Desktop replaced with ad wallpaper, unable to change it. [RESOLVED]



#1
Kyossed

    New Member

  • Member
  • 8 posts
Howdy, fellas. Had an interesting night yesterday. While browsing I notice Firefox is creating new tabs with ad pages in them. As soon as I start closing them (Probably just bad timing) a dialog box pops up with a bogus EULA and one button to accept with no backout. This worries the [bleep] out of me, so I check task manager real quick and kill everything I don't recognize, and said dialog blips off. I go to my msconfig and clear out the gibberish that would have launched next time I started, then schedule a scan in Avast! Antivirus for the next time I boot. After this, I restart and go to sleep.

When I wake up Avast! is patiently waiting for me to give it instructions on how to handle the first thing it found, so I tell it to delete all and then I go make some coffee. I get distracted doing morning things, and wandering back to my PC about an hour later Avast! has finished its scan and presumably cleaned out whatever infection was present. Unfortunately, as I enter my password and login to windows there is a big predominant warning box LOOMING over me. Funny thing, though. It's styled as though I were running Vista. Weird. (See first attachment: SpywareScreen1.PNG)

I take a look in running processes and I can't see anything out of the ordinary running, so I figure the whatever I had changed my desktop wallpaper. Open up desktop properties to reset it and whahey: see attachment two (SpywareScreen2.PNG).

Well, now I'm a bit annoyed. I figure whatever I had must have changed some settings or something and when I gave it the boot it didn't feel like changing them back. Now I don't have a way to set my screensaver or desktop wallpaper. That's basically when I turned to THE INTARWUBS. Googled the contents of the desktop fake popup, and eventually was led here. You folks seem like a knowledgeable bunch, so uh.. could you gimme a hand with this?

I tried to get a Hijack This log, but there were several errors as it was running so I'm gonna restart and do it in Safe Mode while the ball gets rolling here.

The scant bit of research I did suggested this was the work of XP-Guard, a "Rogue Anti-Spyware" or whatever the cool kids are calling it these days. As of this post my computer is completely functional except for being unable to change the wallpaper or screensaver.


*EDIT*
Well, I'm not thinking right. Turns out that the Hijack This log, when compiled in Safe Mode, is rather lacking. Duh. I'll run it again in regular mode and post it if you want the buggy one. Also noticed as I was logging off that every sound except for Windows startup has been replaced with that annoying default -BEEP- that you usually only hear during startup. So, that's fun.


Hijack This log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:11 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Gaim\gaim.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O8 - Extra context menu item: Download with GetRight - Z:\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - Z:\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{83A7F6A0-BCA3-4BC2-B68D-E151FB21AE02}: NameServer = 204.127.203.135,216.148.225.135
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 3831 bytes

Edited by Kyossed, 19 August 2008 - 04:39 PM.

  • 0
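The HijackThis output above is the raw material a helper reads by hand. As an added example (not part of this thread and not HijackThis code), the script below parses lines in that "O-section" layout and flags what an analyst looks at first: entries whose target file is gone, autostarts launched from a temp directory, a Winsock LSP the tool did not recognise, DNS servers outside an expected set, and services with no vendor string. The sample lines and the expected-DNS allow list are constructed for the example (one O4 line is invented to exercise the temp-directory rule), and the rules are review heuristics, not verdicts.

```python
import re

# Constructed sample in the HijackThis v2 "O-section" layout used in the thread. Most lines are
# copied patterns from the log above; the second O4 line is invented to exercise the temp-directory rule.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Dan\Local Settings\Temp\updater.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{83A7F6A0-BCA3-4BC2-B68D-E151FB21AE02}: NameServer = 204.127.203.135,216.148.225.135
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
"""

# Constructed allow list (assumption): the resolvers this machine is supposed to be using.
EXPECTED_DNS = frozenset({"204.127.203.135", "216.148.225.135"})

ENTRY_RE = re.compile(r"^O(\d+) - (.*)$")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def triage_hijackthis(log_text, expected_dns=frozenset()):
    """Return (section, reason, line) triples for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line: not an O-entry
        section, rest = int(m.group(1)), m.group(2)
        low = rest.lower()
        if "(no file)" in low:
            # Registry still references a file that is gone: harmless clutter, often a removal leftover.
            findings.append((section, "orphaned entry: target file no longer exists", line))
        elif section == 4 and "\\temp\\" in low:
            # Legitimate software rarely autostarts from a temp folder; droppers often do.
            findings.append((section, "autostart launches from a temp directory", line))
        elif section == 10:
            # An LSP sits in every socket's data path, so an unrecognised one deserves a publisher check.
            findings.append((section, "Winsock LSP not recognised by HijackThis; verify the DLL's publisher", line))
        elif section == 17:
            # DNS hijacks show up here as resolvers that nobody on this network configured.
            unexpected = set(IP_RE.findall(rest)) - set(expected_dns)
            if unexpected:
                findings.append((section, "DNS servers not in the expected set: " + ", ".join(sorted(unexpected)), line))
        elif section == 23 and "unknown owner" in low:
            # No vendor string in the service's version info: confirm where the binary came from.
            findings.append((section, "service without a vendor string; confirm the binary's origin", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hijackthis(SAMPLE_HJT, EXPECTED_DNS):
        print(f"O{section}: {reason}\n    {line}")
```

Run it against a real log by reading the file into `log_text`; without an allow list every O17 NameServer line is reported, which is the safe default when you do not know what the ISP assigned.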



#2
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi Kyossed

welcome to geekstogo :)

sorry to keep you waiting.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


andrewuk
  • 0

#3
Kyossed

    New Member

  • Topic Starter
  • Member
  • 8 posts
Combofix and Hijack This logs follow. Hey, those rhyme!

ComboFix Log:

ComboFix 08-08-21.02 - Dan 2008-08-23 17:32:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.354 [GMT -5:00]
Running from: C:\Documents and Settings\Dan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dan\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dan\Application Data\macromedia\Flash Player\#SharedObjects\GF7VEKJ5\interclick.com
C:\Documents and Settings\Dan\Application Data\macromedia\Flash Player\#SharedObjects\GF7VEKJ5\interclick.com\ud.sol
C:\Documents and Settings\Dan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Dan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\lphc9ftj0e51g.exe
C:\WINDOWS\system32\phc9ftj0e51g.bmp

.
((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-23 03:14 . 2007-03-07 18:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-08-23 03:14 . 2007-03-07 18:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-08-23 03:14 . 2007-03-07 18:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-08-19 18:48 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-08-19 18:48 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-08-19 18:48 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-08-19 18:48 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-08-19 18:48 . 2007-06-20 20:45 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2008-08-19 18:05 . 2008-08-19 18:05 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\InstallShield
2008-08-19 17:09 . 2008-08-22 01:42 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Hamachi
2008-08-19 17:08 . 2008-08-19 17:09 <DIR> d-------- C:\Program Files\Hamachi
2008-08-19 17:08 . 2008-08-19 17:08 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-08-19 12:21 . 2008-08-19 12:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-19 12:00 . 2008-08-19 12:00 <DIR> d-------- C:\VundoFix Backups
2008-08-19 06:05 . 2008-08-19 06:05 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-19 04:21 . 2008-08-19 04:21 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-08-17 04:11 . 2008-08-17 04:11 <DIR> d-------- C:\Program Files\Veoh Networks
2008-08-15 15:48 . 2008-08-15 16:12 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\FileZilla
2008-08-15 15:47 . 2008-08-15 15:47 <DIR> d-------- C:\Program Files\FileZilla FTP Client

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 22:33 --------- d-----w C:\Documents and Settings\Dan\Application Data\.gaim
2008-08-23 08:15 --------- d-----w C:\Program Files\Winamp
2008-08-22 04:45 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-19 23:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-19 09:22 --------- d-----w C:\Documents and Settings\Dan\Application Data\Azureus
2008-08-14 22:14 --------- d-----w C:\Documents and Settings\Dan\Application Data\Xfire
2006-01-08 19:43 349 ----a-w C:\Program Files\INSTALL.LOG
2005-07-11 03:41 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2003-12-18 17:33 20,102 ----a-w C:\Program Files\Readme.txt
2003-09-03 13:46 10,960 ----a-w C:\Program Files\EULA.txt
.

------- Sigcheck -------

2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2001-08-23 07:00 1896704 46e2e3dcf54b819cfb2ebfe48a22b5c9 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-04 00:58 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 19:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2004-08-04 00:58 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2006-01-12 21:01 2057344 c60248dde015b0a73871a16576b7a945 C:\WINDOWS\system32\ntkrnlpa.exe

2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2001-08-23 07:00 1982208 a29222d5281056e497408fcc9062f749 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-04 01:19 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 19:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2004-08-04 01:19 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2006-01-12 21:04 2187904 c3b84871dece94e335b96fafd756316c C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-01-12 20:13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 19:05 81920]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 09:38 78008]

C:\Documents and Settings\Dan\Start Menu\Programs\Startup\
hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [2008-08-19 17:08:15 625952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dan^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Dan\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-05-12 21:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-01-12 20:13 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 16:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2006-01-13 01:46 196608 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 00:31 208952 C:\WINDOWS\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 00:31 59392 C:\WINDOWS\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 00:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 00:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-10-13 18:20 20058152 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-12-05 15:59 1266936 C:\Program Files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-06-03 03:52 36975 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-13 18:06 3660848 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-03 18:02 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
--a------ 2004-06-20 20:45 630854 C:\Program Files\UltraVNC\winvnc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 09:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 09:37]
S3 oflpydin;oflpydin;C:\DOCUME~1\Dan\LOCALS~1\Temp\oflpydin.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dfe8d66-5095-11da-8185-004854803bdf}]
\Shell\AutoRun\command - D:\.pspware\PSPWareLauncher.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-lphc9ftj0e51g - C:\WINDOWS\system32\lphc9ftj0e51g.exe
MSConfigStartUp-NeroFilterCheck - C:\WINDOWS\system32\NeroCheck.exe
MSConfigStartUp-PC Alarm Clock - C:\Program Files\PC Alarm Clock\pac.exe
MSConfigStartUp-RealTray - C:\Program Files\Real\RealPlayer\RealPlay.exe
MSConfigStartUp-TkBellExe - C:\Program Files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-WMUAgent - C:\Program Files\WakeMeUp\WMUAgent.exe
MSConfigStartUp-WMUTray - C:\Program Files\WakeMeUp\WMUTray.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\zx2wx1nf.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 17:35:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-23 17:38:42
ComboFix-quarantined-files.txt 2008-08-23 22:38:17

Pre-Run: 3,482,689,536 bytes free
Post-Run: 3,847,335,936 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

185



Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:10 PM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O8 - Extra context menu item: Download with GetRight - Z:\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - Z:\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{83A7F6A0-BCA3-4BC2-B68D-E151FB21AE02}: NameServer = 204.127.203.135,216.148.225.135
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 3595 bytes


Hope that helps figure this thing out. Thanks for responding!


  • 0

#4
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
In this post we will remove the malware I can see, and do three scans to see what else slipped onto your machine. We will also update your java.

The scans will likely take 3 hours, quite possibly much longer. So just let them run.


====STEP 1====
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dfe8d66-5095-11da-8185-004854803bdf}]

Driver::
oflpydin


Save this as CFScript.txt, in the same location as ComboFix.exe


[Posted Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



====STEP 2====
Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



====STEP 3====
Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts. A log will appear (JavaRa.log), please post the contents of this log on the forum.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

====STEP 4====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



====STEP 5====
Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

In your next reply could I see:
1. combofix log
2. the malwarebytes log
3. kaspersky log
4. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0
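The "Reg Loading Points" section of the ComboFix log in post #3 is where the rogue's footprints show: all four Security Center notify/override values set to 1, the Windows Firewall switched off in the standard profile, a start-on-demand driver (oflpydin) loading from the user's Temp folder, and an AutoRun handler registered under mountpoints2. The CFScript in post #4 targets exactly the last two. As an added example that is not part of this thread and not ComboFix's own code, the script below parses a constructed excerpt in that layout, reports those findings, and assembles the matching Registry::/Driver:: sections in the same CFScript.txt format shown in post #4. The heuristics (a Temp path for a driver image, those particular Security Center values, any mountpoints2 AutoRun command) are my assumptions about what a reviewer checks; the generated script is a draft for a helper to review, not something to feed to ComboFix unread.

```python
import re
from dataclasses import dataclass

# Constructed excerpt, laid out like the "Reg Loading Points" part of the ComboFix log
# in the thread (a few lines copied from it, not the whole report).
SAMPLE_REPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 09:35]
S3 oflpydin;oflpydin;C:\DOCUME~1\Dan\LOCALS~1\Temp\oflpydin.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dfe8d66-5095-11da-8185-004854803bdf}]
\Shell\AutoRun\command - D:\.pspware\PSPWareLauncher.exe
"""

# Security Center values that, when set to 1, silence the "no antivirus / firewall off" warnings.
SECURITY_CENTER_FLAGS = {"AntiVirusDisableNotify", "UpdatesDisableNotify",
                         "AntiVirusOverride", "FirewallOverride"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s*\[")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$")


@dataclass
class Finding:
    kind: str
    detail: str
    registry_key: str = ""  # key a CFScript "Registry::" section would delete
    driver: str = ""        # service name a CFScript "Driver::" section would remove


def triage(report):
    """Walk the report line by line and collect persistence and weakened-defence findings."""
    findings = []
    current_key = ""
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)  # keep original case so the CFScript quotes it verbatim
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            key_low = current_key.lower()
            if (key_low.endswith("security center") and name in SECURITY_CENTER_FLAGS
                    and value.endswith("00000001")):
                findings.append(Finding("security-center", f"{name}=1 suppresses a Security Center warning"))
            elif name == "EnableFirewall" and value.split()[0] == "0":
                findings.append(Finding("firewall", "Windows Firewall disabled in " + key_low.rsplit("\\", 1)[-1]))
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, svc, image = m.group(1), m.group(2), m.group(4)
            if "\\temp\\" in image.lower():  # drivers belong in system32\drivers, not a Temp folder
                findings.append(Finding("driver", f"{svc} ({start}) loads from a temp directory: {image}", driver=svc))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in current_key.lower():
            findings.append(Finding("autorun", f"AutoRun handler registered for a mounted volume: {m.group(1)}",
                                    registry_key=current_key))
    return findings


def build_cfscript(findings):
    """Emit the Registry::/Driver:: sections in the CFScript.txt format used in post #4."""
    keys = [f.registry_key for f in findings if f.registry_key]
    drivers = [f.driver for f in findings if f.driver]
    parts = []
    if keys:
        parts.append("Registry::\n" + "\n".join(f"[-{k}]" for k in keys))
    if drivers:
        parts.append("Driver::\n" + "\n".join(drivers))
    return "\n\n".join(parts) + ("\n" if parts else "")


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    for f in found:
        print(f"[{f.kind}] {f.detail}")
    print("\n--- draft CFScript.txt ---\n" + build_cfscript(found))
```

The Security Center and firewall findings get no CFScript line on purpose: those are settings to turn back on by hand once the machine is clean, not keys to delete.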

#5
Kyossed

    New Member

  • Topic Starter
  • Member
  • 8 posts
Sorry for the delay, but I gotta hit the sack soon. I'll finish this stuff up and post the logs tomorrow. Thanks for the help so far, by the way. It's good to know somebody knows what the heck to do to get this machine up to snuff again.

Edited by Kyossed, 23 August 2008 - 08:45 PM.

  • 0

#6
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
no problem :)

i will await your replies

andrewuk
  • 0

#7
Kyossed

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hokay. Ran through steps 1-4 relatively quickly, but step five (Kaspersky) looks like it's gonna take a while. I'll post the first three logs now, and when Kaspersky finishes sometime in the next twelve hours I'll post that one as well.

ComboFix

ComboFix 08-08-21.02 - Dan 2008-08-23 22:30:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.408 [GMT -5:00]
Running from: C:\Documents and Settings\Dan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dan\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OFLPYDIN
-------\Service_oflpydin


((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
.

2008-08-23 03:14 . 2007-03-07 18:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-08-23 03:14 . 2007-03-07 18:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-08-23 03:14 . 2007-03-07 18:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-08-19 18:48 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-08-19 18:48 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-08-19 18:48 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-08-19 18:48 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-08-19 18:48 . 2007-06-20 20:45 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2008-08-19 18:05 . 2008-08-19 18:05 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\InstallShield
2008-08-19 17:09 . 2008-08-23 22:47 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Hamachi
2008-08-19 17:08 . 2008-08-19 17:09 <DIR> d-------- C:\Program Files\Hamachi
2008-08-19 17:08 . 2008-08-19 17:08 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-08-19 12:21 . 2008-08-19 12:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-19 12:00 . 2008-08-19 12:00 <DIR> d-------- C:\VundoFix Backups
2008-08-19 06:05 . 2008-08-19 06:05 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-19 04:21 . 2008-08-19 04:21 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-08-17 04:11 . 2008-08-17 04:11 <DIR> d-------- C:\Program Files\Veoh Networks
2008-08-15 15:48 . 2008-08-15 16:12 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\FileZilla
2008-08-15 15:47 . 2008-08-15 15:47 <DIR> d-------- C:\Program Files\FileZilla FTP Client

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 00:45 --------- d-----w C:\Documents and Settings\Dan\Application Data\.gaim
2008-08-23 08:15 --------- d-----w C:\Program Files\Winamp
2008-08-19 23:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-19 09:22 --------- d-----w C:\Documents and Settings\Dan\Application Data\Azureus
2008-08-14 22:14 --------- d-----w C:\Documents and Settings\Dan\Application Data\Xfire
2006-01-08 19:43 349 ----a-w C:\Program Files\INSTALL.LOG
2005-07-11 03:41 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2003-12-18 17:33 20,102 ----a-w C:\Program Files\Readme.txt
2003-09-03 13:46 10,960 ----a-w C:\Program Files\EULA.txt
.

------- Sigcheck -------

2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2001-08-23 07:00 1896704 46e2e3dcf54b819cfb2ebfe48a22b5c9 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-04 00:58 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 19:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2004-08-04 00:58 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2006-01-12 21:01 2057344 c60248dde015b0a73871a16576b7a945 C:\WINDOWS\system32\ntkrnlpa.exe

2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2001-08-23 07:00 1982208 a29222d5281056e497408fcc9062f749 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-04 01:19 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 19:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2004-08-04 01:19 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2006-01-12 21:04 2187904 c3b84871dece94e335b96fafd756316c C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((( [email protected]_17.37.52.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-08-24 03:37:04 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_660.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-01-12 20:13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 19:05 81920]

C:\Documents and Settings\Dan\Start Menu\Programs\Startup\
hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [2008-08-19 17:08:15 625952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dan^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Dan\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-05-12 21:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-01-12 20:13 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 16:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2006-01-13 01:46 196608 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 00:31 208952 C:\WINDOWS\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 00:31 59392 C:\WINDOWS\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 00:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 00:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-10-13 18:20 20058152 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-12-05 15:59 1266936 C:\Program Files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-06-03 03:52 36975 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-13 18:06 3660848 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-03 18:02 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
--a------ 2004-06-20 20:45 630854 C:\Program Files\UltraVNC\winvnc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 09:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 09:37]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 22:46:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\conime.exe
.
**************************************************************************
.
Completion time: 2008-08-23 22:52:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-24 03:52:23
ComboFix2.txt 2008-08-23 22:38:43

Pre-Run: 4,518,232,064 bytes free
Post-Run: 4,453,482,496 bytes free

174


Malwarebytes Log


Malwarebytes' Anti-Malware 1.25
Database version: 1082
Windows 5.1.2600 Service Pack 2

2:40:33 PM 8/24/2008
mbam-log-08-24-2008 (14-40-33).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 201533
Time elapsed: 1 hour(s), 28 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{220D535D-B97F-476D-AE5B-09E75D3583F3}\RP6\A0001169.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.


HijackThis
(Temporary)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:46 PM, on 8/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O8 - Extra context menu item: Download with GetRight - Z:\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - Z:\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{83A7F6A0-BCA3-4BC2-B68D-E151FB21AE02}: NameServer = 204.127.203.135,216.148.225.135
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol hijack: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6}
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF}
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol hijack: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol hijack: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 5583 bytes


I know the current HijackThis log will probably be useless since it won't reflect the Kaspersky changes, but I'll leave it up temporarily until Kaspersky finishes and I can rescan. Again, sorry about the delay. If I had known Kaspersky was going to take an hour and a half to get to eight percent, I probably would have started it before I dozed off. :)



  • 0

#8
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

I know the current HijackThis log will probably be useless since it won't reflect the Kaspersky changes, but I'll leave it up temporarily until Kaspersky finishes and I can rescan. Again, sorry about the delay. If I had known Kaspersky was going to take an hour and a half to get to eight percent, I probably would have started it before I dozed off.

the kaspersky won't change anything, it will merely highlight any infections, so no need to post another hijackthis log, just the kaspersky log

andrewuk
  • 0

#9
Kyossed

Kyossed

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Well that's good to know. Kaspersky log follows:

Kaspersky Log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 24, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 24, 2008 20:29:33
Records in database: 1141218
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan statistics:
Files scanned: 155159
Threat name: 8
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 04:11:41


File name / Threat name / Threats count
C:\Dan\Torrents\fakeshutdown.exe Infected: Hoax.Win32.BadJoke.RJL.c 1
C:\Dan\UltraVNC-100-RC18-Setup.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\zx2wx1nf.default\extensions\[email protected]\components\firebit.dll Infected: not-a-virus:AdWare.Win32.Kitsune.f 1
C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\a.exe.vir Infected: Trojan-Downloader.Win32.Small.abni 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lphc9ftj0e51g.exe.vir Infected: Trojan-Downloader.Win32.Small.ably 1
C:\WINDOWS\system32\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows 1
D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe Infected: Backdoor.Win32.Bifrose.zlq 1

The selected area was scanned.


  • 0

#10
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
the kaspersky found a few infected files to remove (and some which are safely quarantined away), and i want to scan one to see if it was a false positive.

the potential false positive is D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe ..... i am guessing this is a real file, and not some malware?



====STEP 1====
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Dan\Torrents\fakeshutdown.exe
C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\zx2wx1nf.default\extensions\[email protected]\components\firebit.dll


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




====STEP 2====
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe

Click on the submit button

Please post the results of the scan in your next reply.

If Jotti is busy, try the same at Virustotal




In your next reply could i see:
1. the combofix log
2. a new hijackthis log
3. the jotti log
4. some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#11
Kyossed

Kyossed

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Actually, it's entirely possible that Beyond the Sword exe is malicious, as it is a No-CD crack that I downloaded to replace a dead Civ disk. Guess I should just pony up and get a new copy from Best Buy instead of skinflinting it. Various words, symbols, and numbers follow (in a log format)!


ComboFix Log:


ComboFix 08-08-21.02 - Dan 2008-08-24 21:24:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.238 [GMT -5:00]
Running from: C:\Documents and Settings\Dan\Desktop\System\Malware tools\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dan\Desktop\System\Malware tools\CFScript.txt
* Created a new restore point

FILE ::
C:\Dan\Torrents\fakeshutdown.exe
C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\zx2wx1nf.default\extensions\[email protected]\components\firebit.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dan\Torrents\fakeshutdown.exe
C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\zx2wx1nf.default\extensions\[email protected]\components\firebit.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-24 13:09 . 2008-08-24 13:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-24 13:09 . 2008-08-24 13:09 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Malwarebytes
2008-08-24 13:09 . 2008-08-24 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-24 13:09 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-24 13:09 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-24 13:06 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-23 03:14 . 2007-03-07 18:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-08-23 03:14 . 2007-03-07 18:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-08-23 03:14 . 2007-03-07 18:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-08-19 18:48 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-08-19 18:48 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-08-19 18:48 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-08-19 18:48 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-08-19 18:48 . 2007-06-20 20:45 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2008-08-19 18:05 . 2008-08-19 18:05 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\InstallShield
2008-08-19 17:09 . 2008-08-24 13:00 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Hamachi
2008-08-19 17:08 . 2008-08-19 17:09 <DIR> d-------- C:\Program Files\Hamachi
2008-08-19 17:08 . 2008-08-19 17:08 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-08-19 12:21 . 2008-08-19 12:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-19 12:00 . 2008-08-19 12:00 <DIR> d-------- C:\VundoFix Backups
2008-08-19 06:05 . 2008-08-19 06:05 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-19 04:21 . 2008-08-19 04:21 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-08-17 04:11 . 2008-08-17 04:11 <DIR> d-------- C:\Program Files\Veoh Networks
2008-08-15 15:48 . 2008-08-15 16:12 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\FileZilla
2008-08-15 15:47 . 2008-08-15 15:47 <DIR> d-------- C:\Program Files\FileZilla FTP Client

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 21:59 --------- d-----w C:\Documents and Settings\Dan\Application Data\.gaim
2008-08-24 18:06 --------- d-----w C:\Program Files\Java
2008-08-24 17:55 --------- d-----w C:\Documents and Settings\Dan\Application Data\Azureus
2008-08-23 08:15 --------- d-----w C:\Program Files\Winamp
2008-08-22 04:45 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-19 23:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-14 22:14 --------- d-----w C:\Documents and Settings\Dan\Application Data\Xfire
2006-01-08 19:43 349 ----a-w C:\Program Files\INSTALL.LOG
2005-07-11 03:41 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2003-12-18 17:33 20,102 ----a-w C:\Program Files\Readme.txt
2003-09-03 13:46 10,960 ----a-w C:\Program Files\EULA.txt
.

------- Sigcheck -------

2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2001-08-23 07:00 1896704 46e2e3dcf54b819cfb2ebfe48a22b5c9 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-04 00:58 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 19:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2004-08-04 00:58 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2006-01-12 21:01 2057344 c60248dde015b0a73871a16576b7a945 C:\WINDOWS\system32\ntkrnlpa.exe

2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2001-08-23 07:00 1982208 a29222d5281056e497408fcc9062f749 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-04 01:19 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 19:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2004-08-04 01:19 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2006-01-12 21:04 2187904 c3b84871dece94e335b96fafd756316c C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((( [email protected]_17.37.52.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2005-06-03 07:24:06 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 06:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-06-03 07:24:14 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 06:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-06-03 08:52:56 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 07:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-08-24 17:59:46 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_66c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-01-12 20:13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 19:05 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

C:\Documents and Settings\Dan\Start Menu\Programs\Startup\
hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [2008-08-19 17:08:15 625952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dan^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Dan\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-05-12 21:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-01-12 20:13 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 16:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2006-01-13 01:46 196608 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 00:31 208952 C:\WINDOWS\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 00:31 59392 C:\WINDOWS\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 00:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 00:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-10-13 18:20 20058152 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-12-05 15:59 1266936 C:\Program Files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-06-03 03:52 36975 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-13 18:06 3660848 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-03 18:02 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
--a------ 2004-06-20 20:45 630854 C:\Program Files\UltraVNC\winvnc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 09:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 09:37]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-24 21:29:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-24 21:33:04
ComboFix-quarantined-files.txt 2008-08-25 02:32:38
ComboFix2.txt 2008-08-24 03:52:32
ComboFix3.txt 2008-08-23 22:38:43

Pre-Run: 3,957,833,728 bytes free
Post-Run: 3,994,587,136 bytes free

179


HijackThis Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:16 PM, on 8/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Gaim\gaim.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O8 - Extra context menu item: Download with GetRight - Z:\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - Z:\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{83A7F6A0-BCA3-4BC2-B68D-E151FB21AE02}: NameServer = 204.127.203.135,216.148.225.135
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol hijack: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6}
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF}
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol hijack: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol hijack: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 5681 bytes


Virustotal log (partial):

AntiVir 7.8.1.23 2008.08.23 -
Authentium 5.1.0.4 2008.08.24 -
Avast 4.8.1195.0 2008.08.23 -
AVG 8.0.0.161 2008.08.23 -
BitDefender 7.2 2008.08.24 -
CAT-QuickHeal 9.50 2008.08.22 -
ClamAV 0.93.1 2008.08.24 -
DrWeb 4.44.0.09170 2008.08.24 -
eSafe 7.0.17.0 2008.08.21 -
eTrust-Vet 31.6.6044 2008.08.23 -
Ewido 4.0 2008.08.24 -
F-Prot 4.4.4.56 2008.08.24 -
F-Secure 7.60.13501.0 2008.08.24 -
Fortinet 3.14.0.0 2008.08.24 -
GData 2.0.7306.1023 2008.08.20 -
Ikarus T3.1.1.34.0 2008.08.24 -
K7AntiVirus 7.10.427 2008.08.23 -
Kaspersky 7.0.0.125 2008.08.24 Backdoor.Win32.Bifrose.zlq
McAfee 5368 2008.08.22 -
Microsoft 1.3807 2008.08.24 -
NOD32v2 3382 2008.08.23 -
Norman 5.80.02 2008.08.22 -
Panda 9.0.0.4 2008.08.24 -
PCTools 4.4.2.0 2008.08.24 -
Prevx1 V2 2008.08.24 -
Rising 20.58.62.00 2008.08.24 -
Sophos 4.32.0 2008.08.24 -
Sunbelt 3.1.1575.1 2008.08.23 -
Symantec 10 2008.08.24 -
TheHacker 6.3.0.6.060 2008.08.23 -
TrendMicro 8.700.0.1004 2008.08.23 -
VBA32 3.12.8.4 2008.08.23 -
ViRobot 2008.8.22.1346 2008.08.22 -
VirusBuster 4.5.11.0 2008.08.23 -
Webwasher-Gateway 6.6.2 2008.08.24 Worm.Win32.Malware.gen!94 (suspicious)

File size: 12656640 bytes
MD5...: 30f438190b550d5b2b1d29261c9eb880
SHA1..: ca39decc819c436d914b57c3b7150eb35339cfc0
SHA256: bbe8f376429bd7d108ec2947977c69bea2dac9cf228bac4277e92eb444194d19
SHA512: 97b3b588743bc1ae5691fc5017776698bb0508cb9b0db3de49aa1e0eabd2440c4e526486d7a24dd6774aac59c5cafc9de792bcebc9e70be8304802720e09368c
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x91987a
timedatestamp.....: 0x48310000 (Mon May 19 04:20:16 2008)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x6c0ec7 0x6c1000 6.59 02339b758f95c8c934ab99002cb3b003
.rdata 0x6c2000 0xf5ab0 0xf6000 5.51 09d28912abebc2099981f4848a120330
.data 0x7b8000 0x5c2f4 0x36000 5.54 73a50aa875dd53fa46e6e6d4f150fff4
.rwdata 0x815000 0xc67b8 0xc7000 4.36 b8272b224c4001eb7db9c883666d20a2
.tls 0x8dc000 0x9 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x8dd000 0x35b186 0x35c000 4.49 89a415b6c77d2fbcb373962dd9174e59

( 20 imports )
> boost_python_vc71_mt_1_32.dll: [decorated C++ symbol names not recoverable: the page's e-mail-address obfuscation replaced every token containing "@" with "[email protected]"]
> zlib1.dll: uncompress, compress, deflate, deflateInit_, inflate, inflateInit_, deflateEnd, inflateEnd, compressBound
> GDI32.dll: SetDIBitsToDevice, CreateFontIndirectA, GdiFlush, TextOutA, SetBkMode, SetMapMode, GetStockObject, SetBkColor, SetTextColor, CreateDIBSection, OffsetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, CreateRectRgn, BitBlt, DeleteDC, StretchBlt, SelectObject, CreateCompatibleDC, GetObjectA, DeleteObject, ExtCreateRegion, CreateRectRgnIndirect, GetRegionData, EnumFontFamiliesExA, SetTextCharacterExtra, GetTextMetricsW, GetOutlineTextMetricsW, GetTextMetricsA, GetOutlineTextMetricsA, GetCharABCWidthsA, GetCharABCWidthsW, GetCharWidth32A, GetTextExtentPoint32A, TextOutW, GetDeviceCaps
> binkw32.dll: [stdcall-decorated names (Name@N form) not recoverable: the page's e-mail-address obfuscation replaced every token containing "@" with "[email protected]"]
> WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, WSAIoctl, -, WSASocketA, -
> MSVCP71.dll: [decorated C++ symbol names not recoverable: the page's e-mail-address obfuscation replaced every token containing "@" with "[email protected]"]
> VERSION.dll: GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA
> python24.dll: PySequence_SetItem, PyInt_FromLong, PySequence_Size, PyMarshal_ReadObjectFromString, PyFloat_AsDouble, PyFloat_Type, PyLong_AsLong, PyLong_Type, PyString_AsString, PyType_IsSubtype, PyString_Type, PyRun_String, PyModule_GetDict, PyImport_AddModule, _Py_NoneStruct, PySequence_Check, PyDict_GetItemString, PyCallable_Check, PyObject_CallObject, PyTuple_SetItem, PySequence_DelSlice, PyInt_Type, Py_Finalize, Py_IsInitialized, PyImport_AppendInittab, Py_Initialize, PySys_SetArgv, PyImport_ImportModule, PyList_New, PyString_FromString, PyFloat_FromDouble, PySequence_GetItem, PyInt_AsLong, PyUnicode_Type, PyUnicodeUCS2_GetSize, PyUnicodeUCS2_AsWideChar, PyTuple_New, PyTuple_Size, PyMarshal_WriteObjectToString, PyString_AsStringAndSize, PyString_FromStringAndSize, PyBool_FromLong, PyUnicodeUCS2_FromWideChar, PyObject_IsInstance, PyTuple_Type, PyLong_FromUnsignedLong, PyList_Type, PyErr_Print, PyErr_Occurred, PyRun_SimpleString, PyDict_SetItemString, PyList_Append
> MSVCR71.dll: _wcsnicmp, [email protected]@Z, [email protected]@Z, [email protected]@[email protected]@@Z, [email protected]@[email protected], [email protected]@[email protected], modf, memmove, _purecall, ispunct, isspace, printf, _vsnprintf, sprintf, _stricmp, atoi, _time64, _localtime64, asctime, exit, swprintf, strstr, wcslen, strncpy, [email protected]@[email protected]@Z, [email protected]@@UBEPBDXZ, _strnicmp, ceil, rand, srand, floor, wcstombs, _vsnwprintf, time, localtime, strncmp, sscanf, towlower, iswctype, fprintf, fopen, fclose, strchr, wcscat, free, _isnan, strtok, __p___argv, atof, towupper, __RTDynamicCast, wcscmp, _wcsnset, _wcsdup, realloc, _msize, malloc, fwrite, fread, _wtoi, wcscpy, _wtof, remove, fflush, strrchr, _wcsicmp, wcsncmp, wcschr, __CxxFrameHandler, [email protected]@[email protected]@Z, _CxxThrowException, [email protected][email protected]@QBEPBDXZ, clock, _aligned_malloc, memcpy, memcmp, memset, iswdigit, strlen, strtol, strtoul, _atoi64, wcstod, _wtoi64, swscanf, atan2, sqrt, _itoa, _ultoa, _i64toa, _ui64toa, vsprintf, isdigit, _itow, _ultow, _i64tow, vswprintf, abs, wcsrchr, strftime, wcsftime, getenv, strcpy, strcmp, iswcntrl, labs, tan, bsearch, atan, qsort, _strnset, wcsstr, [email protected]@YAHPAGIPBGZZ, [email protected]@[email protected], mbstowcs, _fullpath, strncat, _stat, _resetstkoflw, _beginthreadex, _mbsicmp, strcspn, _strcmpi, _callnewh, _except_handler3, [email protected]@YAXXZ, __dllonexit, _onexit, [email protected]@[email protected], _c_exit, _exit, _XcptFilter, _ismbblead, _cexit, _acmdln, _amsg_exit, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __security_error_handler, _controlfp, _strlwr, _wcsupr, _strdup, _CIacos, _CIasin, _CIfmod, fseek, ftell, _splitpath, _makepath, _CIpow, tolower, _snprintf, fgetc, fscanf, toupper, _fstat, rewind, calloc, _iob
> KERNEL32.dll: LoadLibraryA, GetProcAddress, GetLocaleInfoA, InterlockedIncrement, InterlockedDecrement, GetACP, InterlockedExchange, GetThreadLocale, GetVersionExA, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, GetCurrentDirectoryA, GetModuleFileNameA, SetPriorityClass, GetCurrentProcess, CreateProcessA, Sleep, CreateDirectoryA, GetTimeFormatA, FindFirstFileA, FindNextFileA, FindClose, FreeLibrary, FormatMessageA, RaiseException, GetSystemTimeAsFileTime, ExitProcess, GetStartupInfoA, FindNextChangeNotification, WaitForSingleObjectEx, FindCloseChangeNotification, SystemTimeToFileTime, GetSystemTime, LocalAlloc, OutputDebugStringA, LocalFree, GetTickCount, GetModuleHandleA, SetUnhandledExceptionFilter, MulDiv, QueryPerformanceCounter, QueryPerformanceFrequency, InitializeCriticalSection, DeleteCriticalSection, WaitForSingleObject, CreateSemaphoreA, ReleaseSemaphore, CloseHandle, CreateThread, TerminateThread, ExitThread, InterlockedExchangeAdd, SuspendThread, ResumeThread, SetErrorMode, SetFilePointer, GetFileSize, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, VirtualAlloc, VirtualFree, CreateMutexA, CreateEventA, ResetEvent, SetEvent, GetLocalTime, GetLogicalDrives, FileTimeToSystemTime, FileTimeToLocalFileTime, GetFileInformationByHandle, CreateFileW, CreateFileA, DeleteFileW, DeleteFileA, MoveFileW, MoveFileA, GetTempFileNameW, GetTempFileNameA, GetFileAttributesW, GetFileAttributesA, SetFileAttributesW, SetFileAttributesA, GetCurrentDirectoryW, CreateDirectoryW, RemoveDirectoryW, RemoveDirectoryA, FindFirstFileW, FindNextFileW, GetSystemInfo, ReleaseMutex, GetCurrentThread, GetModuleFileNameW, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, SetLastError, GetWindowsDirectoryW, GetSystemDirectoryW, GetDriveTypeA, IsBadWritePtr, GetCommandLineA, SetCurrentDirectoryA, ExpandEnvironmentStringsA, GetTempPathA, GetCurrentProcessId, CreateFileMappingA, MapViewOfFile, UnmapViewOfFile, GetLastError, CompareFileTime, lstrlenW, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, SleepEx, SetThreadPriority, WaitForMultipleObjects, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, FindFirstChangeNotificationA
> USER32.dll: WaitMessage, DialogBoxIndirectParamA, EndDialog, CreateWindowExW, CreateWindowExA, GetClipboardData, SetWindowRgn, InvalidateRgn, LoadCursorA, RegisterClassExW, RegisterClassExA, SetWindowLongA, GetUpdateRect, GetUpdateRgn, ValidateRgn, TrackMouseEvent, EnumClipboardFormats, SetFocus, SetClipboardData, GetWindowLongA, ValidateRect, GetWindowTextLengthW, GetWindowTextW, GetWindowTextLengthA, GetWindowTextA, SetWindowTextW, IsWindowVisible, MapVirtualKeyA, GetCapture, SetCapture, GetClipboardFormatNameA, GetClipboardSequenceNumber, FindWindowA, CloseClipboard, OpenClipboard, DefWindowProcW, DefWindowProcA, PostMessageA, IsIconic, PeekMessageA, MsgWaitForMultipleObjects, TranslateMessage, DispatchMessageA, SystemParametersInfoA, CreateIconIndirect, GetIconInfo, DestroyCursor, CopyIcon, InvertRect, DrawTextExA, DrawIconEx, FillRect, GetDoubleClickTime, InvalidateRect, EndPaint, BeginPaint, GetSystemMetrics, SetDlgItemTextA, SendMessageA, DestroyWindow, DestroyCursor, UpdateWindow, SetWindowTextA, EmptyClipboard, SetForegroundWindow, wsprintfA, MessageBeep, GetForegroundWindow, ReleaseCapture, GetDlgItem, LoadBitmapA, CreateDialogParamA, SendInput, SetKeyboardState, GetKeyboardState, GetKeyState, ShowWindow, ScreenToClient, SetCursorPos, ClientToScreen, GetClientRect, SetCursor, GetCursor, LoadCursorFromFileA, LoadImageA, MessageBoxA, GetWindowRect, GetDesktopWindow, GetWindowInfo, SetWindowPos, LoadIconA, SetClassLongA, GetDC, ReleaseDC, ShowCursor, GetAsyncKeyState, GetCursorPos
> ADVAPI32.dll: RegOpenKeyExA, RegCreateKeyExA, RegSetValueExA, GetUserNameA, RegCloseKey, RegQueryValueExA
> ole32.dll: CoCreateInstance, CoInitialize, CoUninitialize, CoCreateGuid
> SHELL32.dll: DragAcceptFiles, SHGetSpecialFolderPathW, ShellExecuteA, SHGetSpecialFolderPathA
> OLEAUT32.dll: -, -, -, -, -, -, -
> WINMM.dll: timeGetTime, timeBeginPeriod, timeEndPeriod
> d3dx9_33.dll: D3DXGetShaderInputSemantics, D3DXCompileShader, D3DXGetShaderVersion, D3DXCreateCubeTextureFromFileExA, D3DXCompileShaderFromFileA, D3DXGetShaderConstantTable, D3DXGetImageInfoFromFileInMemory, D3DXCreateTextureFromFileInMemory, D3DXCreateCubeTextureFromFileInMemory, D3DXCreateVolumeTextureFromFileExA, D3DXCreateTextureFromFileExA, D3DXCreateEffectFromFileA, D3DXCreateEffectCompilerFromFileA, D3DXAssembleShader, D3DXAssembleShaderFromFileA, D3DXGetPixelShaderProfile, D3DXDebugMute, D3DXMatrixMultiply, D3DXMatrixInverse, D3DXMatrixTranspose, D3DXSaveSurfaceToFileA, D3DXLoadSurfaceFromSurface, D3DXSaveTextureToFileA, D3DXCreateVolumeTextureFromFileInMemory, D3DXGetVertexShaderProfile
> mss32.dll: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
> hapdbg.dll: [email protected]@@YA_NXZ, [email protected]@@[email protected], [email protected]@@YAXAAV_$[email protected]_$[email protected]@[email protected]@V_$[email protected]@[email protected]@[email protected]@@Z, [email protected]@@YAXXZ, [email protected]@@YAXAAV_$[email protected]_$[email protected]@[email protected]@V_$[email protected]@[email protected]@[email protected]@@Z
> DSOUND.dll: -, -, -, -, -

( 1 exports )
initCvPythonExtensions

As for step 4, I hadn't been checking, but apparently I have access to the screensaver and desktop settings again, and my sound is back to normal. Looks like whatever it was was nipped in the bud!

I have to say, thank you. This was one heckuva lifesaver, as this was my last functioning machine and I need some sort of link to the internet! :)



#12
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Just one file I want to check before we wrap this up. It is a valid Microsoft file, but I don't recognise the size of it, indicating that perhaps it has been altered.

Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
C:\WINDOWS\system32\ntoskrnl.exe

Click on the submit button

Please post the results of the scan in your next reply.

If Jotti is busy, try the same at Virustotal

#13
Kyossed

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Sounds good to me. Log follows:

Virustotal Log:

Antivirus Version Last update Result
AhnLab-V3 2008.8.21.0 2008.08.25 -
AntiVir 7.8.1.23 2008.08.24 -
Authentium 5.1.0.4 2008.08.25 -
Avast 4.8.1195.0 2008.08.24 -
AVG 8.0.0.161 2008.08.24 -
BitDefender 7.2 2008.08.25 -
CAT-QuickHeal 9.50 2008.08.22 -
ClamAV 0.93.1 2008.08.25 -
DrWeb 4.44.0.09170 2008.08.24 -
eSafe 7.0.17.0 2008.08.24 -
eTrust-Vet 31.6.6044 2008.08.23 -
Ewido 4.0 2008.08.24 -
F-Prot 4.4.4.56 2008.08.25 -
F-Secure 7.60.13501.0 2008.08.25 -
Fortinet 3.14.0.0 2008.08.25 -
GData 2.0.7306.1023 2008.08.20 -
Ikarus T3.1.1.34.0 2008.08.24 -
K7AntiVirus 7.10.427 2008.08.23 -
Kaspersky 7.0.0.125 2008.08.25 -
McAfee 5368 2008.08.22 -
Microsoft 1.3807 2008.08.25 -
NOD32v2 3383 2008.08.24 -
Norman 5.80.02 2008.08.22 -
Panda 9.0.0.4 2008.08.24 -
PCTools 4.4.2.0 2008.08.24 -
Prevx1 V2 2008.08.25 -
Rising 20.58.62.00 2008.08.24 -
Sophos 4.32.0 2008.08.25 -
Sunbelt 3.1.1575.1 2008.08.23 -
Symantec 10 2008.08.25 -
TheHacker 6.3.0.6.060 2008.08.23 -
TrendMicro 8.700.0.1004 2008.08.25 -
ViRobot 2008.8.22.1346 2008.08.22 -
VirusBuster 4.5.11.0 2008.08.24 -
Webwasher-Gateway 6.6.2 2008.08.25 -

Additional information
File size: 2187904 bytes
MD5...: c3b84871dece94e335b96fafd756316c
SHA1..: da964b943fe4c07424244380b1ba00f0c2aa33cc
SHA256: 13fc5541dd2f6866a0950475e02b46b70394274c7874d90a36b2777a599af554
SHA512: f977d55a255a8c0dee4459300deeac7b0443c500d03eea7eaf3234f26a61c215f2804ab10d1c22f8713565684e592cfcf6ec9d9629dfd159fc15f31c5e0734a7
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5d55f6
timedatestamp.....: 0x433b2f93 (Thu Sep 29 00:04:35 2005)
machinetype.......: 0x14c (I386)

( 21 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x580 0x71951 0x71980 6.62 02922ea4668d31bf473c15b7ea986555
POOLMI 0x71f00 0x12b3 0x1300 6.32 66979a4015760a909c1182affe21f237
MISYSPTE 0x73200 0x700 0x700 6.27 0613a028fd2937f6ac55ee31b37f441e
POOLCODE 0x73900 0x15a0 0x1600 6.41 1fa48e35a695914b5b0f83db5cb6437f
.data 0x74f00 0x16ca0 0x16d00 0.46 f2f6de406c951cf2e1b6cd3083945f40
PAGE 0x8bc00 0xf8dec 0xf8e00 6.65 13d8dc4cf77d1ca3321313baf56422ff
PAGELK 0x184a00 0xe359 0xe380 6.73 e61720b7dd6871c71b2b8cc9289dac38
PAGEVRFY 0x192d80 0xf1cd 0xf200 6.69 c331b2a8271cb2fae09a90c1c677b3f5
PAGEWMI 0x1a1f80 0x17f2 0x1800 6.48 463f0e486da2e40b3e74bf70df4bce91
PAGEKD 0x1a3780 0x4052 0x4080 6.49 de5a631bb40308edd71111a1cac4aada
PAGESPEC 0x1a7800 0xc43 0xc80 6.33 6c4e74618b033d48f637b5c0af845663
PAGEHDLS 0x1a8480 0x1dd8 0x1e00 6.26 68d8087dc7f750c6faac1a6fb1888020
.edata 0x1aa280 0xb50a 0xb580 6.01 ecf0d90a69a2d28fb55f32c3204a6380
PAGEDATA 0x1b5800 0x1558 0x1580 2.72 852844ad922fd7c0e6f28acde1fde69a
PAGEKD 0x1b6d80 0xc021 0xc080 0.00 cbad60ee682dcc5a4588a519499cd3f3
PAGECONS 0x1c2e00 0x18c 0x200 2.22 b19861548e040fe2ff7c50d37753c648
PAGEVRFC 0x1c3000 0x3449 0x3480 5.25 76276063346ba256e182ace6c6c1c464
PAGEVRFD 0x1c6480 0x648 0x680 2.73 9b138317358351e4d96d6f1cbdcc8c79
INIT 0x1c6b00 0x2d7b8 0x2d800 6.52 e79308b42b492471289184abbdd208b3
.rsrc 0x1f4300 0x12508 0x12580 5.49 911244dbe4ea99948a94eccda6317202
.reloc 0x206880 0xf998 0xfa00 6.78 931be2aee34b761333826c654fca9391


( 3 imports )
> BOOTVID.dll: VidInitialize, VidDisplayString, VidSetTextColor, VidSolidColorFill, VidBitBlt, VidBufferToScreenBlt, VidScreenToBufferBlt, VidResetDisplay, VidCleanUp, VidSetScrollRegion
> HAL.dll: HalReportResourceUsage, HalAllProcessorsStarted, HalQueryRealTimeClock, HalAllocateAdapterChannel, KeStallExecutionProcessor, HalTranslateBusAddress, KfReleaseSpinLock, KfAcquireSpinLock, HalGetBusDataByOffset, HalSetBusDataByOffset, KeQueryPerformanceCounter, HalReturnToFirmware, READ_PORT_UCHAR, READ_PORT_USHORT, READ_PORT_ULONG, WRITE_PORT_UCHAR, WRITE_PORT_USHORT, WRITE_PORT_ULONG, HalInitializeProcessor, HalCalibratePerformanceCounter, HalSetRealTimeClock, HalHandleNMI, HalBeginSystemInterrupt, HalEndSystemInterrupt, KeRaiseIrqlToSynchLevel, KeAcquireInStackQueuedSpinLockRaiseToSynch, HalInitSystem, HalDisableSystemInterrupt, HalEnableSystemInterrupt, KeRaiseIrql, KeLowerIrql, HalClearSoftwareInterrupt, KeReleaseSpinLock, KeAcquireSpinLock, ExTryToAcquireFastMutex, KeAcquireSpinLockRaiseToSynch, KeFlushWriteBuffer, HalProcessorIdle, HalReadDmaCounter, IoMapTransfer, IoFreeMapRegisters, IoFreeAdapterChannel, IoFlushAdapterBuffers, HalFreeCommonBuffer, HalAllocateCommonBuffer, HalAllocateCrashDumpRegisters, HalGetAdapter, HalSetTimeIncrement, HalGetEnvironmentVariable, HalSetEnvironmentVariable, KfRaiseIrql, HalGetInterruptVector, KeGetCurrentIrql, HalRequestSoftwareInterrupt, KeAcquireInStackQueuedSpinLock, KeReleaseInStackQueuedSpinLock, ExAcquireFastMutex, ExReleaseFastMutex, KeRaiseIrqlToDpcLevel, HalSystemVectorDispatchEntry, KfLowerIrql, HalStartProfileInterrupt, HalSetProfileInterval, HalStopProfileInterrupt
> KDCOM.dll: KdD0Transition, KdD3Transition, KdRestore, KdReceivePacket, KdDebuggerInitialize0, KdSave, KdDebuggerInitialize1, KdSendPacket

( 1483 exports )
RtlValidSecurityDescriptor, RtlValidSid, RtlVerifyVersionInfo, RtlVolumeDeviceToDosName, RtlWalkFrameChain, RtlWriteRegistryValue, RtlZeroHeap, RtlZeroMemory, RtlxAnsiStringToUnicodeSize, RtlxOemStringToUnicodeSize, RtlxUnicodeStringToAnsiSize, RtlxUnicodeStringToOemSize, SeAccessCheck, SeAppendPrivileges, SeAssignSecurity, SeAssignSecurityEx, SeAuditHardLinkCreation, SeAuditingFileEvents, SeAuditingFileEventsWithContext, SeAuditingFileOrGlobalEvents, SeAuditingHardLinkEvents, SeAuditingHardLinkEventsWithContext, SeCaptureSecurityDescriptor, SeCaptureSubjectContext, SeCloseObjectAuditAlarm, SeCreateAccessState, SeCreateClientSecurity, SeCreateClientSecurityFromSubjectContext, SeDeassignSecurity, SeDeleteAccessState, SeDeleteObjectAuditAlarm, SeExports, SeFilterToken, SeFreePrivileges, SeImpersonateClient, SeImpersonateClientEx, SeLockSubjectContext, SeMarkLogonSessionForTerminationNotification, SeOpenObjectAuditAlarm, SeOpenObjectForDeleteAuditAlarm, SePrivilegeCheck, SePrivilegeObjectAuditAlarm, SePublicDefaultDacl, SeQueryAuthenticationIdToken, SeQueryInformationToken, SeQuerySecurityDescriptorInfo, SeQuerySessionIdToken, SeRegisterLogonSessionTerminatedRoutine, SeReleaseSecurityDescriptor, SeReleaseSubjectContext, SeSetAccessStateGenericMapping, SeSetSecurityDescriptorInfo, SeSetSecurityDescriptorInfoEx, SeSinglePrivilegeCheck, SeSystemDefaultDacl, SeTokenImpersonationLevel, SeTokenIsAdmin, SeTokenIsRestricted, SeTokenIsWriteRestricted, SeTokenObjectType, SeTokenType, SeUnlockSubjectContext, SeUnregisterLogonSessionTerminatedRoutine, SeValidSecurityDescriptor, VerSetConditionMask, VfFailDeviceNode, VfFailDriver, VfFailSystemBIOS, VfIsVerificationEnabled, WRITE_REGISTER_BUFFER_UCHAR, WRITE_REGISTER_BUFFER_ULONG, WRITE_REGISTER_BUFFER_USHORT, WRITE_REGISTER_UCHAR, WRITE_REGISTER_ULONG, WRITE_REGISTER_USHORT, WmiFlushTrace, WmiGetClock, WmiQueryTrace, WmiQueryTraceInformation, WmiStartTrace, WmiStopTrace, WmiTraceMessage, WmiTraceMessageVa, WmiUpdateTrace, 
XIPDispatch, ZwAccessCheckAndAuditAlarm, ZwAddBootEntry, ZwAdjustPrivilegesToken, ZwAlertThread, ZwAllocateVirtualMemory, ZwAssignProcessToJobObject, ZwCancelIoFile, ZwCancelTimer, ZwClearEvent, ZwClose, ZwCloseObjectAuditAlarm, ZwConnectPort, ZwCreateDirectoryObject, ZwCreateEvent, ZwCreateFile, ZwCreateJobObject, ZwCreateKey, ZwCreateSection, ZwCreateSymbolicLinkObject, ZwCreateTimer, ZwDeleteBootEntry, ZwDeleteFile, ZwDeleteKey, ZwDeleteValueKey, ZwDeviceIoControlFile, ZwDisplayString, ZwDuplicateObject, ZwDuplicateToken, ZwEnumerateBootEntries, ZwEnumerateKey, ZwEnumerateValueKey, ZwFlushInstructionCache, ZwFlushKey, ZwFlushVirtualMemory, ZwFreeVirtualMemory, ZwFsControlFile, ZwInitiatePowerAction, ZwIsProcessInJob, ZwLoadDriver, ZwLoadKey, ZwMakeTemporaryObject, ZwMapViewOfSection, ZwNotifyChangeKey, ZwOpenDirectoryObject, ZwOpenEvent, ZwOpenFile, ZwOpenJobObject, ZwOpenKey, ZwOpenProcess, ZwOpenProcessToken, ZwOpenProcessTokenEx, ZwOpenSection, ZwOpenSymbolicLinkObject, ZwOpenThread, ZwOpenThreadToken, ZwOpenThreadTokenEx, ZwOpenTimer, ZwPowerInformation, ZwPulseEvent, ZwQueryBootEntryOrder, ZwQueryBootOptions, ZwQueryDefaultLocale, ZwQueryDefaultUILanguage, ZwQueryDirectoryFile, ZwQueryDirectoryObject, ZwQueryEaFile, ZwQueryFullAttributesFile, ZwQueryInformationFile, ZwQueryInformationJobObject, ZwQueryInformationProcess, ZwQueryInformationThread, ZwQueryInformationToken, ZwQueryInstallUILanguage, ZwQueryKey, ZwQueryObject, ZwQuerySection, ZwQuerySecurityObject, ZwQuerySymbolicLinkObject, ZwQuerySystemInformation, ZwQueryValueKey, ZwQueryVolumeInformationFile, ZwReadFile, ZwReplaceKey, ZwRequestWaitReplyPort, ZwResetEvent, ZwRestoreKey, ZwSaveKey, ZwSaveKeyEx, ZwSetBootEntryOrder, ZwSetBootOptions, ZwSetDefaultLocale, ZwSetDefaultUILanguage, ZwSetEaFile, ZwSetEvent, ZwSetInformationFile, ZwSetInformationJobObject, ZwSetInformationObject, ZwSetInformationProcess, ZwSetInformationThread, ZwSetSecurityObject, ZwSetSystemInformation, ZwSetSystemTime, ZwSetTimer, 
ZwSetValueKey, ZwSetVolumeInformationFile, ZwTerminateJobObject, ZwTerminateProcess, ZwTranslateFilePath, ZwUnloadDriver, ZwUnloadKey, ZwUnmapViewOfSection, ZwWaitForMultipleObjects, ZwWaitForSingleObject, ZwWriteFile, ZwYieldExecution, _CIcos, _CIsin, _CIsqrt, _abnormal_termination, _alldiv, _alldvrm, _allmul, _alloca_probe, _allrem, _allshl, _allshr, _aulldiv, _aulldvrm, _aullrem, _aullshr, _except_handler2, _except_handler3, _global_unwind2, _itoa, _itow, _local_unwind2, _purecall, _snprintf, _snwprintf, _stricmp, _strlwr, _strnicmp, _strnset, _strrev, _strset, _strupr, _vsnprintf, _vsnwprintf, _wcsicmp, _wcslwr, _wcsnicmp, _wcsnset, _wcsrev, _wcsupr, atoi, atol, isdigit, islower, isprint, isspace, isupper, isxdigit, mbstowcs, mbtowc, memchr, memcpy, memmove, memset, qsort, rand, sprintf, srand, strcat, strchr, strcmp, strcpy, strlen, strncat, strncmp, strncpy, strrchr, strspn, strstr, swprintf, tolower, toupper, towlower, towupper, vDbgPrintEx, vDbgPrintExWithPrefix, vsprintf, wcscat, wcschr, wcscmp, wcscpy, wcscspn, wcslen, wcsncat, wcsncmp, wcsncpy, wcsrchr, wcsspn, wcsstr, wcstombs, wctomb


Man. That's a pretty long log, compared to the other ones so far. Hope that helps clear things up!
  • 0

#14
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi Kyossed

Congratulations, your logs are clean and another fix is in the can :)

The file D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe is probably not infected; only 2 antivirus programs out of 35 picked up anything, so it is most likely a false positive. However, hearing where it came from does somewhat raise the chances of an infection. Hence, for choice, I would delete it and empty the recycle bin.

In this post we will clear away the fix tools (this is so that, should you ever be re-infected, you will download updated versions; it will also remove the quarantined malware from your computer), reset your restore points (there will be infections lurking in there), and I will leave you with some ideas on how to enhance the protection of your machine against future infection.

====STEP 1====
Follow these steps to uninstall Combofix and flush and reset your system restore point:
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.

====IDEAS TO SPEED UP YOUR MACHINE====
This page http://users.telenet...owcomputer.html gives some good ideas on how to improve the efficiency of your machine and has one or two useful links to help you further.


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more about how you got infected in the first place, and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.


andrewuk
  • 0

#15
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
