe, version 1.0.0.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3647 / Warning
Event Submitted/Written: 03/20/2008 02:30:50 PM
Event ID/Source: 51 / ivicd
Event Description:
\Device\IviFilte

Event Record #/Type3646 / Warning
Event Submitted/Written: 03/20/2008 02:30:50 PM
Event ID/Source: 51 / ivicd
Event Description:
\Device\IviFilte

Event Record #/Type3641 / Warning
Event Submitted/Written: 03/20/2008 01:47:12 PM / 03/20/2008 01:47:15 PM
Event ID/Source: 51 / ivicd
Event Description:
\Device\IviFilte

Event Record #/Type3640 / Warning
Event Submitted/Written: 03/20/2008 01:47:12 PM / 03/20/2008 01:47:15 PM
Event ID/Source: 51 / ivicd
Event Description:
\Device\IviFilte

Event Record #/Type3639 / Warning
Event Submitted/Written: 03/20/2008 01:47:12 PM / 03/20/2008 01:47:15 PM
Event ID/Source: 51 / ivicd
Event Description:
\Device\IviFilte



-- End of Deckard's System Scanner: finished at 2008-03-20 14:31:03 ------------

#3 cirej (Topic Starter, Member, 18 posts)

Main Text

Deckard's System Scanner v20071014.68
Run by jerionmari on 2008-03-20 14:28:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
39: 2008-03-20 06:28:50 UTC - RP39 - Deckard's System Scanner Restore Point
38: 2008-03-19 10:25:46 UTC - RP38 - ComboFix created restore point
37: 2008-03-16 01:54:22 UTC - RP37 - Software Distribution Service 3.0
36: 2008-03-15 02:05:27 UTC - RP36 - Software Distribution Service 3.0
35: 2008-03-15 02:02:07 UTC - RP35 - Installed Windows Media Player 11


-- First Restore Point --
1: 2008-03-05 02:43:57 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-03-20 14:29:53
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\FarStone\RestoreIT\RestoreIT_XP\vbptask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\jerionmari\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.ph/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\FarStone\RestoreIT\RestoreIT_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microtek Scanner Finder.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


--
End of file - 5465 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ivicd (Ivi CDVD Filter Driver) - c:\windows\system32\drivers\ivicd.sys <Not Verified; InterVideo; InterVideo C/DVD Filter Driver>
R0 RITFSD - c:\windows\system32\drivers\ritfsd.sys
R0 VVBackd5 - c:\windows\system32\drivers\vvbackd5.sys
R2 Rcfilter - c:\windows\system32\drivers\rcfilter.sys <Not Verified; FarStone Technology Inc.,; Restore IT!>
R3 exdisk (Express Disk Service) - c:\windows\system32\drivers\exdisk.sys
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 iviudf - c:\windows\system32\drivers\iviudf.sys <Not Verified; InterVideo; UDF File System Driver>
S3 npkcrypt - c:\program files\gravity\ragnarokonline\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-02-20 and 2008-03-20 -----------------------------

