AVZ 4.32 http://z-oleg.com/secur/avz/
File name | PID | Description | Copyright | MD5 | Information
c:\users\Χρήστος\desktop\rapidshare tools\cryptload_1.1.6\cryptload.exe | 3072 | CryptLoad | Copyright © shira - 2007 | ?? | 7576.99 kb, rsAh, created: 28/11/2009 10:53:24 μμ, modified: 25/7/2009 1:30:49 πμ, name contains national symbols. Command line: "C:\Users\Χρήστος\Desktop\Rapidshare Tools\CryptLoad_1.1.6\CryptLoad.exe"
c:\windows\explorer.exe | 1612 | Εξερεύνηση των Windows | © Microsoft Corporation. Με επιφύλαξη κάθε νόμιμου δικαιώματος. | ?? | 2552.00 kb, rsAh, created: 27/11/2009 2:07:25 μμ, modified: 3/8/2009 7:35:50 πμ. Command line: C:\Windows\Explorer.EXE
c:\program files\malwarebytes' anti-malware\mbamservice.exe | 3456 | Malwarebytes' Anti-Malware | © All rights reserved. | ?? | 270.33 kb, rsAh, created: 5/12/2009 2:16:40 πμ, modified: 3/12/2009 4:14:02 μμ. Command line: "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe"
c:\program files\windows media player\wmpnetwk.exe | 1168 | Windows Media Player Network Sharing Service | © Microsoft Corporation. All rights reserved. | ?? | 1095.00 kb, rsAh, created: 2/11/2006 6:06:06 μμ, modified: 2/11/2006 6:06:06 μμ. Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
Detected - 41, recognized as trusted - 38

Module | Base address | Size in memory | Description | Manufacturer
C:\Windows\System32\Drivers\ari0smpp.SYS | 90973000 | 039000 (233472) | |
C:\Windows\system32\DRIVERS\atapi.sys | 8B08F000 | 009000 (36864) | |
C:\Windows\system32\DRIVERS\epfwwfpr.sys | 9FCA0000 | 01A000 (106496) | ESET Personal Firewall driver | Copyright (c) ESET 1992-2009. All rights reserved.
C:\Windows\system32\drivers\mbam.sys | A36D4000 | 004000 (16384) | Malwarebytes' Anti-Malware | © All rights reserved.
C:\Windows\System32\Drivers\spsm.sys | 8369D000 | 0F3000 (995328) | |
Modules found - 182, recognized as trusted - 177

Service | Description | Status | File | Group | Dependencies
MBAMService | MBAMService | Running | C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe | | MBAMProtector
WMPNetworkSvc | Windows Media Player Network Sharing Service | Running | C:\Program Files\Windows Media Player\wmpnetwk.exe | | http
MSSQLServerADHelper | SQL Server Active Directory Helper | Not started | C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe | |
Detected - 155, recognized as trusted - 152

Service | Description | Status | File | Group | Dependencies
atapi | Κανάλι IDE | Running | C:\Windows\system32\DRIVERS\atapi.sys | SCSI Miniport |
epfwwfpr | epfwwfpr | Running | C:\Windows\system32\DRIVERS\epfwwfpr.sys | |
MBAMProtector | MBAMProtector | Running | C:\Windows\system32\drivers\mbam.sys | FSFilter Anti-Virus | FltMgr
sptd | sptd | Running | C:\Windows\System32\Drivers\sptd.sys | Boot Bus Extender |
Point32 | Microsoft IntelliPoint Filter Driver | Not started | C:\Windows\system32\DRIVERS\point32k.sys | Pointer Port |
Detected - 249, recognized as trusted - 244

