
trojan.onlinegames.thx [RESOLVED]


This topic is locked

#1 mbha (Member, 19 posts)
Hi:

My system has been infected with trojan.onlinegames.thx. I have installed AVG Anti-Spyware 7.5, and repeated scans display occurrences of this trojan and some others as well. The only option available is to quarantine this trojan, but once I do that and scan again, I find another occurrence of this trojan in the system.

I tried to search for this virus using Google and could not find any specific removal instruction; therefore, I seek your expert opinion regarding this.

Also, the system is not allowing me to change the folder option "Show System Files and Folders" and does not let me uncheck "Hide Protected Operating System Files".

Thanks & Regards,
MBHA

Hijack This Log is as under:
==================================================================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:40 AM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mahim\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.co...me/3000notebook
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/3000notebook
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.we...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4927D037-277F-4586-B3B2-3C53BF4A79F2}: NameServer = 202.56.215.6,202.56.230.6
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Collaboration Runtime Service (xmppd-jse) - Unknown owner - C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe

--
End of file - 10436 bytes
==================================================================================================

#2 Tal (Trusted Helper, Retired Staff, 2,138 posts)
Hello mbha, welcome to GeeksToGo! :)

My name is Tal, and I will be assisting you in the process of removing malware from your computer. I am going through your logs now, and I'll be back soon with instructions on how to proceed.

As I'm still in training, my replies to you have to be approved before posting, so please excuse delays between replies.

Tal.

#3 mbha (Topic Starter, Member, 19 posts)
Thanks a lot for looking into this problem... Please take your time.

#4 Tal (Trusted Helper, Retired Staff, 2,138 posts)
Hello mbha,

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:
  • Please don't be afraid to ask questions! :) No question is considered dumb here. It's better to be safe than sorry!
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you witness a certain entry or program you're unsure about, please don't hesitate to ask! :)

Step 1: Correcting entry with HijackThis

Please re-open HijackThis and click Scan. Put a check next to the following entries presented in the window: (Do NOT click Fix yet!)

O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
Now, close all other windows but HijackThis, including Explorer windows (folders) and this window, and click Fix. Note: It is vital you close all other windows, otherwise the fix will not succeed.

Step 2: Deleting file in Safe Mode

First, let's make Windows show hidden files and folders. Hidden files and folders are usually systems files and they are hidden to prevent users from accidentally deleting them. However, malware often uses hidden files and folders to prevent its deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Please save the following instructions in a notepad file on your desktop as you will not be able to access this website during this stage of the fix.

Restart your computer and, as soon as it starts booting up, continuously press F8. A menu will show up. Choose Safe Mode using the enter keys and press Enter. Note that Safe Mode might take some time to load, so please be patient.

After the computer has entered Safe Mode, navigate to the following folders, and delete the following files marked in bold:

C:\WINDOWS\system32\amvo.exe

Restart your computer. It will reboot back automatically into Normal Mode.

Step 3: Scanning with DSS

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Note: It's likely that the two logs won't fit into one post. If so, please post extra.txt in a separate post.

In your next reply, please include both DSS logs.

Regards & good night,

Tal

#5 mbha (Topic Starter, Member, 19 posts)
Hi Tal:

I followed your instructions verbatim. The details for your reference are as under:

Step 1: Correcting entry with HijackThis: Followed the instructions and fixed the entry using HijackThis only after closing all the applications and browser windows.

Step 2: Deleting file in Safe Mode: I followed the steps mentioned above to view "Hidden" files, but the system automatically reverts back to "Do Not Show Hidden Files and Folders" as soon as we hit the "Apply" and "OK" buttons. This was the problem that I had highlighted in my first post too. The system did not allow any changes to this setting even in Safe Mode.

I was not able to find amvo.exe in C:\WINDOWS\system32, but found amvo.dll instead. Please tell me what I should do with amvo.dll.


Step 3: Scanned using DSS, and here is the main log:

=====================================================
Deckard's System Scanner v20071014.68
Run by Mahim on 2008-03-31 23:19:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x00000001


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Mahim.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:58 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
C:\Documents and Settings\Mahim\Desktop\dss.exe
C:\DOCUME~1\Mahim\Desktop\Mahim.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.co...me/3000notebook
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/3000notebook
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.we...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4927D037-277F-4586-B3B2-3C53BF4A79F2}: NameServer = 202.56.215.6,202.56.230.6
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Collaboration Runtime Service (xmppd-jse) - Unknown owner - C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe

--
End of file - 10412 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\Mahim\Desktop\backups\) ---------------

backup-20080323-020736-241 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080331-223944-376 O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ANC - c:\windows\system32\drivers\anc.sys <Not Verified; IBM Corp.; IBM Access Connections>
R1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
R1 TSMAPIP - c:\windows\system32\drivers\tsmapip.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.5.3.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.5.3.0>
R2 EGATHDRV (IBM eGatherer) - c:\windows\system32\egathdrv.sys <Not Verified; IBM Corporation; IBM eGatherer>
R2 pmem - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 smi2 - c:\program files\smi2\smi2.sys <Not Verified; IBM Corp.; TVT SMI Bios driver>
R2 tvtfilter - c:\windows\system32\drivers\tvtfilter.sys <Not Verified; Lenovo; Rescue and Recovery>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 psadd (Lenovo Parties Service Access Device Driver) - c:\windows\system32\drivers\psadd.sys <Not Verified; Lenovo; PSA Driver>

S1 TPHKDRV - c:\windows\system32\drivers\tphkdrv.sys <Not Verified; IBM Corporation; ThinkPad OnScreenDisplay>
S3 BVRPMPR5 (BVRPMPR5 NDIS Protocol Driver) - c:\windows\system32\drivers\bvrpmpr5.sys <Not Verified; BVRP Software; BVRPNDIS Rawether for Windows>
S3 PcdrNdisuio (PCDRNDISUIO Usermode I/O Protocol) - c:\windows\system32\drivers\pcdrndisuio.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Diskeeper - "c:\program files\diskeeper corporation\diskeeper\dkservice.exe" <Not Verified; Diskeeper Corporation; Diskeeper ™ Disk Defragmenter>
R2 PMSveH - c:\program files\lenovo\pm driver\pmsveh.exe <Not Verified; Lenovo; PMSveH>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 SUService (System Update) - c:\program files\lenovo\system update\suservice.exe <Not Verified; Lenovo Group Limited; ThinkVantage System Update Service>
R2 TVT Scheduler - "c:\program files\common files\lenovo\scheduler\tvtsched.exe" <Not Verified; Lenovo Group Limited; tvtsched Module>

S2 xmppd-jse (Collaboration Runtime Service) - c:\program files\sun\jstudio_ent81\collab\bin\xmppd-jse.exe
S3 Cwbrxd (Client Access Express Remote Command) - c:\windows\cwbrxd.exe <Not Verified; IBM Corporation; IBM® AS/400® Client Access Express for Windows®>
S3 PsaSrv (IBM PSA Access Driver Control) - c:\windows\system32\psasrv.exe (file missing)
S3 ServiceLayer - "c:\program files\common files\pcsuite\services\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-20 16:26:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-02-29 and 2008-03-31 -----------------------------

2008-03-31 22:35:45 103704 -r-hs---- C:\q.com
2008-03-31 22:34:29 70656 --a------ C:\WINDOWS\system32\a_m_v_o_0.dll
2008-03-30 22:31:22 103624 -r-hs---- C:\rthrw.com
2008-03-30 00:14:16 103421 -r-hs---- C:\jiwsxh39.exe
2008-03-29 00:21:02 16384 --a------ C:\WINDOWS\system32\WorkAfterReboot.exe
2008-03-28 22:13:45 103953 -r-hs---- C:\gjn2pjlw.exe
2008-03-23 02:08:30 0 d-------- C:\smitRem
2008-03-23 01:48:54 0 d-------- C:\Documents and Settings\Mahim\Application Data\Grisoft
2008-03-23 01:48:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-23 01:09:49 0 d-------- C:\Documents and Settings\Mahim\.housecall6.6
2008-03-23 00:51:48 100883 -r-hs---- C:\cb.bat
2008-03-23 00:51:22 70656 -r-hs---- C:\WINDOWS\system32\amvo1.dll
2008-03-22 21:02:25 103704 -r-hs---- C:\WINDOWS\system32\amvo.exe
2008-03-01 19:21:36 0 d-------- C:\Documents and Settings\Mahim\Application Data\webex


-- Find3M Report ---------------------------------------------------------------

2008-03-30 00:10:54 5427 --a------ C:\WINDOWS\system32\EGATHDRV.SYS <Not Verified; IBM Corporation; IBM eGatherer>
2008-03-28 22:53:48 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-28 22:52:08 0 d-------- C:\Program Files\Common Files
2008-03-21 01:35:18 0 d-------- C:\Documents and Settings\Mahim\Application Data\OpenOffice.org2
2008-03-19 22:55:11 4964 --a------ C:\Documents and Settings\Mahim\Application Data\NMM-MetaData.db
2008-03-19 22:46:50 212 --a------ C:\WINDOWS\recover.reg
2008-02-27 00:45:50 0 d-------- C:\Documents and Settings\Mahim\Application Data\WordWeb
2008-02-27 00:32:46 0 d-------- C:\Program Files\WordWeb
2008-02-27 00:10:31 0 d-------- C:\Program Files\NetMeter
2008-02-26 23:46:20 0 d-------- C:\Program Files\Logtime
2008-02-26 23:37:02 0 d-------- C:\Documents and Settings\Mahim\Application Data\GetRightToGo
2008-02-15 22:03:57 0 d-------- C:\Program Files\Western Digital Technologies
2008-02-07 22:47:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-07 22:46:53 0 d-------- C:\Program Files\Canon


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown



-- End of Deckard's System Scanner: finished at 2008-03-31 23:20:43 ------------

==========================================================
  • 0

#6
mbha (Member, Topic Starter, 19 posts)
Here is the extra log:
=====================================
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU T5500 @ 1.66GHz
CPU 1: Intel® Core™2 CPU T5500 @ 1.66GHz
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 1014.11 MiB / 555.28 MiB
Pagefile Memory (total/avail): 2441.25 MiB / 2026.57 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1921.43 MiB

C: is Fixed (NTFS) - 69.61 GiB total, 28.86 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHV2080BH PL - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 69.61 GiB - C:
\PARTITION1 - Unknown - 4.92 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Mahim\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip;C:\Program Files\Apache Software Foundation\Tomcat .;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip;
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LENOVO-F9BBC26C
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mahim
LOGONSERVER=\\LENOVO-F9BBC26C
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=;C:\Program Files\Java\jdk1.5.0\bin;.;C:\Program Files\Common Files\Lenovo;C:\Program Files\Lenovo\Client Security Solution;C:\Program Files\Sun\jstudio_ent81\ide\uml2\modules\DoorsIntegrationFiles\modules\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
RR=C:\Program Files\Lenovo\Rescue and Recovery
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SWSHARE=C:\SWSHARE
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Mahim\LOCALS~1\Temp
TMP=C:\DOCUME~1\Mahim\LOCALS~1\Temp
TPCCommon=C:\PROGRA~1\Lenovo\LENOVO~2
TVT=C:\Program Files\Lenovo
TVTCOMMON=C:\Program Files\Common Files\Lenovo
TVTPYDIR=C:\Program Files\Common Files\Lenovo\Python24
USERDOMAIN=LENOVO-F9BBC26C
USERNAME=Mahim
USERPROFILE=C:\Documents and Settings\Mahim
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Mahim (admin)
Nidhi
Aseem
Geetika


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type15777 / Error
Event Submitted/Written: 03/31/2008 11:14:25 PM
Event ID/Source: 1802 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Event Record #/Type15776 / Error
Event Submitted/Written: 03/31/2008 11:14:24 PM
Event ID/Source: 0 / xmppd-jse
Event Description:
XMPP: Couldn't load any of the following Java VMs from C:\Program Files\Java\jdk1.5.0: jre\bin\jvm.dll, bin\jvm.dll, jre\bin\server\jvm.dll, bin\server\jvm.dll, jre\bin\client\jvm.dll, bin\client\jvm.dll, : 3 The system cannot find the path specified.

Event Record #/Type15767 / Error
Event Submitted/Written: 03/31/2008 10:33:32 PM
Event ID/Source: 1802 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Event Record #/Type15765 / Error
Event Submitted/Written: 03/31/2008 10:33:31 PM
Event ID/Source: 0 / xmppd-jse
Event Description:
XMPP: Couldn't load any of the following Java VMs from C:\Program Files\Java\jdk1.5.0: jre\bin\jvm.dll, bin\jvm.dll, jre\bin\server\jvm.dll, bin\server\jvm.dll, jre\bin\client\jvm.dll, bin\client\jvm.dll, : 3 The system cannot find the path specified.

Event Record #/Type15755 / Error
Event Submitted/Written: 03/30/2008 10:29:00 PM / 03/30/2008 10:29:01 PM
Event ID/Source: 1802 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type24146 / Error
Event Submitted/Written: 03/31/2008 11:15:50 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
TPHKDRV

Event Record #/Type24145 / Error
Event Submitted/Written: 03/31/2008 11:15:50 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Collaboration Runtime Service service terminated with the following error:
%%3

Event Record #/Type24143 / Error
Event Submitted/Written: 03/31/2008 11:14:05 PM / 03/31/2008 11:14:35 PM
Event ID/Source: 4307 / NetBT
Event Description:
Initialization failed because the transport refused to open initial Addresses.

Event Record #/Type24138 / Error
Event Submitted/Written: 03/31/2008 11:13:14 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type24137 / Error
Event Submitted/Written: 03/31/2008 11:10:27 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}



-- End of Deckard's System Scanner: finished at 2008-03-31 23:20:43 ------------

=============================
  • 0

#7
Tal (Trusted Helper, Retired Staff, 2,138 posts)
Hi, sorry about the delay.

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\a_m_v_o_0.dll
    C:\q.com
    C:\rthrw.com
    C:\jiwsxh39.exe
    C:\WINDOWS\system32\WorkAfterReboot.exe
    C:\gjn2pjlw.exe
    C:\WINDOWS\system32\amvo1.dll
    C:\WINDOWS\system32\amvo.exe
    C:\cb.bat
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

In your next reply, please include the OTMoveIt log as well as a new DSS log. Note that DSS will only generate a shortened version of the main.txt log this time.

Regards,

Tal :)
  • 0
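The move list in the reply above was read off the DSS "Files created" block: executables dropped straight into C:\ with read-only, hidden and system attributes, plus new executables in system32. As an added example (not code from this thread, nor from DSS, OTMoveIt or HijackThis), the following Python script applies those rules mechanically to the log lines posted above and cross-references the result with HijackThis O4 (Run key) lines from the HijackThis log in this thread; the scoring rules are the example's own assumptions, not DSS logic.

```python
"""Triage helper for the "Files created" block of a Deckard's System Scanner
(DSS) log.  Added example for this thread, not part of DSS, OTMoveIt or
HijackThis: it applies, as code, the rules a removal helper uses when turning
the file list into an OTMoveIt move list.  The sample lines are copied from
the DSS and HijackThis logs posted in the thread; the rules are this example's.
"""
import re

# Sample input: the "Files created" block from the DSS main.txt posted above.
DSS_FILES_CREATED = r"""
2008-03-31 22:35:45 103704 -r-hs---- C:\q.com
2008-03-31 22:34:29 70656 --a------ C:\WINDOWS\system32\a_m_v_o_0.dll
2008-03-30 22:31:22 103624 -r-hs---- C:\rthrw.com
2008-03-30 00:14:16 103421 -r-hs---- C:\jiwsxh39.exe
2008-03-29 00:21:02 16384 --a------ C:\WINDOWS\system32\WorkAfterReboot.exe
2008-03-28 22:13:45 103953 -r-hs---- C:\gjn2pjlw.exe
2008-03-23 02:08:30 0 d-------- C:\smitRem
2008-03-23 01:48:54 0 d-------- C:\Documents and Settings\Mahim\Application Data\Grisoft
2008-03-23 00:51:48 100883 -r-hs---- C:\cb.bat
2008-03-23 00:51:22 70656 -r-hs---- C:\WINDOWS\system32\amvo1.dll
2008-03-22 21:02:25 103704 -r-hs---- C:\WINDOWS\system32\amvo.exe
2008-03-01 19:21:36 0 d-------- C:\Documents and Settings\Mahim\Application Data\webex
"""

# Sample input: two O4 (Run key) lines from the HijackThis log in this thread.
HJT_O4_LINES = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
"""

# DSS line layout: date time size attrs path; attrs are d/r/a/h/s flags plus padding.
DSS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<attrs>[d-][r-][a-][h-][s-]-{4}) (?P<path>.+)$"
)
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$")                      # e.g. c:\q.com
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$")
HJT_O4 = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXECUTABLE = (".exe", ".com", ".bat", ".cmd", ".dll", ".scr", ".pif")


def parse_files_created(text):
    """Yield (date, size, attrs, path) for each DSS file line; other lines are ignored."""
    for line in text.splitlines():
        m = DSS_LINE.match(line.strip())
        if m:
            yield m["date"], int(m["size"]), m["attrs"], m["path"]


def triage(text):
    """Map each suspect path to the reasons it was flagged, in log order.

    Rules (this example's own): a plain file with an executable extension is
    flagged when it sits directly in a drive root, where legitimate software
    almost never drops binaries, or when it is newly created in system32.
    The read-only+hidden+system attribute set is recorded as a supporting
    reason: it is what kept these files out of view in Explorer.
    """
    findings = {}
    for _date, _size, attrs, path in parse_files_created(text):
        low = path.lower()
        if attrs[0] == "d" or not low.endswith(EXECUTABLE):
            continue
        reasons = []
        if DRIVE_ROOT.match(low):
            reasons.append("executable dropped in drive root")
        if SYSTEM32.match(low):
            reasons.append("new executable in system32")
        if not reasons:
            continue
        if attrs[1] == "r" and attrs[3] == "h" and attrs[4] == "s":
            reasons.append("read-only+hidden+system attributes")
        findings[path] = reasons
    return findings


def move_list(text):
    """The OTMoveIt paste list: one flagged path per line, in log order."""
    return list(triage(text))


def autostart_refs(hjt_text, findings):
    """Which flagged files are also launched from a Run key (HijackThis O4 lines)?"""
    refs = {}
    for line in hjt_text.splitlines():
        m = HJT_O4.match(line.strip())
        if not m:
            continue
        for path in findings:
            if path.lower() in m["cmd"].lower():
                refs.setdefault(path, []).append(m["name"])
    return refs


if __name__ == "__main__":
    found = triage(DSS_FILES_CREATED)
    for path, reasons in found.items():
        print(f"{path:50} {'; '.join(reasons)}")
    print("Run-key references:", autostart_refs(HJT_O4_LINES, found))
```

On the posted log the script reproduces the nine paths Tal listed and also reports that amvo.exe is referenced from an HKCU Run key under the name "amva", which is why the file comes back after a reboot unless the Run entry is removed as well.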

#8
mbha (Member, Topic Starter, 19 posts)
Hi Tal,

Thanks a lot for your reply.

I followed the steps given by you, and here are the logs for your reference:

Move it Log:
========
DllUnregisterServer procedure not found in C:\WINDOWS\system32\a_m_v_o_0.dll
C:\WINDOWS\system32\a_m_v_o_0.dll NOT unregistered.
C:\WINDOWS\system32\a_m_v_o_0.dll moved successfully.
C:\q.com moved successfully.
C:\rthrw.com moved successfully.
C:\jiwsxh39.exe moved successfully.
C:\WINDOWS\system32\WorkAfterReboot.exe moved successfully.
C:\gjn2pjlw.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\amvo1.dll
C:\WINDOWS\system32\amvo1.dll NOT unregistered.
C:\WINDOWS\system32\amvo1.dll moved successfully.
C:\WINDOWS\system32\amvo.exe moved successfully.
C:\cb.bat moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04032008_224502
========


Here is the DSS Main.txt:
================
Deckard's System Scanner v20071014.68
Run by Mahim on 2008-04-03 22:47:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mahim.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:35 PM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Mahim\Desktop\dss.exe
C:\DOCUME~1\Mahim\Desktop\Mahim.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.co...me/3000notebook
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/3000notebook
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.we...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4927D037-277F-4586-B3B2-3C53BF4A79F2}: NameServer = 202.56.215.6,202.56.230.6
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Collaboration Runtime Service (xmppd-jse) - Unknown owner - C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe

--
End of file - 10598 bytes

-- Files created between 2008-03-03 and 2008-04-03 -----------------------------

2008-03-31 23:30:54 70656 -r-hs---- C:\WINDOWS\system32\amvo0.dll
2008-03-23 02:08:30 0 d-------- C:\smitRem
2008-03-23 01:48:54 0 d-------- C:\Documents and Settings\Mahim\Application Data\Grisoft
2008-03-23 01:48:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-23 01:09:49 0 d-------- C:\Documents and Settings\Mahim\.housecall6.6


-- Find3M Report ---------------------------------------------------------------

2008-03-30 00:10:54 5427 --a------ C:\WINDOWS\system32\EGATHDRV.SYS <Not Verified; IBM Corporation; IBM eGatherer>
2008-03-28 22:53:48 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-28 22:52:08 0 d-------- C:\Program Files\Common Files
2008-03-21 01:35:18 0 d-------- C:\Documents and Settings\Mahim\Application Data\OpenOffice.org2
2008-03-19 22:55:11 4964 --a------ C:\Documents and Settings\Mahim\Application Data\NMM-MetaData.db
2008-03-19 22:46:50 212 --a------ C:\WINDOWS\recover.reg
2008-03-01 19:21:49 0 d-------- C:\Documents and Settings\Mahim\Application Data\webex
2008-02-27 00:45:50 0 d-------- C:\Documents and Settings\Mahim\Application Data\WordWeb
2008-02-27 00:32:46 0 d-------- C:\Program Files\WordWeb
2008-02-27 00:10:31 0 d-------- C:\Program Files\NetMeter
2008-02-26 23:46:20 0 d-------- C:\Program Files\Logtime
2008-02-26 23:37:02 0 d-------- C:\Documents and Settings\Mahim\Application Data\GetRightToGo
2008-02-15 22:03:57 0 d-------- C:\Program Files\Western Digital Technologies
2008-02-07 22:47:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-07 22:46:53 0 d-------- C:\Program Files\Canon


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown



-- End of Deckard's System Scanner: finished at 2008-04-03 22:47:57 ------------

====================================================

I am still unable to see the hidden files & folders.

When I click on C: drive, I get an error message "Choose a program to you want to use to open this file".

However, I am able to click on the DVD drive, i.e. the D: drive, and open it.

Please advise.

Thanks & Regards,
Mbha
  • 0

#9
Tal (Trusted Helper, Retired Staff, 2,138 posts)
Hello mbha,

First off, I would like to ask you NOT to connect any flash disks, cameras, or anything else that connects to the computer and has memory. Doing this may cause re-infection of your system. Now, let's continue; it seems like the infection you had previously has returned.

Step 1: Correcting entry with HijackThis

Please re-open HijackThis and click Scan. Put a check next to the following entries presented in the window: (Do NOT click Fix yet!)
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe


Now, close all other windows but HijackThis, including Explorer windows (folders) and this window, and click Fix. Note: It is vital you close all other windows, otherwise the fix will not succeed.

Restart your computer.

Step 2: Deleting file with OTMoveIt

Please re-open OTMoveIt2, which we downloaded previously.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    C:\WINDOWS\system32\amvo.exe
  • Right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2.

Step 3: Online antivirus scan

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Step 4: Registry Fix

Before we start the registry fix, we need to backup the registry in case anything goes wrong. This is a very simple and quick process :)

To backup your registry, click Start > Run > Type regedit into the box > Click OK > In the window that shows up, click File > Export... > Name the file RegistryBackup > Save it in a convenient location such as your desktop.

Please open a new Notepad document (Note: Other text editors will not work) and paste the following code into it, starting from REGEDIT4:

REGEDIT4 

[HKEY_CLASSES_ROOT\Drive]
@="Drive"
"EditFlags"=hex:d2,01,00,00

[HKEY_CLASSES_ROOT\Drive\DefaultIcon]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
  65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,38,00,00,00

[HKEY_CLASSES_ROOT\Drive\shell]
@="none"

[HKEY_CLASSES_ROOT\Drive\shell\cmd]
@="Open Command Window Here"

[HKEY_CLASSES_ROOT\Drive\shell\cmd\command]
@="cmd.exe /k \"cd %L\""

[HKEY_CLASSES_ROOT\Drive\shell\find]
"SuppressionPolicy"=dword:00000080

[HKEY_CLASSES_ROOT\Drive\shell\find\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
  65,00,00,00

[HKEY_CLASSES_ROOT\Drive\shell\find\ddeexec]
@="[FindFolder(\"%l\", %I)]"
"NoActivateHandler"=""

[HKEY_CLASSES_ROOT\Drive\shell\find\ddeexec\application]
@="Folders"

[HKEY_CLASSES_ROOT\Drive\shell\find\ddeexec\topic]
@="AppProperties"

[HKEY_CLASSES_ROOT\Drive\shellex]

[HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\ImagePreview]
@="{02A62A55-544C-42CD-8EE0-F364E8338D3D}"

[HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\Sharing]
@="{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"

[HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\{59099400-57FF-11CE-BD94-0020AF85B590}]

[HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
@=""

[HKEY_CLASSES_ROOT\Drive\shellex\DragDropHandlers]

[HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions]

[HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
@=""
"DriveMask"=dword:00000020

[HKEY_CLASSES_ROOT\Drive\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\Drive\shellex\PropertySheetHandlers\Sharing]
@="{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"

[HKEY_CLASSES_ROOT\Drive\shellex\PropertySheetHandlers\ShellExtensionPropSheet]
@="{A464F9AE-3108-4A4B-AA37-F7546589D961}"

[HKEY_CLASSES_ROOT\Drive\shellex\PropertySheetHandlers\{1F2E5C40-9550-11CE-99D2-00AA006E086C}]

[HKEY_CLASSES_ROOT\Drive\shellex\PropertySheetHandlers\{7988B573-EC89-11cf-9C00-00AA00A14F56}]
@=""

[HKEY_CLASSES_ROOT\Drive\shellex\PropertySheetHandlers\{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}]

[HKEY_CLASSES_ROOT\Drive\shellex\PropertySheetHandlers\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
@=""

Now, click File > Save As... > Change the File Type to All Files > Name the file RegFix2.reg > Save it on your desktop.

Once you've saved it, please double click it. A window should pop up - Click Yes to merge the information with the registry.

Please include a new DSS log in your next reply, as well as the OTMoveIt log and the Kaspersky log :)

Tal
  • 0
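What the RegFix2.reg in the reply above does is rewrite the HKEY_CLASSES_ROOT\Drive class: the shell default verb becomes "none" (so Explorer opens the drive itself), and the icon and the find verb point back at shell32.dll and Explorer.exe, stored as hex(2) REG_EXPAND_SZ values that are unreadable at a glance. As an added example, not part of this thread or of any tool mentioned in it, the following Python script parses REGEDIT4 syntax, decodes those values so the reader can see what they contain, and reports any Drive verb whose command runs something other than the built-in shell programs. The trust rule is the example's own assumption, and the "hijacked" input is constructed for the detector check, not taken from the infected machine.

```python
"""Parser for REGEDIT4-format .reg files, used to show what the HKCR Drive
fix posted in this thread writes.  Added example, not part of Windows or of
any tool named in the thread.  REG_FIX is an excerpt of the posted fix;
REG_HIJACKED is constructed for the detector check.
"""
import re

# Excerpt of the RegFix2.reg posted above; continuation lines end in a backslash.
REG_FIX = r'''
REGEDIT4

[HKEY_CLASSES_ROOT\Drive]
@="Drive"
"EditFlags"=hex:d2,01,00,00

[HKEY_CLASSES_ROOT\Drive\DefaultIcon]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
  65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,38,00,00,00

[HKEY_CLASSES_ROOT\Drive\shell]
@="none"

[HKEY_CLASSES_ROOT\Drive\shell\cmd\command]
@="cmd.exe /k \"cd %L\""

[HKEY_CLASSES_ROOT\Drive\shell\find\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
  65,00,00,00
'''

# Constructed counter-example (not from the thread): a Drive verb that runs a
# file sitting in the drive root, which is what a detector should report.
REG_HIJACKED = r'''
REGEDIT4

[HKEY_CLASSES_ROOT\Drive\shell]
@="open"

[HKEY_CLASSES_ROOT\Drive\shell\open\command]
@="C:\\q.com"
'''


def decode_value(data):
    """Decode the right-hand side of a REGEDIT4 value line into (type, value)."""
    if data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", re.sub(r'\\(["\\])', r"\1", data[1:-1]))  # unescape \" and \\
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[len("dword:"):], 16))
    m = re.fullmatch(r"hex(?:\((\d+)\))?:([0-9a-fA-F,]*)", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "2":  # hex(2) is REG_EXPAND_SZ: UTF-16LE text, NUL terminated
            return ("REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\0"))
        return ("REG_BINARY", raw)
    raise ValueError(f"unsupported value syntax: {data!r}")


def parse_reg(text):
    """Return {key: {value name: (type, value)}}; the default value is named '(Default)'."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)  # a trailing backslash continues the value
    keys, current = {}, None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, data = line.partition("=")
        keys[current]["(Default)" if name == "@" else name.strip('"')] = decode_value(data)
    return keys


def program_of(command):
    """First token of a shell command string, honouring double quotes."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0] if command else ""


def suspicious_verbs(keys, base=r"HKEY_CLASSES_ROOT\Drive\shell"):
    """Drive verbs whose command runs something other than the built-in shell programs.
    Trust rule (this example's own): cmd.exe, explorer.exe, or any path under
    %SystemRoot%/%windir% is fine; anything else is reported as (verb, program)."""
    out = []
    for key, values in keys.items():
        k = key.lower()
        if not k.startswith(base.lower() + "\\") or not k.endswith("\\command"):
            continue
        if "(Default)" not in values:
            continue
        prog = program_of(values["(Default)"][1]).lower()
        if prog in ("cmd.exe", "explorer.exe") or prog.startswith(("%systemroot%\\", "%windir%\\")):
            continue
        out.append((key[len(base) + 1:].split("\\")[0], prog))
    return out


if __name__ == "__main__":
    for key, values in parse_reg(REG_FIX).items():
        print(key, values)
    print("suspicious verbs in the fix:", suspicious_verbs(parse_reg(REG_FIX)))
```

Decoding shows the two hex(2) blobs are simply `%SystemRoot%\System32\shell32.dll,8` and `%SystemRoot%\Explorer.exe`, so the fix contains nothing beyond the stock XP Drive class; the same parser run over the constructed input reports the `open` verb, which is the kind of entry to look for when double-clicking a drive produces the "Choose a program" prompt described earlier in the thread.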

#10
mbha (Member, Topic Starter, 19 posts)
Hi Tal,

I performed the steps given by you.

Here are the logs:

OTMoveIt2 Log
=========
File/Folder C:\WINDOWS\system32\amvo.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04052008_235447


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, April 06, 2008 2:28:58 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/04/2008
Kaspersky Anti-Virus database records: 685135
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 83051
Number of viruses found: 13
Number of infected objects: 59
Number of suspicious objects: 0
Duration of the scan process: 01:34:49

Infected Object Name / Virus Name / Last Action
C:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.zex skipped
C:\Deckard\System Scanner\20080403224731\backup\DOCUME~1\Mahim\LOCALS~1\Temp\4vepxtuf.dll Infected: Trojan-PSW.Win32.OnLineGames.yky skipped
C:\Deckard\System Scanner\20080403224731\backup\DOCUME~1\Mahim\LOCALS~1\Temp\5o.dll Infected: Trojan-PSW.Win32.OnLineGames.yqo skipped
C:\Deckard\System Scanner\20080403224731\backup\DOCUME~1\Mahim\LOCALS~1\Temp\5qno.dll Infected: Trojan-PSW.Win32.OnLineGames.yoi skipped
C:\Deckard\System Scanner\20080403224731\backup\DOCUME~1\Mahim\LOCALS~1\Temp\cmctva4c.dll Infected: Worm.Win32.AutoRun.des skipped
C:\Documents and Settings\All Users\Application Data\Lenovo\messages\logs\lf000.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mahim\Application Data\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Mahim\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mahim\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Mahim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mahim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mahim\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mahim\Local Settings\History\History.IE5\MSHist012008040620080407\index.dat Object is locked skipped
C:\Documents and Settings\Mahim\Local Settings\Temp\54j.dll Infected: Trojan-PSW.Win32.OnLineGames.zex skipped
C:\Documents and Settings\Mahim\Local Settings\Temp\cmctva4c.dll Infected: Worm.Win32.AutoRun.des skipped
C:\Documents and Settings\Mahim\Local Settings\Temp\~DF23D2.tmp Object is locked skipped
C:\Documents and Settings\Mahim\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mahim\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mahim\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mahim\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Softex\OmniPass\btype0.dat Object is locked skipped
C:\Program Files\Softex\OmniPass\btype1.dat Object is locked skipped
C:\Program Files\Softex\OmniPass\btype2.dat Object is locked skipped
C:\Program Files\Softex\OmniPass\btype256.dat Object is locked skipped
C:\Program Files\Softex\OmniPass\btype259.dat Object is locked skipped
C:\Program Files\Softex\OmniPass\btype3.dat Object is locked skipped
C:\Program Files\Softex\OmniPass\btype4.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0023137.dll Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0023146.exe Infected: Backdoor.Win32.PcClient.wi skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0023481.exe Infected: Trojan-PSW.Win32.OnLineGames.wde skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0023483.dll Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0023497.dll Infected: Trojan-PSW.Win32.OnLineGames.wdc skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0023499.bat Infected: Trojan-PSW.Win32.OnLineGames.wde skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0023500.inf Infected: Trojan-PSW.Win32.OnLineGames.wev skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0023527.bat Infected: Trojan-PSW.Win32.OnLineGames.wde skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0023528.inf Infected: Trojan-PSW.Win32.OnLineGames.wev skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0023529.exe Infected: Trojan-PSW.Win32.OnLineGames.wde skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0023530.dll Infected: Trojan-PSW.Win32.OnLineGames.wdc skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0023543.exe Infected: Email-Worm.Win32.Brontok.q skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0023544.exe Infected: Email-Worm.Win32.Brontok.q skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0023936.dll Infected: Trojan-PSW.Win32.OnLineGames.wdc skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0023938.exe Infected: Trojan-PSW.Win32.OnLineGames.yky skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0023939.inf Infected: Trojan-PSW.Win32.OnLineGames.yky skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024053.dll Infected: Trojan-PSW.Win32.OnLineGames.yld skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024056.exe Infected: Trojan-PSW.Win32.OnLineGames.yky skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024057.inf Infected: Trojan-PSW.Win32.OnLineGames.yky skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024077.dll Infected: Trojan-PSW.Win32.OnLineGames.yld skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024084.exe Infected: Trojan-PSW.Win32.OnLineGames.yky skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024085.inf Infected: Trojan-PSW.Win32.OnLineGames.yky skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024109.dll Infected: Trojan-PSW.Win32.OnLineGames.yld skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024116.exe Infected: Trojan-PSW.Win32.OnLineGames.yky skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024117.inf Infected: Trojan-PSW.Win32.OnLineGames.yky skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024118.exe Infected: Trojan-PSW.Win32.OnLineGames.yky skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024119.dll Infected: Trojan-PSW.Win32.OnLineGames.yld skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024141.dll Infected: Trojan-PSW.Win32.OnLineGames.yld skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024145.exe Infected: Trojan-PSW.Win32.OnLineGames.yoi skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024146.inf Infected: Trojan-PSW.Win32.OnLineGames.yoi skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024148.exe Infected: Trojan-PSW.Win32.OnLineGames.yoi skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024149.dll Infected: Trojan-PSW.Win32.OnLineGames.yoi skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024172.com Infected: Trojan-PSW.Win32.OnLineGames.yqo skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024177.exe Infected: Trojan-PSW.Win32.OnLineGames.yqo skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024178.dll Infected: Trojan-PSW.Win32.OnLineGames.yqo skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024185.dll Infected: Trojan-PSW.Win32.OnLineGames.yqo skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024225.exe Infected: Worm.Win32.AutoRun.des skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024226.com Infected: Worm.Win32.AutoRun.des skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024227.inf Infected: Worm.Win32.AutoRun.des skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024249.dll Infected: Worm.Win32.AutoRun.des skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024250.com Infected: Worm.Win32.AutoRun.des skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024251.inf Infected: Worm.Win32.AutoRun.des skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\A0024254.exe Infected: Worm.Win32.AutoRun.des skipped
C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP61\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\amvo0.dll Infected: Trojan-PSW.Win32.OnLineGames.zda skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_2b8.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\04032008_224502\cb.bat Infected: Trojan-PSW.Win32.OnLineGames.wde skipped
C:\_OTMoveIt\MovedFiles\04032008_224502\gjn2pjlw.exe Infected: Trojan-PSW.Win32.OnLineGames.yky skipped
C:\_OTMoveIt\MovedFiles\04032008_224502\jiwsxh39.exe Infected: Trojan-PSW.Win32.OnLineGames.yoi skipped
C:\_OTMoveIt\MovedFiles\04032008_224502\q.com Infected: Worm.Win32.AutoRun.des skipped
C:\_OTMoveIt\MovedFiles\04032008_224502\rthrw.com Infected: Trojan-PSW.Win32.OnLineGames.yqo skipped
C:\_OTMoveIt\MovedFiles\04032008_224502\WINDOWS\system32\amvo.exe Infected: Trojan-PSW.Win32.OnLineGames.zex skipped
C:\_OTMoveIt\MovedFiles\04032008_224502\WINDOWS\system32\amvo1.dll Infected: Worm.Win32.AutoRun.des skipped
C:\_OTMoveIt\MovedFiles\04032008_224502\WINDOWS\system32\a_m_v_o_0.dll Infected: Trojan-PSW.Win32.OnLineGames.yqo skipped

Scan process completed.
============================================

Deckard's System Scanner v20071014.68
Run by Mahim on 2008-04-06 02:31:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mahim.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:31:50 AM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Mahim\Desktop\dss.exe
C:\DOCUME~1\Mahim\Desktop\Mahim.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.co...me/3000notebook
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/3000notebook
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.we...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4927D037-277F-4586-B3B2-3C53BF4A79F2}: NameServer = 202.56.215.6,202.56.230.6
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Collaboration Runtime Service (xmppd-jse) - Unknown owner - C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe

--
End of file - 10624 bytes

-- Files created between 2008-03-06 and 2008-04-06 -----------------------------

2008-04-05 23:57:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-05 23:57:22 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-05 23:57:20 0 d-------- C:\WINDOWS\LastGood
2008-03-31 23:30:54 70656 -r-hs---- C:\WINDOWS\system32\amvo0.dll
2008-03-23 02:08:30 0 d-------- C:\smitRem
2008-03-23 01:48:54 0 d-------- C:\Documents and Settings\Mahim\Application Data\Grisoft
2008-03-23 01:48:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-23 01:09:49 0 d-------- C:\Documents and Settings\Mahim\.housecall6.6


-- Find3M Report ---------------------------------------------------------------

2008-04-06 00:00:00 5427 --a------ C:\WINDOWS\system32\EGATHDRV.SYS <Not Verified; IBM Corporation; IBM eGatherer>
2008-03-28 22:53:48 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-28 22:52:08 0 d-------- C:\Program Files\Common Files
2008-03-21 01:35:18 0 d-------- C:\Documents and Settings\Mahim\Application Data\OpenOffice.org2
2008-03-19 22:55:11 4964 --a------ C:\Documents and Settings\Mahim\Application Data\NMM-MetaData.db
2008-03-19 22:46:50 212 --a------ C:\WINDOWS\recover.reg
2008-03-01 19:21:49 0 d-------- C:\Documents and Settings\Mahim\Application Data\webex
2008-02-27 00:45:50 0 d-------- C:\Documents and Settings\Mahim\Application Data\WordWeb
2008-02-27 00:32:46 0 d-------- C:\Program Files\WordWeb
2008-02-27 00:10:31 0 d-------- C:\Program Files\NetMeter
2008-02-26 23:46:20 0 d-------- C:\Program Files\Logtime
2008-02-26 23:37:02 0 d-------- C:\Documents and Settings\Mahim\Application Data\GetRightToGo
2008-02-15 22:03:57 0 d-------- C:\Program Files\Western Digital Technologies
2008-02-07 22:47:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-07 22:46:53 0 d-------- C:\Program Files\Canon


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown



-- End of Deckard's System Scanner: finished at 2008-04-06 02:32:00 ------------

=====================================================

Although I don't remember adding any memory device recently, I will be more careful until I get a go-ahead from you.

Thanks,
MBHA
  • 0


#11
Tal

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hello mbha,

How is the computer doing? Do you experience any of the issues you've mentioned in your previous posts anymore?

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

  • Please double-click OTMoveIt2.exe (where you've saved it) to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\amvo0.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Also, please navigate to the C:/ drive and right click on a file named autorun.inf > Choose 'Open With' > Click on 'Notepad'. Copy the contents of that file in your next reply.

Include the autorun.inf contents, OTMoveIt log and a new DSS log in your next reply :)

Edited by landlord, 06 April 2008 - 11:21 AM.

  • 0
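A way to triage the autorun.inf Tal asks for above without reading it by eye (added example code, not part of the thread or any tool named in it): it parses the INI-style file, ignores the `;` comment padding that autorun worms sprinkle between the real keys, lists which commands would run on AutoPlay or via Explorer's shell verbs, and measures how much of the file is padding. The sample file text and the executable name `example_worm.exe` are constructed.

```python
"""Triage an autorun.inf: report the commands it would launch.

Added example, not from the thread. SAMPLE_AUTORUN is constructed in the
comment-padded style of autorun worms; the executable name is made up.
"""
import re
from typing import Dict, List

# Constructed sample: junk ';' comment lines interleaved with the real keys.
SAMPLE_AUTORUN = """;zz9qAkdj3lsk2q0aKdl93nq13k3eS2wp4J42l3r
[AutoRun]
;kq23e4siwLd2332kq
open=example_worm.exe
;KlkwqLkKUr4aqAa3713SZOoZLwsl0kqdl329dLol2Dd24paw24kp0kK3k4a33sfJS1Sw7wp9L
shell\\open\\Command=example_worm.exe
shell\\open\\Default=1
;oA931dK340ro9lJq5sdLrla5r4jkSi127ale7ls3o1kwdZAsas02D
shell\\explore\\Command=example_worm.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# Keys under [AutoRun] that execute code: 'open'/'shellexecute' on AutoPlay,
# and shell\<verb>\command for the Explorer context-menu verbs (Open, Explore...).
LAUNCH_KEYS = ("open", "shellexecute")
VERB_RE = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key->value pairs from the [AutoRun] section.

    ';' comment lines, blank lines and lines without '=' are dropped, so the
    random padding lines (and forum line-wrap fragments) do not interfere.
    Keys are lower-cased because INI keys are case-insensitive on Windows.
    """
    values: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    return values


def launched_commands(values: Dict[str, str]) -> List[str]:
    """Commands that would run on AutoPlay or when a shell verb is chosen."""
    found: List[str] = []
    for key, value in values.items():
        if key in LAUNCH_KEYS or VERB_RE.match(key):
            found.append(f"{key} -> {value}")
    return found


def comment_padding_ratio(text: str) -> float:
    """Fraction of non-blank lines that are ';' comments.

    A legitimate CD autorun.inf has few or no comments; a value near 0.5 is
    the padding pattern seen in the worm's file.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return 0.0
    comments = sum(1 for ln in lines if ln.startswith(";"))
    return comments / len(lines)


if __name__ == "__main__":
    parsed = parse_autorun(SAMPLE_AUTORUN)
    for cmd in launched_commands(parsed):
        print(cmd)
    print(f"comment padding: {comment_padding_ratio(SAMPLE_AUTORUN):.0%}")
```

To check a real file, read it with `open(r"X:\autorun.inf", encoding="latin-1").read()` from a machine that is not auto-running the volume and pass the text to `parse_autorun`.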

#12
mbha

mbha

    Member

  • Topic Starter
  • Member
  • 19 posts
Hi Tal,

Ran ATF cleaner as per your comments.
--------------
Moved amvo0.dll and here is the log for your reference:
DllUnregisterServer procedure not found in C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo0.dll NOT unregistered.
C:\WINDOWS\system32\amvo0.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04072008_001857

--------------
Here are the contents of autorun.inf when opened using Notepad:
;wwrs7qaAiepkis4A44s78ass3i4i3D5aKoiDoisjqld95nq13k3eS2wp4J42l3rLsaI3f0la20
[AutoRun]
;ij1possKjq23e4siwLd2332kq
open=ranvrgn.exe
;KlkwqLkKUr4aqAa3713SZOoZLwsl0kqdl329dLol2Dd24paw24kp0kK3k4a33sfJS1Sw7wp9LqqLsdl
jjXJd542coHJJLawa23os822ssaAliaskeA
shell\open\Command=ranvrgn.exe
;aas2waaca33Dd01KKiaX724kk91rokS2slI2oOsisrwsqeLf1KDs3eqekkA5kZ4woi3D4wKL6rfl9L1
Do3jLdK2fClr2fAJwDlo0As
shell\open\Default=1
;oA931dK340ro9lJq5sdLrla5r4jkSi127ale7ls3o1kwdZAsas02D
shell\explore\Command=ranvrgn.exe
;llwwjLsspJ4a3jff4wk24kJswKolnkd2Kes3Xe7Ld3akKk3liqdlqkjf2adLoDAlmA2iD
---------------

Here is latest DSS log:
---------------
Deckard's System Scanner v20071014.68
Run by Mahim on 2008-04-07 00:26:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mahim.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:15 AM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Documents and Settings\Mahim\Desktop\dss.exe
C:\DOCUME~1\Mahim\Desktop\Mahim.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.co...me/3000notebook
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/3000notebook
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.we...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4927D037-277F-4586-B3B2-3C53BF4A79F2}: NameServer = 202.56.215.6,202.56.230.6
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Collaboration Runtime Service (xmppd-jse) - Unknown owner - C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe

--
End of file - 10780 bytes

-- Files created between 2008-03-07 and 2008-04-07 -----------------------------

2008-04-05 23:57:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-05 23:57:22 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-23 02:08:30 0 d-------- C:\smitRem
2008-03-23 01:48:54 0 d-------- C:\Documents and Settings\Mahim\Application Data\Grisoft
2008-03-23 01:48:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-23 01:09:49 0 d-------- C:\Documents and Settings\Mahim\.housecall6.6


-- Find3M Report ---------------------------------------------------------------

2008-04-06 00:00:00 5427 --a------ C:\WINDOWS\system32\EGATHDRV.SYS <Not Verified; IBM Corporation; IBM eGatherer>
2008-03-28 22:53:48 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-28 22:52:08 0 d-------- C:\Program Files\Common Files
2008-03-21 01:35:18 0 d-------- C:\Documents and Settings\Mahim\Application Data\OpenOffice.org2
2008-03-19 22:55:11 4964 --a------ C:\Documents and Settings\Mahim\Application Data\NMM-MetaData.db
2008-03-19 22:46:50 212 --a------ C:\WINDOWS\recover.reg
2008-03-01 19:21:49 0 d-------- C:\Documents and Settings\Mahim\Application Data\webex
2008-02-27 00:45:50 0 d-------- C:\Documents and Settings\Mahim\Application Data\WordWeb
2008-02-27 00:32:46 0 d-------- C:\Program Files\WordWeb
2008-02-27 00:10:31 0 d-------- C:\Program Files\NetMeter
2008-02-26 23:46:20 0 d-------- C:\Program Files\Logtime
2008-02-26 23:37:02 0 d-------- C:\Documents and Settings\Mahim\Application Data\GetRightToGo
2008-02-15 22:03:57 0 d-------- C:\Program Files\Western Digital Technologies
2008-02-07 22:47:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-07 22:46:53 0 d-------- C:\Program Files\Canon


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown



-- End of Deckard's System Scanner: finished at 2008-04-07 00:26:26 ------------

I am still facing the old problems, like being unable to view hidden files and folders and being unable to open the C: drive by clicking it in Windows Explorer.
Yesterday, as per your suggestion, I performed an online scan using KASPERSKY ONLINE SCANNER, and it reported that the system was infected with 13 viruses and that 59 objects were infected. I hope you have seen the log in this thread. Please advise.

Thanks & Regards,
Mahim

#13 Tal (Trusted Helper, Retired Staff, 2,138 posts)
Hi mbha,

Yesterday as per your suggestion, I had performed online scan using KASPERSKY ONLINE SCANNER and it had reported that system was infected with 13 virus and 59 objects were infected. I hope you must have seen the log in this thread. Please advise.


Not everything that Kaspersky marks as 'infected' is actually a virus. Most of the infections Kaspersky found were in the System Restore folder. This means that when Windows created a restore point, it 'saved' the infections with it. There is no reason to worry about these, though, because they cannot hurt your system from that folder. We can flush the old restore points once your computer is clean. As for the rest of the infections, they were cleaned when we ran ATF previously. ATF empties the Temporary File folders, where you had several infected files :)

Now, let's run a rootkit scan, since I suspect something deeper here that prevents me from fixing your problems using a registry fix.

Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has finished, click Copy and paste the results (if any) into this thread.

#14 mbha (Topic Starter, Member, 19 posts)
Hi Tal,

Thanks a lot for giving me some insight about the Kaspersky scan.

Here is the GMER log for your reference.
-----------------------------------------------
GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-04-10 02:09:58
Windows 5.1.2600 Service Pack 2

.text ...

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!DialogBoxParamW 7E425F8F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!DialogBoxIndirectParamW 7E432062 5 Bytes JMP 430A17EF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!MessageBoxIndirectA 7E43A06A 5 Bytes JMP 430A1770 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!DialogBoxParamA 7E43B12C 5 Bytes JMP 430A17B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!MessageBoxExW 7E450750 5 Bytes JMP 430A16FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!MessageBoxExA 7E450774 5 Bytes JMP 430A1736 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!DialogBoxIndirectParamA 7E456CD0 5 Bytes JMP 430A182A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!MessageBoxIndirectW 7E466425 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel code sections - GMER 1.0.14 ----

.text win32k.sys!HT_ComputeRGBGammaTable + FFE82240 BF800393 1 Byte [ B5 ]
.text win32k.sys!HT_ComputeRGBGammaTable + FFE822C6 BF800419 1 Byte [ C1 ]
.text win32k.sys!HT_ComputeRGBGammaTable + FFE822CB BF80041E 1 Byte [ E6 ]
.text win32k.sys!HT_ComputeRGBGammaTable + FFE822DA BF80042D 2 Bytes [ 06, 38 ]
.text win32k.sys!HT_ComputeRGBGammaTable + FFE822DF BF800432 1 Byte [ F4 ]
.text win32k.sys!EngAcquireSemaphore + D BF80657D 24 Bytes [ 48, 1C, 8B, 4D, 08, E8, BE, ... ]
.text win32k.sys!EngAcquireSemaphore + 26 BF806596 47 Bytes CALL BF801959 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngAcquireSemaphore + 56 BF8065C6 47 Bytes [ FF, 55, 8B, EC, 83, EC, 0C, ... ]
.text win32k.sys!EngAcquireSemaphore + 87 BF8065F7 12 Bytes [ 0F, 85, EF, 00, 00, 00, 8B, ... ]
.text win32k.sys!EngAcquireSemaphore + 94 BF806604 12 Bytes [ 89, 03, 8B, 06, 8B, 48, 2C, ... ]
.text win32k.sys!EngFreeUserMem + 2 BF809B56 8 Bytes [ FF, 5F, 8B, C6, 5E, 5B, C9, ... ]
.text win32k.sys!EngFreeUserMem + C BF809B60 20 Bytes [ 85, DB, 75, EC, 6A, 01, 8B, ... ]
.text win32k.sys!EngFreeUserMem + 21 BF809B75 44 Bytes [ FF, 55, 8B, EC, 83, EC, 14, ... ]
.text win32k.sys!EngFreeUserMem + 4E BF809BA2 111 Bytes CALL BF8FAE87 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngFreeUserMem + BE BF809C12 96 Bytes CALL BF805A84 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngDeleteSurface + 2F BF813AD1 57 Bytes [ FF, 8B, C7, 5F, 5B, 5E, C9, ... ]
.text win32k.sys!EngDeleteSurface + 69 BF813B0B 38 Bytes [ 11, 68, 20, 4E, 00, 00, FF, ... ]
.text win32k.sys!EngDeleteSurface + 90 BF813B32 25 Bytes [ 00, 89, 45, FC, 8D, 4D, E4, ... ]
.text win32k.sys!EngDeleteSurface + AA BF813B4C 5 Bytes [ 87, 33, C0, EB, 83 ]
.text win32k.sys!EngDeleteSurface + B0 BF813B52 58 Bytes [ 90, 90, 90, 90, 8B, FF, 56, ... ]
.text win32k.sys!EngNineGrid + 8F BF81729C 121 Bytes JMP 80538BD0 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text win32k.sys!EngNineGrid + 109 BF817316 56 Bytes [ D9, 8B, 53, 18, 8B, 4B, 08, ... ]
.text win32k.sys!EngNineGrid + 142 BF81734F 86 Bytes [ 73, 1C, 0F, AF, 30, C1, E6, ... ]
.text win32k.sys!EngNineGrid + 199 BF8173A6 4 Bytes [ D8, 03, 45, E8 ]
.text win32k.sys!EngNineGrid + 19E BF8173AB 61 Bytes [ 4D, F4, 0F, AF, D0, F7, DA, ... ]
.text win32k.sys!EngTransparentBlt + C BF819330 51 Bytes [ FF, 55, 8B, EC, 81, EC, 0C, ... ]
.text win32k.sys!EngTransparentBlt + 41 BF819365 10 Bytes [ A5, 8B, F1, 8B, 4B, 0C, 8D, ... ]
.text win32k.sys!EngTransparentBlt + 4C BF819370 18 Bytes [ 50, A5, 50, 89, 4D, 08, 53, ... ]
.text win32k.sys!EngTransparentBlt + 5F BF819383 2 Bytes [ 8B, 46 ]
.text win32k.sys!EngTransparentBlt + 62 BF819386 9 Bytes [ 33, FF, 57, 57, 56, 8D, 4D, ... ]
.text win32k.sys!EngCreateDeviceBitmap + D BF8198B5 10 Bytes [ 55, 8B, EC, 68, EF, BE, AD, ... ]
.text win32k.sys!EngCreateDeviceBitmap + 19 BF8198C1 1 Byte [ 14 ]
.text win32k.sys!EngCreateDeviceBitmap + 1B BF8198C3 4 Bytes [ 00, FF, 75, 10 ]
.text win32k.sys!EngCreateDeviceBitmap + 20 BF8198C8 11 Bytes [ 75, 0C, FF, 75, 08, 6A, 03, ... ]
.text win32k.sys!EngCreateDeviceBitmap + 2C BF8198D4 27 Bytes [ 5D, C2, 10, 00, 90, 90, 90, ... ]
.text win32k.sys!EngAssociateSurface + 55 BF8199C5 30 Bytes [ FF, FF, 85, C0, 75, 21, E8, ... ]
.text win32k.sys!EngAssociateSurface + 74 BF8199E4 39 Bytes CALL BF8198DA \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngAssociateSurface + 9C BF819A0C 47 Bytes [ 8B, C7, 5E, 5B, 5F, 5D, C2, ... ]
.text win32k.sys!EngRestoreFloatingPointState + 29 BF819A3C 27 Bytes [ 0F, 9D, C1, 8B, C1, 5D, C2, ... ]
.text win32k.sys!EngSaveFloatingPointState + 11 BF819A58 118 Bytes [ EC, 20, 56, 8B, 75, 08, 85, ... ]
.text win32k.sys!EngQueryPerformanceCounter + 2B BF819AD1 49 Bytes [ 90, 90, 33, C0, 40, C3, 90, ... ]
.text win32k.sys!EngQueryPerformanceCounter + 5E BF819B04 79 Bytes [ 85, C0, 7C, DB, FF, 75, E4, ... ]
.text win32k.sys!EngQueryPerformanceCounter + AE BF819B54 49 Bytes [ 06, 83, 4D, FC, FF, EB, C8, ... ]
.text win32k.sys!EngQueryPerformanceCounter + E0 BF819B86 18 Bytes [ C5, 98, BF, 3B, 05, 30, 9F, ... ]
.text win32k.sys!EngQueryPerformanceCounter + F3 BF819B99 15 Bytes [ 8B, 0E, FF, 15, C0, C3, 98, ... ]
.text win32k.sys!BRUSHOBJ_pvGetRbrush + 21 BF81B649 15 Bytes [ FE, FF, C2, 18, 00, 33, C0, ... ]
.text win32k.sys!BRUSHOBJ_pvGetRbrush + 31 BF81B659 39 Bytes [ 55, 8B, EC, 56, 8B, F1, 8B, ... ]
.text win32k.sys!BRUSHOBJ_pvGetRbrush + 59 BF81B681 85 Bytes [ 85, C0, 75, 30, 8B, 46, 34, ... ]
.text win32k.sys!BRUSHOBJ_pvGetRbrush + AF BF81B6D7 31 Bytes [ FF, 55, 8B, EC, 56, 8B, 75, ... ]
.text win32k.sys!BRUSHOBJ_pvGetRbrush + CF BF81B6F7 10 Bytes [ 33, D2, 42, FF, 15, 2C, C4, ... ]
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 4 BF81B724 54 Bytes [ 48, 18, 89, 4E, 48, 89, 7E, ... ]
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 3B BF81B75B 3 Bytes CALL 4581B6A4
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 3F BF81B75F 14 Bytes JMP EB047089
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 4E BF81B76E 61 Bytes [ FF, 55, 8B, EC, 83, 3D, 48, ... ]
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 8C BF81B7AC 7 Bytes [ EB, A3, 8B, F0, E9, A0, 00 ]
.text win32k.sys!EngMulDiv + 4 BF81F6BF 1 Byte [ D0 ]
.text win32k.sys!EngMulDiv + 6 BF81F6C1 57 Bytes CALL BF8019B7 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngMulDiv + 40 BF81F6FB 38 Bytes [ FF, 7F, EB, 5F, F7, DE, F7, ... ]
.text win32k.sys!EngMulDiv + 67 BF81F722 13 Bytes [ 4D, 10, 85, C9, 74, C9, 7C, ... ]
.text win32k.sys!EngMulDiv + 75 BF81F730 130 Bytes [ F8, 8B, DA, 8B, C1, 99, 2B, ... ]
.text win32k.sys!EngSetLastError + 4 BF821221 63 Bytes [ 51, 08, 3B, 50, 08, 75, 17, ... ]
.text win32k.sys!EngSetLastError + 44 BF821261 79 Bytes [ 8B, C6, 5E, 5D, C2, 08, 00, ... ]
.text win32k.sys!EngSetLastError + 94 BF8212B1 309 Bytes [ 55, 8B, EC, 83, EC, 0C, 8B, ... ]
.text win32k.sys!EngSetLastError + 1CA BF8213E7 14 Bytes [ EC, 8B, 45, 10, 03, C0, 89, ... ]
.text win32k.sys!EngSetLastError + 1DA BF8213F7 108 Bytes [ 6A, 00, 6A, 00, FF, 75, 08, ... ]
.text win32k.sys!CLIPOBJ_cEnumStart + 4 BF828E4C 12 Bytes [ 32, 05, 10, 02, 00, 00, 85, ... ]
.text win32k.sys!CLIPOBJ_cEnumStart + 11 BF828E59 25 Bytes [ 02, 00, 00, 85, C0, 74, 16, ... ]
.text win32k.sys!CLIPOBJ_bEnum + 9 BF828E73 42 Bytes [ 01, 89, 02, 5E, 5D, C2, 08, ... ]
.text win32k.sys!CLIPOBJ_bEnum + 34 BF828E9E 19 Bytes [ 75, 18, 8B, 4D, 08, FF, 75, ... ]
.text win32k.sys!CLIPOBJ_bEnum + 49 BF828EB3 1 Byte [ 14 ]
.text win32k.sys!CLIPOBJ_bEnum + 4B BF828EB5 34 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text win32k.sys!CLIPOBJ_bEnum + 6E BF828ED8 37 Bytes [ 55, 8B, EC, 8B, 45, 0C, 56, ... ]
.text win32k.sys!EngLpkInstalled + 1 BF82A3DE 98 Bytes [ 91, AC, 00, 00, 00, 8B, 45, ... ]
.text win32k.sys!EngLpkInstalled + 64 BF82A441 1 Byte [ 94 ]
.text win32k.sys!EngLpkInstalled + 66 BF82A443 1 Byte [ 10 ]
.text win32k.sys!EngLpkInstalled + 68 BF82A445 17 Bytes [ 0F, 95, C0, C3, 90, 90, 90, ... ]
.text win32k.sys!EngLpkInstalled + 7B BF82A458 43 Bytes [ 00, 8B, 91, B0, 00, 00, 00, ... ]
.text win32k.sys!EngBitBlt + 3A BF82BEE7 56 Bytes CALL BF831413 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngBitBlt + 73 BF82BF20 31 Bytes [ 23, F0, 8B, 45, 10, 8D, 50, ... ]
.text win32k.sys!EngBitBlt + 93 BF82BF40 85 Bytes [ FF, 8B, 47, 1C, 3B, C2, 74, ... ]
.text win32k.sys!EngBitBlt + E9 BF82BF96 35 Bytes [ 6A, 00, 51, FF, 75, 14, FF, ... ]
.text win32k.sys!EngBitBlt + 10D BF82BFBA 19 Bytes [ F7, D8, 6A, 00, 1B, C0, 50, ... ]
.text win32k.sys!EngPaint BF82CD44 15 Bytes [ 90, 90, 90, 90, 8B, FF, 55, ... ]
.text win32k.sys!EngPaint + 10 BF82CD54 28 Bytes [ FE, C0, 80, 7D, 0C, 01, 74, ... ]
.text win32k.sys!EngPaint + 2D BF82CD71 40 Bytes [ 55, 8B, EC, 8B, 45, 08, 8B, ... ]
.text win32k.sys!EngPaint + 56 BF82CD9A 84 Bytes [ 90, 90, 90, 90, 8B, FF, 55, ... ]
.text win32k.sys!EngPaint + AB BF82CDEF 8 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text win32k.sys!EngUnlockSurface + 68 BF833CDD 40 Bytes [ 4E, 04, 6A, 00, B2, 05, E8, ... ]
.text win32k.sys!EngLockSurface BF833D07 3 Bytes [ 90, 90, 90 ]
.text win32k.sys!EngLockSurface + 4 BF833D0B 7 Bytes [ FF, 56, 8B, F1, 81, E6, FF ]
.text win32k.sys!EngLockSurface + C BF833D13 35 Bytes [ 00, 00, 33, C0, 3B, 35, 6C, ... ]
.text win32k.sys!EngLockSurface + 30 BF833D37 34 Bytes [ 06, 5E, C2, 04, 00, 90, 90, ... ]
.text win32k.sys!EngLockSurface + 53 BF833D5A 7 Bytes [ EB, F8, 90, 90, 90, 90, 90 ]
.text win32k.sys!EngCopyBits + 2 BF836B07 61 Bytes JMP BF836D36 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCopyBits + 40 BF836B45 26 Bytes [ FF, FF, 50, FF, 15, 60, C8, ... ]
.text win32k.sys!EngCopyBits + 5B BF836B60 11 Bytes [ FF, 55, 8B, EC, 81, EC, FC, ... ]
.text win32k.sys!EngCopyBits + 67 BF836B6C 23 Bytes [ 5D, 0C, 8B, C3, F7, D8, 1B, ... ]
.text win32k.sys!EngCopyBits + 7F BF836B84 3 Bytes [ 85, 0E, 03 ]
.text win32k.sys!EngMapFontFileFD + 32 BF837100 210 Bytes [ F1, 8B, 08, F6, 41, 21, 20, ... ]
.text win32k.sys!EngMapFontFileFD + 105 BF8371D3 57 Bytes [ EC, 83, EC, 34, 53, 56, 57, ... ]
.text win32k.sys!EngMapFontFileFD + 140 BF83720E 2 Bytes [ 68, 5F ]
.text win32k.sys!EngMapFontFileFD + 144 BF837212 84 Bytes CALL BF8047FD \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngMapFontFileFD + 199 BF837267 52 Bytes [ 35, 34, 8B, 9A, BF, FF, 15, ... ]
.text win32k.sys!EngUnmapFontFileFD + B5 BF83739E 54 Bytes [ 00, 8B, 40, 4C, 49, 83, E1, ... ]
.text win32k.sys!EngUnmapFontFileFD + ED BF8373D6 9 Bytes [ 8B, 4D, 0C, 85, C9, 0F, 84, ... ]
.text win32k.sys!EngUnmapFontFileFD + F7 BF8373E0 22 Bytes [ 00, 8B, 45, 10, 8B, 16, 8B, ... ]
.text win32k.sys!EngUnmapFontFileFD + 116 BF8373FF 2 Bytes CALL 4A837406
.text win32k.sys!EngUnmapFontFileFD + 11A BF837403 5 Bytes [ 8B, D8, 89, 5D, FC ]
.text win32k.sys!EngCreateBitmap + 12 BF8380C2 47 Bytes [ 74, 0B, F7, D9, 03, CB, 41, ... ]
.text win32k.sys!EngCreateBitmap + 42 BF8380F2 19 Bytes [ FF, FF, 8B, 5D, 08, 70, 05, ... ]
.text win32k.sys!EngCreateBitmap + 58 BF838108 91 Bytes [ 90, 90, 8B, FF, 55, 8B, EC, ... ]
.text win32k.sys!EngCreateBitmap + B4 BF838164 81 Bytes [ 55, 8B, EC, 56, 8B, 75, 14, ... ]
.text win32k.sys!EngCreateBitmap + 109 BF8381B9 43 Bytes CALL BF837FEA \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!PATHOBJ_bEnum + E BF84BA59 259 Bytes [ DB, 8A, F8, 0F, B6, FC, D1, ... ]
.text win32k.sys!PATHOBJ_bEnum + 114 BF84BB5F 56 Bytes [ 51, 8D, 96, 10, 01, 00, 00, ... ]
.text win32k.sys!PATHOBJ_bEnum + 14D BF84BB98 8 Bytes [ E5, 5D, C3, 90, 90, 90, 90, ... ]
.text win32k.sys!PATHOBJ_bEnum + 156 BF84BBA1 2 Bytes [ FF, 55 ]
.text win32k.sys!PATHOBJ_bEnum + 159 BF84BBA4 1 Byte [ EC ]
.text win32k.sys!EngComputeGlyphSet + 55 BF84FA62 27 Bytes JMP BF84F7EC \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngComputeGlyphSet + 71 BF84FA7E 61 Bytes [ 11, 39, 58, 0C, 0F, 8D, E6, ... ]
.text win32k.sys!EngMultiByteToWideChar + 2C BF84FABC 11 Bytes [ 33, C9, 39, 0E, 74, 2C, 89, ... ]
.text win32k.sys!EngMultiByteToWideChar + 38 BF84FAC8 69 Bytes [ 4D, FC, 03, C1, 89, 4B, 04, ... ]
.text win32k.sys!EngMultiByteToWideChar + 7E BF84FB0E 48 Bytes [ 08, 75, 0A, C7, 00, D4, F6, ... ]
.text win32k.sys!EngMultiByteToWideChar + AF BF84FB3F 22 Bytes [ 33, F6, 83, 7D, 14, 01, 74, ... ]
.text win32k.sys!EngMultiByteToWideChar + C6 BF84FB56 15 Bytes [ 7D, EC, 00, 74, 52, 6A, 08, ... ]
.text win32k.sys!EngDeviceIoControl + 22 BF85A3FB 34 Bytes [ 8B, 95, 74, FF, FF, FF, 8B, ... ]
.text win32k.sys!EngDeviceIoControl + 46 BF85A41F 154 Bytes [ C1, E1, 0A, C1, E0, 0A, 89, ... ]
.text win32k.sys!EngDeviceIoControl + E1 BF85A4BA 25 Bytes [ 4B, 5E, F6, 80, D8, 03, 00, ... ]
.text win32k.sys!EngDeviceIoControl + FB BF85A4D4 30 Bytes [ 66, 8B, 4E, 02, 66, 8B, 56, ... ]
.text win32k.sys!EngDeviceIoControl + 11A BF85A4F3 190 Bytes [ 00, 00, 85, C9, 75, 70, 66, ... ]
.text win32k.sys!EngWaitForSingleObject + 17 BF85A84D 176 Bytes [ 8B, 8B, CC, 02, 00, 00, E8, ... ]
.text win32k.sys!EngUnicodeToMultiByteN + 8F BF85A8FE 23 By
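The GMER output above lists code modifications of two kinds: user-mode lines (a process, the patched export, and the module GMER resolved the JMP target to) and kernel lines (a win32k.sys export plus offset, and either a JMP/CALL target or the raw bytes found there). The question a practitioner asks of each line is where control goes: stays inside the patched module, lands in a module already accepted for that process, lands in a different module, or cannot be mapped to any module at all. The Python below is an added example, not part of the thread and not GMER's own code. It parses lines in GMER's `.text` format and sorts them by that question. The six sample lines are constructed in the shape of the log above, and `KNOWN_HOOKS` (Internet Explorer's own IEFRAME.dll hooking USER32 dialog functions) is an assumed allowlist for illustration; the verdicts are a triage heuristic for deciding what to look at first, not a judgement about this machine.

```python
"""Triage GMER '.text' hook lines by where each code modification transfers control.

Added example; not GMER's code.  Sample lines and the allowlist are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: six lines in the shape of GMER's user-mode and kernel output.
SAMPLE = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!DialogBoxParamW 7E425F8F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!MessageBoxExA 7E450774 5 Bytes JMP 430A1736 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text win32k.sys!EngNineGrid + 8F BF81729C 121 Bytes JMP 80538BD0 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text win32k.sys!EngCopyBits + 2 BF836B07 61 Bytes JMP BF836D36 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngAcquireSemaphore + D BF80657D 24 Bytes [ 48, 1C, 8B, 4D, 08, E8, BE, ... ]
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 3B BF81B75B 3 Bytes CALL 4581B6A4
"""

# Hypothetical allowlist (an assumption of this example): (process, patched module,
# target module) triples the analyst has already accepted as expected behaviour.
KNOWN_HOOKS = {("iexplore.exe", "user32.dll", "ieframe.dll")}

LINE_RE = re.compile(
    r"^\.text\s+"
    r"(?:(?P<process>.+?)\[(?P<pid>\d+)\]\s+)?"        # user-mode lines carry process[pid]
    r"(?P<module>[^\s!]+)!(?P<func>\S+)"               # patched module and nearest export
    r"(?:\s+\+\s+(?P<offset>[0-9A-Fa-f]+))?"           # optional offset from that export
    r"\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+"
    r"(?P<detail>.*)$"                                 # JMP/CALL target or raw byte dump
)
XFER_RE = re.compile(
    r"^(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<path>\S+)\s+\((?P<desc>[^)]*)\))?$"    # module GMER mapped the target to
)


@dataclass
class Hook:
    scope: str                     # "user" (process given) or "kernel"
    process: Optional[str]         # full path of the hooked process, user-mode only
    module: str                    # module whose code bytes were modified
    func: str                      # exported symbol nearest the modification
    addr: int
    size: int
    kind: str                      # "JMP", "CALL", or "PATCH" (raw byte overwrite)
    target_module: Optional[str]   # module GMER resolved the JMP/CALL target to
    verdict: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(process, module, kind, target_module, allowlist) -> str:
    if kind == "PATCH":
        return "patch"          # bytes differ from the expected image; nothing to attribute
    if target_module is None:
        return "review"         # control goes somewhere GMER could not map to a module
    if target_module == module:
        return "intra-module"   # transfer stays inside the patched module
    owner = _basename(process) if process else "kernel"
    return "known" if (owner, module, target_module) in allowlist else "review"


def parse_line(line: str, allowlist=KNOWN_HOOKS) -> Optional[Hook]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    module = m["module"].lower()
    x = XFER_RE.match(m["detail"])
    if x is None:
        kind, target_module = "PATCH", None
    else:
        kind = x["kind"]
        target_module = _basename(x["path"]) if x["path"] else None
    verdict = classify(m["process"], module, kind, target_module, allowlist)
    return Hook("user" if m["process"] else "kernel", m["process"], module, m["func"],
                int(m["addr"], 16), int(m["size"]), kind, target_module, verdict)


def triage(text: str, allowlist=KNOWN_HOOKS):
    """Parse every GMER .text line in `text`; return (hooks, verdict counts)."""
    hooks = [h for h in (parse_line(l, allowlist) for l in text.splitlines()) if h]
    return hooks, Counter(h.verdict for h in hooks)


if __name__ == "__main__":
    hooks, counts = triage(SAMPLE)
    for h in hooks:
        print(f"{h.verdict:12} {h.scope:6} {h.module}!{h.func} {h.kind} -> {h.target_module}")
    print(dict(counts))
```

Lines marked "review" are the ones worth a second look first: a transfer into a module the process is not expected to patch, or to an address GMER could not attribute to any loaded module. "patch" lines only say the bytes in memory differ from what GMER expected at that spot and carry no target to chase, so they are weighed by volume and location rather than one by one.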

#15 mbha (Topic Starter, Member, 19 posts)
Continued GMER scan...........
---------------------------------
.text win32k.sys!EngUnicodeToMultiByteN + A7 BF85A916 26 Bytes [ 45, F0, 8B, 55, F4, 8D, 4C, ... ]
.text win32k.sys!EngUnicodeToMultiByteN + C2 BF85A931 27 Bytes [ EB, 04, 48, C6, 45, 13, 00, ... ]
.text win32k.sys!EngUnicodeToMultiByteN + DE BF85A94D 5 Bytes [ 45, CC, 8D, 44, 17 ]
.text win32k.sys!EngUnicodeToMultiByteN + E4 BF85A953 2 Bytes [ D1, F8 ]
.text win32k.sys!EngAllocMem + 1 BF85B876 2 Bytes [ 1E, 57 ]
.text win32k.sys!EngAllocMem + 4 BF85B879 18 Bytes [ F9, 8B, C8, 2B, CB, C1, F9, ... ]
.text win32k.sys!EngAllocMem + 17 BF85B88C 5 Bytes [ FF, 83, E8, 04, A3 ]
.text win32k.sys!EngAllocMem + 1D BF85B892 48 Bytes [ 8A, 9A, BF, 8B, 00, 8B, C8, ... ]
.text win32k.sys!EngAllocMem + 4E BF85B8C3 4 Bytes [ 00, 5B, C3, 90 ]
.text win32k.sys!EngFreeMem + 3E BF85B90A 145 Bytes [ 9A, BF, 5F, C7, 05, 14, 8B, ... ]
.text win32k.sys!EngFreeMem + D0 BF85B99C 84 Bytes [ 8E, 60, 01, 00, 00, 2B, CA, ... ]
.text win32k.sys!EngFreeMem + 125 BF85B9F1 2 Bytes [ 72, 16 ]
.text win32k.sys!EngFreeMem + 128 BF85B9F4 170 Bytes [ 71, F8, 8D, 51, FC, 8B, 0A, ... ]
.text win32k.sys!EngFreeMem + 1D3 BF85BA9F 129 Bytes [ 7E, D8, A1, 18, 8B, 9A, BF, ... ]
.text win32k.sys!FONTOBJ_pxoGetXform + 1 BF86A902 2 Bytes [ 40, 04 ]
.text win32k.sys!FONTOBJ_pxoGetXform + 4 BF86A905 88 Bytes [ 40, 08, 8B, 4B, 28, 8B, 40, ... ]
.text win32k.sys!FONTOBJ_pxoGetXform + 5D BF86A95E 181 Bytes [ F0, 85, F6, 74, 32, 8B, 43, ... ]
.text win32k.sys!FONTOBJ_pxoGetXform + 113 BF86AA14 12 Bytes JMP BF86ACF9 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!FONTOBJ_pxoGetXform + 121 BF86AA22 12 Bytes JMP BF86AC59 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!STROBJ_vEnumStart + 1 BF86FC39 37 Bytes [ 77, 04, 85, F6, 0F, 84, C5, ... ]
.text win32k.sys!STROBJ_vEnumStart + 27 BF86FC5F 47 Bytes [ 0F, B7, CB, C1, E0, 10, 0B, ... ]
.text win32k.sys!STROBJ_vEnumStart + 57 BF86FC8F 25 Bytes [ 75, 0D, 0F, B7, 47, 08, 50, ... ]
.text win32k.sys!STROBJ_vEnumStart + 71 BF86FCA9 99 Bytes [ 30, F1, 00, 00, 74, 1D, EB, ... ]
.text win32k.sys!STROBJ_vEnumStart + D5 BF86FD0D 148 Bytes [ FF, 83, FE, 1B, 74, C7, 83, ... ]
.text win32k.sys!EngTextOut + 5D BF8703CC 16 Bytes [ FF, A1, EC, B6, 9A, BF, 85, ... ]
.text win32k.sys!EngTextOut + 6E BF8703DD 13 Bytes [ 35, E0, B6, 9A, BF, E8, 89, ... ]
.text win32k.sys!EngTextOut + 7D BF8703EC 74 Bytes [ 3B, 45, EC, 74, E5, E9, 9B, ... ]
.text win32k.sys!EngTextOut + C8 BF870437 24 Bytes [ 89, 3D, CC, B2, 9A, BF, E9, ... ]
.text win32k.sys!EngTextOut + E1 BF870450 2 Bytes [ FE, FF ]
.text win32k.sys!XLATEOBJ_iXlate + 7 BF87174C 37 Bytes [ 48, 0C, 8B, 89, 08, 02, 00, ... ]