2008-03-20 12:26:45 100754 -r-hs---- C:\un9.cmd
2008-03-20 12:25:32 72192 -r-hs---- C:\WINDOWS\system32\amvo0.dll
2008-03-19 21:07:37 72192 -r-hs---- C:\WINDOWS\system32\amvo1.dll
2008-03-19 21:06:39 100754 -r-hs---- C:\WINDOWS\system32\amvo.exe
2008-03-19 18:49:47 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-19 18:49:43 0 d-------- C:\Program Files\SpywareBlaster
2008-03-19 18:25:00 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-19 18:25:00 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-19 18:25:00 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-19 18:25:00 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-19 18:06:47 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-19 11:36:09 99735 -r-hs---- C:\h6o0re.cmd
2008-03-18 15:01:37 0 dr-h----- C:\$VAULT$.AVG
2008-03-16 11:57:55 100836 -r-hs---- C:\3o.exe
2008-03-15 10:14:43 0 d-------- C:\Program Files\Common Files\Nero
2008-03-15 10:13:45 106496 --a------ C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2008-03-15 10:13:40 471040 -----n--- C:\WINDOWS\system32\ImagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-03-15 10:13:40 262144 -----n--- C:\WINDOWS\system32\ImagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-03-15 10:13:40 1568768 -----n--- C:\WINDOWS\system32\ImagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-03-15 10:13:39 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-03-15 10:13:35 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-15 10:13:34 0 d-------- C:\Program Files\Ahead
2008-03-15 10:07:28 0 d-------- C:\Program Files\Windows Media Connect 2
2008-03-15 10:06:06 0 d-------- C:\a19a70a474e0d07f4bbe
2008-03-15 10:06:01 0 d-------- C:\WINDOWS\system32\LogFiles
2008-03-15 10:06:01 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-15 10:05:37 0 d-------- C:\59653168b3a8a2751c69
2008-03-15 09:52:54 101166 -r-hs---- C:\cfdflx.com
2008-03-12 11:42:38 100791 -r-hs---- C:\v.cmd
2008-03-11 23:47:46 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-11 23:47:38 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-03-11 12:52:42 0 d-------- C:\Documents and Settings\jerionmari\Application Data\Google
2008-03-11 12:51:05 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-03-10 22:16:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-03-10 22:13:45 103034 -r-hs---- C:\b.com
2008-03-06 09:35:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-03-06 09:32:07 0 d-------- C:\Program Files\NetGames
2008-03-06 09:20:59 60928 --a------ C:\WINDOWS\system32\drivers\Smplscsi.sys <Not Verified; OnSpec Electronic, Inc.; Microsoft® Windows™ Operating System>
2008-03-06 09:20:59 7680 --a------ C:\WINDOWS\system32\drivers\Onsreged.sys
2008-03-06 09:20:59 285216 --a------ C:\WINDOWS\system32\drivers\Onsio.sys
2008-03-06 09:20:57 0 d-------- C:\Kpcms
2008-03-06 09:20:54 13962 --a------ C:\WINDOWS\system32\Msmusd6.dll <Not Verified; Microtek International Inc.; ScanMaker 4600>
2008-03-06 09:20:53 0 d-------- C:\Program Files\Microtek
2008-03-06 01:44:50 0 d-------- C:\Program Files\Google
2008-03-06 01:44:45 0 d-------- C:\Program Files\DivX
2008-03-05 19:20:51 0 d--hs---- C:\WINDOWS\Installer
2008-03-05 19:20:50 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-05 19:20:46 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-05 19:20:45 0 dr------- C:\Program Files
2008-03-05 19:20:45 0 d-------- C:\Program Files\Common Files
2008-03-05 19:20:19 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-03-05 19:20:19 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-03-05 19:20:19 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-03-05 19:20:19 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-03-05 19:20:19 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-03-05 19:20:19 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-03-05 19:20:19 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-03-05 19:20:19 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-03-05 19:20:19 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-03-05 19:20:19 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-03-05 19:20:19 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-03-05 19:20:19 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-03-05 19:20:19 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-03-05 19:20:19 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-03-05 19:20:19 0 dr------- C:\Documents and Settings\All Users\Documents
2008-03-05 19:20:19 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-03-05 19:20:05 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-03-05 19:20:05 0 d-------- C:\WINDOWS\system32\CatRoot
2008-03-05 19:20:00 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-03-05 19:20:00 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-03-05 19:20:00 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-03-05 19:20:00 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-03-05 19:19:33 0 d-------- C:\Documents and Settings
2008-03-05 19:19:32 0 d--hs---- C:\System Volume Information
2008-03-05 19:11:13 0 d-------- C:\WINDOWS
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\WinSxS
2008-03-05 19:11:13 0 dr------- C:\WINDOWS\Web
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\twain_32
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\wins
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\wbem
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\usmt
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\spool
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\ShellExt
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\Setup
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\ras
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\oobe
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\npp
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\mui
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\inetsrv
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\IME
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\icsxml
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\ias
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\export
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\drivers
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-03-05 19:11:13 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\dhcp
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\config
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\3076
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\2052
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\1054
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\1042
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\1041
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\1037
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\1033
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\1031
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\1028
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system32\1025
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\system
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\security
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\Resources
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\repair
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\Provisioning
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\PeerNet
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\pchealth
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\mui
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\msapps
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\msagent
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\Media
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\java
2008-03-05 19:11:13 0 d--h----- C:\WINDOWS\inf
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\ime
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\Help
2008-03-05 19:11:13 0 dr--s---- C:\WINDOWS\Fonts
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\Driver Cache
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\Debug
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\Cursors
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\Connection Wizard
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\Config
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\AppPatch
2008-03-05 19:11:13 0 d-------- C:\WINDOWS\addins
2008-03-05 17:56:36 0 d-------- C:\Program Files\Dragonfly
2008-03-05 17:56:25 0 d-------- C:\Documents and Settings\jerionmari\Application Data\InstallShield
2008-03-05 17:55:44 0 d-------- C:\Program Files\uTorrent
2008-03-05 17:55:27 0 d-------- C:\Documents and Settings\jerionmari\Application Data\uTorrent
2008-03-05 17:49:16 70656 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-03-05 17:49:16 394240 --a------ C:\WINDOWS\system32\Smab.dll
2008-03-05 17:49:16 719872 --a------ C:\WINDOWS\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
2008-03-05 17:49:16 27648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-03-05 17:49:16 318976 --a------ C:\WINDOWS\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2008-03-05 17:49:16 66560 --a------ C:\WINDOWS\MOTA113.exe
2008-03-05 17:49:15 70656 --a------ C:\WINDOWS\system32\i420vfw.dll <Not Verified; www.helixcommunity.org; Helix I420 YUV Codec>
2008-03-05 17:49:15 217073 --a------ C:\WINDOWS\meta4.exe
2008-03-05 17:49:14 0 d-------- C:\Program Files\AviSynth 2.5
2008-03-05 17:48:57 31232 -r-hs---- C:\WINDOWS\system32\msfDX.dll <Not Verified; Hans Mayerl; msfDX.dll>
2008-03-05 17:48:57 163328 -r-hs---- C:\WINDOWS\system32\flvDX.dll <Not Verified; Gabest; FLV Splitter>
2008-03-05 17:48:53 0 d-------- C:\Program Files\eRightSoft
2008-03-05 16:02:53 0 d-------- C:\Documents and Settings\jerionmari\Application Data\LimeWire
2008-03-05 16:02:13 0 d-------- C:\Program Files\Java
2008-03-05 15:59:50 0 d-------- C:\Program Files\Common Files\Java
2008-03-05 15:59:28 0 d-------- C:\Program Files\LimeWire
2008-03-05 15:10:20 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-05 15:10:16 0 d-------- C:\Documents and Settings\jerionmari\Application Data\Mozilla