File name | Status | Startup method | Description
C:\PROGRA~1\MICROS~3\Office12\1032\MAPIR.DLL | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Outlook, EventMessageFile
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Malwarebytes' Anti-Malware
C:\Users\Χρήστος\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk | Active | File in Startup folder | C:\Users\Χρήστος\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Χρήστος\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk,
C:\Users\Χρήστος\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk | Active | File in Startup folder | C:\Users\Χρήστος\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Χρήστος\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk,
C:\Windows\system32\psxss.exe | -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
C:\Windows\system32\sshnas.dll | Active | Registry key | HKEY_USERS, .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run, LosAlamos
C:\Windows\system32\sshnas.dll | Active | Registry key | HKEY_USERS, S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run, LosAlamos
C:\Windows\system32\vorbis.acm | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, msacm.vorbis
C:\Windows\system32\xlive.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\XLive, EventMessageFile
SDEvents.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Spybot - Search & Destroy 2, EventMessageFile
progman.exe | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell
vgafix.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon
vgaoem.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon
vgasys.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon
Autoruns items found - 575, recognized as trusted - 561

File name | Type | Description | Manufacturer | CLSID
Extension module | {2670000A-7350-4f3c-8081-5663EE0C6C49}
Extension module | {92780B25-18CC-41C8-B9BE-3C9C571A8263}
Extension module | {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}
Items found - 7, recognized as trusted - 4

File name | Destination | Description | Manufacturer | CLSID
Groove GFS Browser Helper | {72853161-30C5-4D22-B7F9-0BBC1D38A37E}
Items found - 28, recognized as trusted - 27

File name | Type | Name | Description | Manufacturer
Items found - 9, recognized as trusted - 9
File name | Job name | Job state | Description | Manufacturer
C:\Windows\TEMP\b.exe | {35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job | The task is ready to run at its next scheduled time. | |
C:\Windows\TEMP\c.exe | {66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job | The task is ready to run at its next scheduled time. | |
Items found - 2, recognized as trusted - 0

Manufacturer | Status | EXE file | Description | GUID
Detected - 7, recognized as trusted - 7
Manufacturer | EXE file | Description
Detected - 20, recognized as trusted - 20
File name | Description | Manufacturer | CLSID | Source URL
Items found - 4, recognized as trusted - 4
File name | Description | Manufacturer
Items found - 23, recognized as trusted - 23
File name | Description | Manufacturer | CLSID
Items found - 9, recognized as trusted - 9
Hosts file record

File name | Type | Description | Manufacturer | CLSID
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Items found - 20, recognized as trusted - 17