2008-03-05 15:01:05 0 d-------- C:\Documents and Settings\All Users\Application Data\UDL
2008-03-05 14:59:38 495616 --a------ C:\WINDOWS\system32\PICSDK2.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-03-05 14:59:38 73728 --a------ C:\WINDOWS\system32\PICSDK.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-03-05 14:59:38 77824 --a------ C:\WINDOWS\system32\PICEntry.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-03-05 14:59:38 114688 --a------ C:\WINDOWS\system32\EpPicPrt.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-03-05 14:59:37 111932 --a------ C:\WINDOWS\system32\EPPICPrinterDB.dat
2008-03-05 14:59:37 1139 --a------ C:\WINDOWS\system32\EPPICPresetData_PT.dat
2008-03-05 14:59:37 1120 --a------ C:\WINDOWS\system32\EPPICPresetData_IT.dat
2008-03-05 14:59:37 1107 --a------ C:\WINDOWS\system32\EPPICPresetData_GE.dat
2008-03-05 14:59:37 1129 --a------ C:\WINDOWS\system32\EPPICPresetData_FR.dat
2008-03-05 14:59:37 1136 --a------ C:\WINDOWS\system32\EPPICPresetData_ES.dat
2008-03-05 14:59:37 1104 --a------ C:\WINDOWS\system32\EPPICPresetData_EN.dat
2008-03-05 14:59:37 1146 --a------ C:\WINDOWS\system32\EPPICPresetData_DU.dat
2008-03-05 14:59:37 1129 --a------ C:\WINDOWS\system32\EPPICPresetData_CF.dat
2008-03-05 14:59:37 1139 --a------ C:\WINDOWS\system32\EPPICPresetData_BP.dat
2008-03-05 14:59:37 4943 --a------ C:\WINDOWS\system32\EPPICPattern6.dat
2008-03-05 14:59:37 21390 --a------ C:\WINDOWS\system32\EPPICPattern5.dat
2008-03-05 14:59:37 11811 --a------ C:\WINDOWS\system32\EPPICPattern4.dat
2008-03-05 14:59:37 24903 --a------ C:\WINDOWS\system32\EPPICPattern3.dat
2008-03-05 14:59:37 20148 --a------ C:\WINDOWS\system32\EPPICPattern2.dat
2008-03-05 14:59:37 31053 --a------ C:\WINDOWS\system32\EPPICPattern131.dat
2008-03-05 14:59:37 27417 --a------ C:\WINDOWS\system32\EPPICPattern121.dat
2008-03-05 14:59:37 26154 --a------ C:\WINDOWS\system32\EPPICPattern1.dat
2008-03-05 14:59:37 65536 --a------ C:\WINDOWS\system32\EPPicMgr.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-03-05 14:58:18 0 d-------- C:\Program Files\EPSON
2008-03-05 14:36:36 0 d-------- C:\WINDOWS\network diagnostic
2008-03-05 13:37:54 0 d-------- C:\Program Files\Tales of Pirates Online
2008-03-05 13:35:43 0 d-------- C:\Program Files\Softnyx
2008-03-05 13:26:34 4682 --a------ C:\WINDOWS\system32\npptNT2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
2008-03-05 13:06:53 0 d-------- C:\Program Files\Gravity
2008-03-05 12:58:47 0 d-------- C:\WINDOWS\ShellNew
2008-03-05 12:57:41 0 d-------- C:\Documents and Settings\jerionmari\Application Data\Microsoft Web Folders
2008-03-05 12:50:46 0 d-------- C:\Program Files\e-Games
2008-03-05 12:37:44 0 d-------- C:\WINDOWS\pss
2008-03-05 12:14:27 0 d-------- C:\Documents and Settings\jerionmari\Application Data\Grisoft
2008-03-05 12:12:57 0 d-------- C:\Documents and Settings\jerionmari\Application Data\AVG7
2008-03-05 12:12:50 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-05 12:12:41 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-05 12:11:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-05 11:59:11 0 d-------- C:\Documents and Settings\jerionmari\Application Data\Macromedia
2008-03-05 11:59:10 0 d-------- C:\Documents and Settings\jerionmari\Application Data\Adobe
2008-03-05 11:18:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-03-05 11:10:50 0 d--hs---- C:\Documents and Settings\jerionmari\UserData
2008-03-05 11:07:04 183987 --a------ C:\WINDOWS\system32\drivers\VVBackd5.sys
2008-03-05 11:07:01 33249 -ra------ C:\WINDOWS\system32\drivers\RITFSD.sys
2008-03-05 11:07:01 31872 -ra------ C:\WINDOWS\system32\drivers\Rcfilter.sys <Not Verified; FarStone Technology Inc.,; Restore IT!>
2008-03-05 11:07:01 14074 -ra------ C:\WINDOWS\system32\drivers\exdisk.sys
2008-03-05 11:07:01 45056 -ra------ C:\WINDOWS\DxpAppEx.exe
2008-03-05 11:06:58 49152 -ra------ C:\WINDOWS\system32\HookAPI.dll
2008-03-05 11:06:52 32768 -ra------ C:\WINDOWS\system32\RitShell.dll <Not Verified; ; RitShell Module>
2008-03-05 11:06:43 0 d-------- C:\Program Files\FarStone
2008-03-05 11:04:58 10368 -----n--- C:\WINDOWS\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
2008-03-05 11:04:45 204800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-03-05 11:04:45 188416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2008-03-05 11:04:45 192512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-03-05 11:04:45 192512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2008-03-05 11:04:45 200704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-03-05 11:04:45 20480 --a------ C:\WINDOWS\system32\IVIresize.dll
2008-03-05 11:03:56 59392 --a------ C:\WINDOWS\system32\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
2008-03-05 11:03:56 5248 -----n--- C:\WINDOWS\system32\drivers\udffsrec.sys
2008-03-05 11:03:56 116224 -----n--- C:\WINDOWS\system32\drivers\IviUdf.sys <Not Verified; InterVideo; UDF File System Driver>
2008-03-05 11:03:56 38784 -----n--- C:\WINDOWS\system32\drivers\ivicd.sys <Not Verified; InterVideo; InterVideo C/DVD Filter Driver>
2008-03-05 11:03:48 10752 -----n--- C:\WINDOWS\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
2008-03-05 11:03:42 26694 --a------ C:\WINDOWS\HWS.exe
2008-03-05 11:03:42 26694 --a------ C:\WINDOWS\HMD.exe
2008-03-05 11:03:42 0 d-------- C:\Program Files\InterVideo
2008-03-05 11:03:42 0 d-------- C:\Documents and Settings\jerionmari\Application Data\InterVideo
2008-03-05 11:01:01 74752 --a------ C:\WINDOWS\system32\drivers\Rtnicxp.sys <Not Verified; Realtek Semiconductor Corporation; Realtek 10/100/1000 NIC Family all in one NDIS Driver>
2008-03-05 11:01:00 0 d-------- C:\WINDOWS\OPTIONS
2008-03-05 11:00:51 0 d-------- C:\WINDOWS\system32\Lang
2008-03-05 10:57:55 40960 -r------- C:\WINDOWS\system32\ChCfg.exe
2008-03-05 10:57:30 0 d-------- C:\WINDOWS\system32\RTCOM
2008-03-05 10:56:32 0 d-------- C:\Program Files\Realtek
2008-03-05 10:56:28 487424 -r------- C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-03-05 10:54:22 516096 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-03-05 10:49:46 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-03-05 10:49:17 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-05 10:49:07 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-05 10:47:52 0 d-------- C:\Program Files\MSXML 4.0
2008-03-05 10:47:25 0 d-------- C:\TempEI4
2008-03-05 10:45:09 0 d-------- C:\WINDOWS\system32\PreInstall
2008-03-05 10:45:07 0 d--h----- C:\WINDOWS\$hf_mig$
2008-03-05 10:43:46 0 d-------- C:\Documents and Settings\jerionmari\Application Data\Identities
2008-03-05 10:43:39 0 d--h----- C:\Documents and Settings\jerionmari\Templates
2008-03-05 10:43:39 0 dr------- C:\Documents and Settings\jerionmari\Start Menu
2008-03-05 10:43:39 0 dr-h----- C:\Documents and Settings\jerionmari\SendTo
2008-03-05 10:43:39 0 dr-h----- C:\Documents and Settings\jerionmari\Recent
2008-03-05 10:43:39 0 d--h----- C:\Documents and Settings\jerionmari\PrintHood
2008-03-05 10:43:39 0 d--h----- C:\Documents and Settings\jerionmari\NetHood
2008-03-05 10:43:39 0 dr------- C:\Documents and Settings\jerionmari\My Documents
2008-03-05 10:43:39 0 d--h----- C:\Documents and Settings\jerionmari\Local Settings
2008-03-05 10:43:39 0 dr------- C:\Documents and Settings\jerionmari\Favorites
2008-03-05 10:43:39 0 d-------- C:\Documents and Settings\jerionmari\Desktop
2008-03-05 10:43:39 0 d--hs---- C:\Documents and Settings\jerionmari\Cookies
2008-03-05 10:43:39 0 d--h----- C:\Documents and Settings\jerionmari\Application Data
2008-03-05 10:43:38 2621440 --ah----- C:\Documents and Settings\jerionmari\NTUSER.DAT
2008-03-05 10:38:50 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-03-05 10:34:59 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-03-05 10:34:58 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-03-05 10:34:58 0 d-------- C:\WINDOWS\Prefetch
2008-03-05 10:34:57 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-03-05 10:34:57 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-03-05 10:34:57 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-03-05 10:34:57 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-03-05 10:34:57 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-03-05 10:34:40 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-03-05 10:34:40 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-03-05 10:34:40 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-03-05 10:34:40 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-03-05 10:34:40 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-03-05 10:31:53 0 d-------- C:\WINDOWS\system32\xircom
2008-03-05 10:31:53 0 d-------- C:\Program Files\microsoft frontpage
2008-03-05 10:31:51 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-03-05 10:31:45 0 -rahs---- C:\MSDOS.SYS
2008-03-05 10:31:45 0 -rahs---- C:\IO.SYS
2008-03-05 10:31:45 0 --a------ C:\CONFIG.SYS
2008-03-05 10:31:45 0 --a------ C:\AUTOEXEC.BAT
2008-03-05 10:30:55 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-03-05 10:30:47 0 dr------- C:\WINDOWS\Offline Web Pages
2008-03-05 10:30:47 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-03-05 10:30:36 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-05 10:30:14 0 d-------- C:\WINDOWS\system32\DirectX
2008-03-05 10:29:35 0 d---s---- C:\WINDOWS\Tasks
2008-03-05 10:29:34 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-05 10:29:28 0 d-------- C:\WINDOWS\srchasst
2008-03-05 10:29:27 0 d-------- C:\WINDOWS\system32\Macromed
2008-03-05 10:29:16 0 d-------- C:\Program Files\Movie Maker
2008-03-05 10:29:06 0 d-------- C:\WINDOWS\system32\Restore
2008-03-05 10:28:44 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-05 10:28:30 0 d-------- C:\WINDOWS\Registration
2008-03-05 10:28:03 0 d-------- C:\Program Files\Online Services
2008-03-05 10:27:58 0 d-------- C:\Program Files\Messenger
2008-03-05 10:27:53 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-05 10:27:03 0 d-------- C:\Program Files\Windows NT
2008-03-05 10:26:59 0 d-------- C:\WINDOWS\system32\MsDtc
2008-03-05 10:26:57 0 d-------- C:\WINDOWS\system32\Com


-- Find3M Report ---------------------------------------------------------------

2008-03-05 19:20:19 62 --ahs---- C:\Documents and Settings\jerionmari\Application Data\desktop.ini
2008-03-05 11:05:19 56 --a------ C:\Program Files\Common Files\appop.log


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [10/15/2005 09:51 AM C:\WINDOWS\RTHDCPL.EXE]
"RestoreIT!"="C:\Program Files\FarStone\RestoreIT\RestoreIT_XP\VBPTASK.exe" [04/29/2005 08:39 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [03/05/2008 12:12 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 PM]
"amva"="C:\WINDOWS\system32\amvo.exe" [03/20/2008 12:26 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microtek Scanner Finder.lnk - C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe [3/6/2008 9:20:54 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C59 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBHP.EXE /FU "C:\WINDOWS\TEMP\E_S8A.tmp" /EF "HKLM"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\farstone]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINCINEMAMGR]
"C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a717d25-ea70-11dc-93d7-0016763c047e}]
AutoRun\command- F:\h6o0re.cmd
explore\Command- F:\h6o0re.cmd
open\Command- F:\h6o0re.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c68a622-f4d5-11dc-9409-0016763c047e}]
Auto\command- setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a8d04a0-ea8a-11dc-93dc-0016763c047e}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Desktop.exe
Explore\Command- Desktop.exe
Open\Command- Desktop.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a8d04a6-ea8a-11dc-93dc-0016763c047e}]
Autoplay\Command- F:\xmss.exe
AutoRun\command- F:\xmss.exe
Explore\Command- F:\xmss.exe
Open\Command- F:\xmss.exe




-- End of Deckard's System Scanner: finished at 2008-03-20 14:31:03 ------------

#4
cirej (Topic Starter, Member, 18 posts)
Trojan Found associated at amvo.exe
Malware Group: KAVKOP:Trojan-A

What should I do to remove it???

Prevx CSI Log - Version v1.6.104.130

Some non-malicious files are not included in this log.
C:\WINDOWS\system32\WS2_32.dll InMem: 1 Det [G] MD5: 2ED0B7F12A60F90092081C50FA0EC2B2 PX5: ED479C43003596C5447E01096F563C00A0368937
C:\WINDOWS\system32\WS2HELP.dll InMem: 1 Det [G] MD5: 9BEACB911CA61E5881102188AB7FB431 PX5: D5E6E5C200940F924EAB009267BAC700194216C3
C:\WINDOWS\system32\IMM32.DLL InMem: 1 Det [G] MD5: 87CA7CE6469577F059297B9D6556D66D PX5: 4DA51A0A00D858BFAE4F01B360834F009316407E
C:\WINDOWS\system32\MSGINA.dll InMem: 1 Det [G] MD5: A29AF639AA180CC68C59242A10E1D3B1 PX5: 332D310E00FAA8212CA00F238AD78B0023CDC234
C:\WINDOWS\system32\SHELL32.dll InMem: 1 Det [G] PX5: 215DA58300AF5EA202CF8162043804000AEEC399
REGWINLOG - \REGISTRY\Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon - VmApplet [rundll32 shell32,Control_RunDLL "sysdm.cpl"]
REGSHLEXHOOK - \REGISTRY\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InprocServer32 - {AEB6717E-7E19-11d0-97EE-00C04FD91972} [shell32.dll]
REGDELAY - \REGISTRY\Machine\Software\Classes\CLSID\{7849596a-48ea-486e-8937-a2a3009f31a9}\InprocServer32 - PostBootReminder [%SystemRoot%\system32\SHELL32.dll]
REGDELAY - \REGISTRY\Machine\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 - CDBurn [%SystemRoot%\system32\SHELL32.dll]
REGTOOLBAR - \REGISTRY\Machine\Software\Classes\CLSID\{0E5CBF21-D15F-11D0-8301-00AA005B4383}\InprocServer32 - {0E5CBF21-D15F-11D0-8301-00AA005B4383} [%SystemRoot%\system32\SHELL32.dll]
REGEXPSHELL - \REGISTRY\Machine\Software\Classes\CLSID\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}\InprocServer32 - [%SystemRoot%\system32\SHELL32.dll]
REGEXPSHELL - \REGISTRY\Machine\Software\Classes\CLSID\{24F14F01-7B1C-11d1-838f-0000F80461CF}\InprocServer32 - [%SystemRoot%\system32\SHELL32.dll]
REGEXPSHELL - \REGISTRY\Machine\Software\Classes\CLSID\{24F14F02-7B1C-11d1-838f-0000F80461CF}\InprocServer32 - [%SystemRoot%\system32\SHELL32.dll]
REGEXPSHELL - \REGISTRY\Machine\Software\Classes\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\InprocServer32 - [%SystemRoot%\system32\SHELL32.dll]
REGEXPSHELL - \REGISTRY\Machine\Software\Classes\CLSID\{09799AFB-AD67-11d1-ABCD-00C04FC30936}\InprocServer32 - [%SystemRoot%\system32\SHELL32.dll]
REGEXPSHELL - \REGISTRY\Machine\Software\Classes\CLSID\{A470F8CF-A1E8-4f65-8335-227475AA5C46}\InprocServer32 - [%SystemRoot%\system32\SHELL32.dll]
REGEXPSHELL - \REGISTRY\Machine\Software\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}\InprocServer32 - [%SystemRoot%\system32\SHELL32.dll]
REGEXPSHELL - \REGISTRY\Machine\Software\Classes\CLSID\{ef43ecfe-2ab9-4632-bf21-58909dd177f0}\InprocServer32 - [%SystemRoot%\system32\SHELL32.dll]
REGEXPSHELL - \REGISTRY\Machine\Software\Classes\CLSID\{217FC9C0-3AEA-1069-A2DB-08002B30309D}\InprocServer32 - [shell32.dll]
C:\WINDOWS\system32\SHLWAPI.dll InMem: 1 Det [GP] MD5: 677172D170525883181200DF23E523D3 PX5: 7847F98300CCEE813C2607FB93BF2D005EE2EEDD
C:\WINDOWS\system32\COMCTL32.dll InMem: 1 Det [G] MD5: B0124CB21D28B1C9F678B566B6B57D92 PX5: 58711F2E0031D0D66C9109B3CC40D8001324BA48
C:\WINDOWS\system32\ODBC32.dll InMem: 1 Det [G] MD5: F79D7D98CD764499ECCBAAF3F800D349 PX5: 7B1DF19300CD6699D0980342C9BBC000005C4BB6
C:\WINDOWS\system32\comdlg32.dll InMem: 1 Det [G] MD5: 1EDB1BB89D021955E6F7265911175B8D PX5: 892EEE5500E4EDA63AA104D70FCBB60076D8D62A
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll InMem: 1 Det [G] MD5: C4E80875C1CF1222FC5EFD0314AE5C01 PX5: 56C8CE5E00851B0E16C71080EE38A700B0371013
C:\WINDOWS\system32\odbcint.dll InMem: 1 Det [G] MD5: C237FB08F52F27823C4E4E6705ECD196 PX5: 847B8E9B004B5A42703B01AC5A6AB700CD30D958
C:\WINDOWS\system32\SHSVCS.dll InMem: 1 Det [G] MD5: 6815DEF9B810AEFAC107EEAF72DA6F82 PX5: 2C529D1E00C1F0F70ECC025EA1ABB800AB55D8AD
C:\WINDOWS\system32\sfc.dll InMem: 1 Det [G] MD5: E8A12A12EA9088B4327D49EDCA3ADD3E PX5: 89E84D5200CF03421478002B882F7D00A63C49D3
C:\WINDOWS\system32\sfc_os.dll InMem: 1 Det [G] MD5: 9858CC4D73A4CCF2F852FAE07C11A0B5 PX5: F26B2BAF0018BC9E2489020583C62D00D3EDFCD1
C:\WINDOWS\system32\ole32.dll InMem: 1 Det [G] MD5: AB8231D13692AC5088EB9C226B0C0576 PX5: 37731593007696ED9C6813CFF613B1004A93B4E7
C:\WINDOWS\system32\Apphelp.dll InMem: 1 Det [G] MD5: ECA24AB73FCFFA754D4070CDB03529E3 PX5: CAD3C6370032D7A5F0B3015FD8E92200A7751139
C:\WINDOWS\system32\msctfime.ime InMem: 1 Det [G] MD5: D87041EAA67ECA4394F6D5D09C0C2885 PX5: F657260400203250B436023B63BED10004430D4E
C:\WINDOWS\system32\WINSCARD.DLL InMem: 1 Det [G] MD5: 7BCB23FA39CE266AF4347A6BEAB60F8C PX5: 40DE6C9D00625F258477015397173C002F7330D3
C:\WINDOWS\system32\WTSAPI32.dll InMem: 1 Det [G] MD5: 67F2D109AB373FECEB819F420DB11F03 PX5: C00F08BB00D5C1E748870068B7CF33003C5DB51A
C:\WINDOWS\system32\uxtheme.dll InMem: 1 Det [G] MD5: 2CDE496666A975A2CE8F969F3042C8DB PX5: 004E6F720026350A5600030933650A008FE9F7B0
C:\WINDOWS\system32\WINMM.dll InMem: 1 Det [G] MD5: 90FDAA22F38D9E911F91FA3B8A1F7E5D PX5: 13F5EAB2004B18C7B0AA0253C3C1330003CE5648
C:\WINDOWS\system32\Ati2evxx.dll InMem: 1 Det [G] MD5: 4E16A4EF6CAC62CD4F21EEC7C3683626 PX5: 101077C600AC1D04B4950017FCB09A006A3072FF
REGWINLOG - \REGISTRY\Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent - DLLName [Ati2evxx.dll]
C:\WINDOWS\system32\cscdll.dll InMem: 1 Det [G] MD5: 587729679B4FE04CE06A5C61D6C56DCD PX5: 971F59D600837AC68E6701A3E5B77A00309F7ECB
REGWINLOG - \REGISTRY\Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll - DLLName [cscdll.dll]
C:\WINDOWS\system32\rsaenh.dll InMem: 1 Det [G] MD5: 26ACBD865F8CFF730F1791C4D0854352 PX5: 19B797A900BB112F5426027FDD39EC001D5760F1
C:\WINDOWS\system32\WlNotify.dll InMem: 1 Det [G] MD5: A599E5E366C1408E48AA5D37882D4E3E PX5: B3DE3F08000763CC6ADE017B79CC190098DD584B
REGWINLOG - \REGISTRY\Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp - DLLName [wlnotify.dll]
REGWINLOG - \REGISTRY\Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule - DllName [wlnotify.dll]
REGWINLOG - \REGISTRY\Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn - DLLName [WlNotify.dll]
REGWINLOG - \REGISTRY\Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv - DllName [wlnotify.dll]
REGWINLOG - \REGISTRY\Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon - DLLName [wlnotify.dll]
C:\WINDOWS\system32\WINSPOOL.DRV InMem: 1 Det [G] MD5: 777EB29D0135D81AD9828A2B05443496 PX5: 015C030400CF66743CEC02C1CDE749000B659A52
C:\WINDOWS\system32\MPR.dll InMem: 1 Det [G] MD5: 2CFE80AA3428C09E6DE67FAC50DA65CF PX5: 53E19177002424D9EAD7005EFAA4ED00F14A5B45
C:\WINDOWS\system32\msv1_0.dll InMem: 1 Det [G] MD5: 77C41F9146450C89534704A75836CE56 PX5: 849F823900874A5BFA030136E43C1D00F7CBD368
REGLSA - \REGISTRY\Machine\System\CurrentControlSet\Control\Lsa - Authentication Packages [msv1_0]
REGLSA - \REGISTRY\Machine\System\CurrentControlSet\Control\Lsa - Security Packages [kerberos]
C:\WINDOWS\system32\iphlpapi.dll InMem: 1 Det [G] MD5: 011EACF9153EF90E6CBCE2987ACAE411 PX5: 352A2D9200DB457772C6019AB1E38E009C7A5700
C:\WINDOWS\system32\SAMLIB.dll InMem: 1 Det [G] MD5: EBE12F403FDE45E7312E7BF764BFB6C6 PX5: C6E9EBFF00376E94FAAE002B3D4FE600C1F3F18E
C:\WINDOWS\system32\cscui.dll InMem: 1 Det [G] MD5: 51230212AE7F8159A90F06A7EA30DD8A PX5: 7251405F009E1821FC4204FF4DD95A00364FF1CF
REGGPOLICY - \REGISTRY\Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8} - DllName [%SystemRoot%\System32\cscui.dll]
REGSHELLEXT - \REGISTRY\Machine\Software\Classes\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InprocServer32 - {750fdf0e-2a26-11d1-a3ea-080036587f03} [%SystemRoot%\System32\cscui.dll]
REGSHELLEXT - \REGISTRY\Machine\Software\Classes\CLSID\{10CFC467-4392-11d2-8DB4-00C04FA31A66}\InprocServer32 - {10CFC467-4392-11d2-8DB4-00C04FA31A66} [%SystemRoot%\System32\cscui.dll]
REGSHELLEXT - \REGISTRY\Machine\Software\Classes\CLSID\{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}\InprocServer32 - {AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} [%SystemRoot%\System32\cscui.dll]
C:\WINDOWS\system32\wdmaud.drv InMem: 1 Det [G] MD5: D6A8DC8C374EEA24744F2D4E87CA0E7E PX5: 9E997A9100E00AB25C2E0007BFD7ED00D6DB759F
REGDRIVER - \REGISTRY\Machine\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 - wave [wdmaud.drv]
REGDRIVER - \REGISTRY\Machine\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 - midi [wdmaud.drv]
REGDRIVER - \REGISTRY\Machine\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 - mixer [wdmaud.drv]
REGDRIVER - \REGISTRY\Machine\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 - aux [wdmaud.drv]
REGDRIVER - \REGISTRY\Machine\Software\Microsoft\Windows NT\CurrentVersion\Userinstallable.drivers - wave [wdmaud.drv]
C:\WINDOWS\system32\MPRAPI.dll InMem: 1 Det [G] MD5: 9F78F329B1858E845087B923B4DBA0F3 PX5: 89A9326300429D6F544C0140C8E6CF006BE03453
C:\WINDOWS\system32\ACTIVEDS.dll InMem: 1 Det [G] MD5: 875D770F477E0AE0088BE1810D537B23 PX5: 67FDEADE001365B1F639027CBF788C007F0C0466
C:\WINDOWS\system32\adsldpc.dll InMem: 1 Det [G] MD5: 12A581CA44E53B09D24C5B94F252C78D PX5: B147B9E700C7511F3070026D6E9329002B36B91C
C:\WINDOWS\system32\WLDAP32.dll InMem: 1 Det [G] MD5: 10F36FA092D7A309A0647FCDC764AE6C PX5: BB7512DA00E90F3EA05602946259A9007F8695BD
C:\WINDOWS\system32\ATL.DLL InMem: 1 Det [G] MD5: 2D40EDB9BF811590DAD7406DEC67B926 PX5: 5E305C2100F089A0E682004447382A00FDED6863
C:\WINDOWS\system32\OLEAUT32.dll InMem: 1 Det [G] MD5: 0144ABC4C4A624B583D432EE478A711C PX5: D1F593D800E8FAF668CA0813471870000992F532
C:\WINDOWS\system32\rtutils.dll InMem: 1 Det [G] MD5: 2030FA027E7C3E0A145649C03171457B PX5: 47F262E000A76D5BAC5800EFA3AA12007319C827
C:\WINDOWS\system32\xpsp2res.dll InMem: 1 Det [G] MD5: 1320AEA7057A26A671D9548CC7BEBDA5 PX5: DA22457E009A2BE138AD2CE13B304000CC3BE023
C:\WINDOWS\system32\msacm32.drv InMem: 1 Det [G] MD5: 9A3BD5F55AADFF859539142F6328A66E PX5: 0A0C500500C4AB055058007FB94555005B041DD7
REGDRIVER - \REGISTRY\Machine\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP - wavemapper [msacm32.drv]
C:\WINDOWS\system32\MSACM32.dll InMem: 1 Det [G] MD5: 975D12353B1D525C0F3444C447FB3B9A PX5: F818B09C0055EBEA18B101729A6EC6002AD08A29
C:\WINDOWS\system32\midimap.dll InMem: 1 Det [G] MD5: 3B4702155BB2AE9DC00C06A68834BDFA PX5: 57090CFC0008E4CA4A4F00428AB4320020C9C16A
REGDRIVER - \REGISTRY\Machine\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP - midimapper [midimap.dll]
C:\WINDOWS\system32\NTMARTA.DLL InMem: 1 Det [G] MD5: DAA91B358E685FC6CCA9ACA72BE6FE85 PX5: 1E915E1600DB5D12D0A801955C4BCF00D7074068
REGLSA - \REGISTRY\Machine\System\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider - ProviderPath [%SystemRoot%\system32\ntmarta.dll]
C:\WINDOWS\system32\COMRes.dll InMem: 1 Det [G] MD5: 6728270CB7DBB776ED086F5AC4C82310 PX5: 056D8FA100E39E7216470C7CE8FD7800B3987822
C:\WINDOWS\system32\CLBCATQ.DLL InMem: 1 Det [G] MD5: EC8A848FC4F17F3B3D9DA4A0C43FB930 PX5: F6005FF8002694229C2707EE8C3E3200AE61E555
C:\WINDOWS\system32\services.exe InMem: 1 Det [G] MD5: C6CE6EEC82F187615D1002BB3BB50ED4 PX5: 1B167F4F0083E585A6B8011373392400F157C83B
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\Eventlog - ImagePath [C:\WINDOWS\system32\services.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\PlugPlay - ImagePath [C:\WINDOWS\system32\services.exe]
C:\WINDOWS\system32\SCESRV.dll InMem: 1 Det [G] MD5: 9A42C1F3154545A4D32E5043038B01FA PX5: D5457DC900476E25CA9904FA093453007CE1D3EE
C:\WINDOWS\system32\umpnpmgr.dll InMem: 1 Det [G] MD5: 586211F4FF4BC49CC215C956919CD33B PX5: 9778CA37001C999DE21901CEE9332600C8A8FDFF
C:\WINDOWS\system32\NCObjAPI.DLL InMem: 1 Det [G] MD5: DA201A0A309B96381FD674D0FAB5DA86 PX5: 4A760B7A005A24058E1B000579721100D7860F10
C:\WINDOWS\system32\MSVCP60.dll InMem: 1 Det [G] MD5: 1F57EB5B92B2AC7F9D71A77D184D8C13 PX5: 529F9CCA00E65E4E50F406DD88392600874CC458
C:\WINDOWS\system32\ShimEng.dll InMem: 1 Det [G] MD5: 43DA983415EA533F9E667FDB415F4655 PX5: 187925F700B0758B00BE01FCD873B4008BD47C54
C:\WINDOWS\AppPatch\AcAdProc.dll InMem: 1 Det [G] MD5: 744EA281298317E91C3BEA70BF3843D4 PX5: 4481FDAC006BDDB69ABC00D7D79D140035AF8893
C:\WINDOWS\system32\eventlog.dll InMem: 1 Det [G] MD5: 82B24CB70E5944E6E34662205A2A5B78 PX5: 74C0ACE400BB539DDA760019C66FFE004EA8E15E
C:\WINDOWS\system32\lsass.exe InMem: 1 Det [G] MD5: 84885F9B82F4D55C6146EBF6065D75D2 PX5: E322179B00AF6D2D3445003B3C2E0700A1B0AF84
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\Netlogon - ImagePath [C:\WINDOWS\system32\lsass.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\NtLmSsp - ImagePath [C:\WINDOWS\system32\lsass.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\PolicyAgent - ImagePath [C:\WINDOWS\system32\lsass.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\ProtectedStorage - ImagePath [C:\WINDOWS\system32\lsass.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\SamSs - ImagePath [C:\WINDOWS\system32\lsass.exe]
C:\WINDOWS\system32\LSASRV.dll InMem: 1 Det [G] MD5: F1C69FD5009CD4219C8DCA5DF475D66B PX5: EB2E7D6200430BBE04C40B96CAC04A0051502E73
C:\WINDOWS\system32\NTDSAPI.dll InMem: 1 Det [G] MD5: 6201BACF384292A5FE94CE73364AE53A PX5: 829FACD8005095330684014F43849600A4A7FB8D
C:\WINDOWS\system32\DNSAPI.dll InMem: 1 Det [G] MD5: 16E68F1DB0E37C13A5FB5F9611A38EDC PX5: 74EB5FA400091D754463024F4ED97A0092707122
C:\WINDOWS\system32\SAMSRV.dll InMem: 1 Det [G] MD5: E15154E7FDA8A580A8F74C7CC16B1FFE PX5: 253D430300438A98588C06CDDB739000272E6768
C:\WINDOWS\system32\cryptdll.dll InMem: 1 Det [G] MD5: EF5B64A9CD71ED27E837165C08DA4CC1 PX5: 03BDA30E00C2568782E70078CCDCA600FB107A2E
C:\WINDOWS\AppPatch\AcGenral.DLL InMem: 1 Det [G] MD5: FB537F29A827D78F756154CF397A113F PX5: A5E070E5008A3CA2449B1C759DD89C00AE77A675
C:\WINDOWS\system32\msprivs.dll InMem: 1 Det [G] MD5: 6BEC17053284E847CF1FBB8C9A181E1E PX5: B7C3D94D00650CDCBC0A0065E2B2780073142639
C:\WINDOWS\system32\kerberos.dll InMem: 1 Det [G] MD5: FC3BCBEF084377FB3AB43E0E2FF812CB PX5: 2815B079000EADB3847504C1A6094F009DAE1FF3
REGLSA - \REGISTRY\Machine\System\CurrentControlSet\Control\Lsa - Security Packages [kerberos]
C:\WINDOWS\system32\netlogon.dll InMem: 1 Det [G] MD5: 96353FCECBA774BB8DA74A1C6507015A PX5: 4AD0CDF2006A3C7F36AD06B5AE145400218BAC7A
REGRPC - \REGISTRY\Machine\Software\Microsoft\Rpc\SecurityService - 68 [netlogon.dll]
C:\WINDOWS\system32\w32time.dll InMem: 1 Det [G] MD5: 2B281958F5D0CF99ED626E3EF39D5C8D PX5: 4B83AABA0027599EAA46024D449B460048D4CD90
C:\WINDOWS\system32\schannel.dll InMem: 1 Det [G] MD5: 532EA80E9F5452928F8426653215BE29 PX5: E084CAFD00263F4C3618026895AF4E00D376B1B0
REGRUNGEN - \REGISTRY\Machine\System\CurrentControlSet\Control\SecurityProviders - SecurityProviders [msapsspc.dll]
REGLSA - \REGISTRY\Machine\System\CurrentControlSet\Control\Lsa - Security Packages [kerberos]
REGRPC - \REGISTRY\Machine\Software\Microsoft\Rpc\SecurityService - 14 [schannel.dll]
C:\WINDOWS\system32\wdigest.dll InMem: 1 Det [G] MD5: C43D8F6FF8AC074CCD9B34B781E23E86 PX5: BFED3C3A008AC87AC0050035BC2B7B00252EECE6
REGLSA - \REGISTRY\Machine\System\CurrentControlSet\Control\Lsa - Security Packages [kerberos]
C:\WINDOWS\system32\scecli.dll InMem: 1 Det [G] MD5: 0F78E27F563F2AAF74B91A49E2ABF19A PX5: BA60DFD7007FF03BC0B10210E447DA00431A9EA5
REGGPOLICY - \REGISTRY\Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A} - DllName [scecli.dll]
REGGPOLICY - \REGISTRY\Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} - DllName [scecli.dll]
REGLSA - \REGISTRY\Machine\System\CurrentControlSet\Control\Lsa - Notification Packages [scecli]
C:\WINDOWS\system32\ipsecsvc.dll InMem: 1 Det [G] MD5: D1E299962B5956005113EC4AB1E0D9B7 PX5: A284B00D004412D1CACE0214647C4E008303B9B3
C:\WINDOWS\system32\oakley.DLL InMem: 1 Det [G] MD5: A76128BE63EEA6A3AF521A0576D3EBF7 PX5: B3FA2D0E00AA18AE12B804D88D758200387B1E01
C:\WINDOWS\system32\WINIPSEC.DLL InMem: 1 Det [G] MD5: 2B2F31E3F2CE3723C1B0F3700C8BE28B PX5: 316A8F9B009E219D8062008DBEE6D100C6CDF6D8
C:\WINDOWS\system32\pstorsvc.dll InMem: 1 Det [G] MD5: 306B30A036DB25FCB76B507FEDE07D58 PX5: D5E6DE15002AB97486EE00295E3519004311F809
C:\WINDOWS\system32\mswsock.dll InMem: 1 Det [G] MD5: 4E74AF063C3271FBEA20DD940CFD1184 PX5: 16BCD2890051C955BE5B03DEED8C6800046E1E5A
REGLSP - \REGISTRY\Machine\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 - PackedCatalogItem [%SystemRoot%\system32\mswsock.dll]
REGLSP - \REGISTRY\Machine\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 - PackedCatalogItem [%SystemRoot%\system32\mswsock.dll]
REGLSP - \REGISTRY\Machine\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 - PackedCatalogItem [%SystemRoot%\system32\mswsock.dll]
REGLSP - \REGISTRY\Machine\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 - PackedCatalogItem [%SystemRoot%\system32\mswsock.dll]
REGLSP - \REGISTRY\Machine\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 - PackedCatalogItem [%SystemRoot%\system32\mswsock.dll]
REGLSP - \REGISTRY\Machine\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 - PackedCatalogItem [%SystemRoot%\system32\mswsock.dll]
REGLSP - \REGISTRY\Machine\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 - PackedCatalogItem [%SystemRoot%\system32\mswsock.dll]
REGLSP - \REGISTRY\Machine\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 - PackedCatalogItem [%SystemRoot%\system32\mswsock.dll]
REGLSP - \REGISTRY\Machine\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 - PackedCatalogItem [%SystemRoot%\system32\mswsock.dll]
REGLSP - \REGISTRY\Machine\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 - LibraryPath [%SystemRoot%\System32\mswsock.dll]
REGLSP - \REGISTRY\Machine\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 - LibraryPath [%SystemRoot%\System32\mswsock.dll]
C:\WINDOWS\system32\hnetcfg.dll InMem: 1 Det [G] MD5: 765B30C776A1780B46B479FE614F707C PX5: 7D93B95F0053B42340FE05BA958353001E056FC5
C:\WINDOWS\System32\wshtcpip.dll InMem: 1 Det [G] MD5: A7F95A53EE055115DF03588997A47D4D PX5: DC9BB447001573924E70000972CCB00010ED4F34
C:\WINDOWS\system32\psbase.dll InMem: 1 Det [G] MD5: 4D3CCDF22D2B4BAE229BA73B81D13E26 PX5: 0E574A8700AB3CF97AE50134B55DCA00B9B05876
C:\WINDOWS\system32\dssenh.dll InMem: 1 Det [G] MD5: CACD2C63A79268D131EA37E85524CC44 PX5: 31E843BE00E2A81C18FA0265E10B6500232880A4
C:\WINDOWS\system32\Ati2evxx.exe InMem: 1 Det [G] MD5: 60D2D92BD2390C50BCE4106113F8B83B PX5: B0C63981006E5804C035057E52F7F500107B81AD
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\Ati HotKey Poller - ImagePath [C:\WINDOWS\system32\Ati2evxx.exe]
C:\WINDOWS\system32\Ati2edxx.dll InMem: 1 Det [G] MD5: 6E6D9E0C45AED9A46A1CD09104D53E79 PX5: ABA7148800C2C19B9CF4001E50AB6A00AEAA820C
C:\WINDOWS\system32\svchost.exe InMem: 1 Det [G] MD5: 8F078AE4ED187AAABC0A305146DE6716 PX5: DAF1E19400616549387D0095555BE300779F3C3D
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\Alerter - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\AppMgmt - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\AudioSrv - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\BITS - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\Browser - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\CryptSvc - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\DcomLaunch - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\Dhcp - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\dmserver - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\Dnscache - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\ERSvc - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\EventSystem - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\helpsvc - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\HidServ - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\HTTPFilter - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\lanmanserver - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\lanmanworkstation - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\LmHosts - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\Messenger - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\Netman - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\Nla - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\NtmsSvc - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\RasAuto - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\RasMan - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\RemoteAccess - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\RpcSs - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\Schedule - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\seclogon - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\SENS - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\SharedAccess - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\ShellHWDetection - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\srservice - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\SSDPSRV - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\stisvc - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\TapiSrv - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\TermService - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\Themes - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\TrkWks - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\upnphost - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\usprserv - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\W32Time - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\WebClient - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\winmgmt - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\WmdmPmSN - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\wscsvc - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\wuauserv - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\WudfSvc - ImagePath [C:\WINDOWS\system32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\WZCSVC - ImagePath [C:\WINDOWS\System32\svchost.exe]
REGSERVICE - \REGISTRY\Machine\SYSTEM\ControlSet001\Services\xmlprov - ImagePath [C:\WINDOWS\System32\svchost.exe]
c:\windows\system32\rpcss.dll InMem: 1 Det [G] MD5: CE94A2BD25E3E9F4D46A7373FF455C6D PX5: D822603D00CD66D9129D06DB0B7B1D007E9F1628
c:\windows\system32\termsrv.dll InMem: 1 Det [G] MD5: B60C877D16D9C880B952FDA04ADF16E6 PX5: B23DB7CA00529A76824404BBA1C0E500E194B6BF
c:\windows\system32\ICAAPI.dll InMem: 1 Det [G] MD5: 37E7DB460A5315E4609B212C6C014527 PX5: 250F3DFD00F33C1F2CA90044E2AB0700656E66F3
c:\windows\system32\mstlsapi.dll InMem: 1 Det [G] MD5: F5EE7CACD1784241F138A5E55B715897 PX5: C2680D8300018E10C49501D751FA98009B3E7AB6
C:\WINDOWS\System32\winrnr.dll InMem: 1 Det [G] MD5: 2C8FDB176F22629EA5342DB474FAC391 PX5: B99E0E8D00542DFA424300FED26B3C00567EC44F
REGLSP - \REGISTRY\Machine\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 - LibraryPath [%SystemRoot%\System32\winrnr.dll]
C:\WINDOWS\system32\rasadhlp.dll InMem: 1 Det [G] MD5: 5F098BD2AE6B03044B085DECFFDF91EC PX5: 730EB3E100BD805F2027003B3C2E0700962FB09B
c:\windows\system32\dhcpcsvc.dll InMem: 1 Det [G] MD5: EF545E1A4B043DA4C84E230DD471C55F PX5: A9EBC5D6001A18F3B4B401620314F40088368459
c:\windows\system32\wzcsvc.dll InMem: 1 Det [G] MD5: 5A91E6FEAB9F901302FA7FF768C0120F PX5: 5355281100DAD0967EED053F74F17200F9EBFA10
c:\windows\system32\WMI.dll InMem: 1 Det [G] MD5: E682696D7F982494A8CFC80C5B59D422 PX5: 07C4E937009487D016E3006A26ACBD000B74A165
c:\windows\system32\ESENT.dll InMem: 1 Det [G] MD5: 50DE118DA580208B914B40DD47C90D52 PX5: C8A857690088C1A584B81050256A6800C9E1A40E
C:\WINDOWS\System32\rastls.dll InMem: 1 Det [G] MD5: ADEAC063A3757E8FBC242BB4414D632B PX5: 41012AE700D403D9B68C010C32391300A1CC1B25
C:\WINDOWS\system32\CRYPTUI.dll InMem: 1 Det [G] MD5: 4AC302BF714DC163E685D0A187A36D0F PX5: 0555EC6A006F02A8D26607A164A23A00FADACFBB
C:\WINDOWS\system32\WININET.dll InMem: 1 Det [G] MD5: 806D274C9A6C3AAEA5EAE8E4AF841E04 PX5: 64BDA9C5005A040F96240C6FE57D76000A931BF0
C:\WINDOWS\system32\Normaliz.dll InMem: 1 Det [G] MD5: 10753A3ADC3E39A3B10CC3F08E98E6B4 PX5: E3FC1A7000BA1C775C420052AC60C600F74EBAFC
C:\WINDOWS\system32\iertutil.dll InMem: 1 Det [G] MD5: 3844E460C6CAECEAD3B5C782E656BAFD PX5: 0E5B27A60009B20016DB048CFD649C002B077E31
C:\WINDOWS\System32\RASAPI32.dll InMem: 1 Det [G] MD5: CD1F7ED9842138BEADF9ECBF37818BEF PX5: B42570E300C0A51B9C9A03B11C4470004F247D2C
C:\WINDOWS\System32\rasman.dll InMem: 1 Det [G] MD5: 30E244A707E6CE0A4B099CD6384EC6CA PX5: EDBB389C0036CD71F0EF007B23C7E500D974B004
C:\WINDOWS\System32\TAPI32.dll InMem: 1 Det [G] MD5: 6307A1B82F6CA87D7E0CDF49E6E7BC00 PX5: 7AE4E0A400D5864AC64B02EEA63BF300C0418EFD