File | Description | Type
C:\Documents and Settings\Χρήστος\Desktop\Rapidshare Tools\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4\ocr\megaupload.com\FineReader\result.exe | Suspicion by File scanner | Suspicion for Trojan.Win32.VB.izh ( 00449025 001B74A5 000ECA48 00000000 16384)
C:\Documents and Settings\Χρήστος\Desktop\Rapidshare Tools\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4\ocr\netload.in\FineReader\result.exe | Suspicion by File scanner | Suspicion for Trojan.Win32.VB.izh ( 00449025 001B74A5 000ECA48 00000000 16384)
C:\Program Files\BRS\UserLayout.exe | Suspicion by File scanner | Suspicion for AdvWare.Win32.Zango.aj ( 00862849 08CD5FC5 0024484A 001F8DA6 1638400)
C:\Users\Χρήστος\Desktop\Rapidshare Tools\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4\ocr\megaupload.com\FineReader\result.exe | Suspicion by File scanner | Suspicion for Trojan.Win32.VB.izh ( 00449025 001B74A5 000ECA48 00000000 16384)
C:\Users\Χρήστος\Desktop\Rapidshare Tools\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4\ocr\netload.in\FineReader\result.exe | Suspicion by File scanner | Suspicion for Trojan.Win32.VB.izh ( 00449025 001B74A5 000ECA48 00000000 16384)
E:\My programmes\Backcolors\Project1.exe | Suspicion by File scanner | Suspicion for IM-Worm.Win32.VB.ao ( 0045BA24 00131D11 000BB7EB 0011EF64 20480)
E:\My programmes\calculator\Calculator Version 1.1.exe | Suspicion by File scanner | Suspicion for Trojan.Win32.Agent.aouc ( 004876B2 0029FAE2 0016ACC0 000440E0 40960)
E:\My programmes\calculator\Calculator Version 1.1.rar | Suspicion by File scanner | Suspicion for Trojan.Win32.Agent.aouc ( 004876B2 0029FAE2 0016ACC0 000440E0 40960)
E:\My programmes\calculator\Claculator Version 1.00.exe | Suspicion by File scanner | Suspicion for Trojan.Win32.Agent.aouc ( 00479C8F 0029FAE2 0017DC66 000440E0 40960)
E:\My programmes\My First Code\Project1.exe | Suspicion by File scanner | Suspicion for IM-Worm.Win32.VB.ao ( 00426395 00131D11 0011D6BB 00000000 20480)
E:\My programmes\Text Programme\Project1.exe | Suspicion by File scanner | Suspicion for IM-Worm.Win32.VB.ao ( 0040D8C2 00131D11 000A0E9C 00000000 20480)
E:\Playstation Portable\psp downloads\Work\PSPMillionaire_1[1].10.rar | Suspicion by File scanner | Suspicion for Trojan.Win32.Rebooter.b ( 004849A7 0057C422 00132372 00080885 40960)
E:\Playstation Portable\psp-devhook 0.41d-backup\PSP\GAME\PSPMillionaire 1\Custom\PSP Millioniaire Question Adder.exe | Suspicion by File scanner | Suspicion for Trojan.Win32.Rebooter.b ( 004849A7 0057C422 00132372 00080885 40960)
E:\Τα εγγραφά μου\Παιχνίδια\san andreas\Downloads\Tools\carspawner.zip | Suspicion by File scanner | Suspicion for Trojan-Downloader.Win32.VB.eu ( 0044CCC8 001B74A5 000AF5E6 0021CA6C 32768)
E:\Τα εγγραφά μου\Παιχνίδια\san andreas\Downloads\Tools\GTA-SA.CarSpawn-Trainer v1.1.exe | Suspicion by File scanner | Suspicion for Trojan-Downloader.Win32.VB.eu ( 0044CCC8 001B74A5 000AF5E6 0021CA6C 32768)
F:\Program Files\Game Trainer Studio\! Extra\Pacman\Trainer.exe | Suspicion by File scanner | Suspicion for Trojan-Downloader.Win32.Agent.aqs ( 09B1C8EC 062FE7FA 0001ACB4 00000000 6656)
F:\Program Files\Game Trainer Studio\Output\Mafia.exe | Suspicion by File scanner | Suspicion for Trojan-Downloader.Win32.Agent.aqs ( 09B1C8EC 062FE7FA 0001ACB4 00000000 6656)
F:\PSP-20-3-09 Backup\PSP\GAME150\PSPMillionaire 1\Custom\PSP Millioniaire Question Adder.exe | Suspicion by File scanner | Suspicion for Trojan.Win32.Rebooter.b ( 004849A7 0057C422 00132372 00080885 40960)

AVZ Antiviral Toolkit log; AVZ version is 4.32
Scanning started at 18/12/2009 8:46:15 ??
Database loaded: signatures - 254478, NN profile(s) - 2, malware removal microprograms - 56, signature database released 17.12.2009 18:18
Heuristic microprograms loaded: 374
PVS microprograms loaded: 9
Digital signatures of system files loaded: 161328
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: enabled
Windows version is: 6.1.7600, ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
netapi32.dll:NetGroupEnum (159) intercepted, method - ProcAddressHijack.GetProcAddress ->74134B5C->74107409 Function netapi32.dll:NetGroupGetInfo (160) intercepted, method - ProcAddressHijack.GetProcAddress ->74134B70->741078C8 Function netapi32.dll:NetGroupGetUsers (161) intercepted, method - ProcAddressHijack.GetProcAddress ->74134B87->74107952 Function netapi32.dll:NetGroupSetInfo (162) intercepted, method - ProcAddressHijack.GetProcAddress ->74134B9F->74107C02 Function netapi32.dll:NetGroupSetUsers (163) intercepted, method - ProcAddressHijack.GetProcAddress ->74134BB6->74107DAE Function netapi32.dll:NetIsServiceAccount (164) intercepted, method - ProcAddressHijack.GetProcAddress ->74134BCE->752772D9 Function netapi32.dll:NetJoinDomain (165) intercepted, method - ProcAddressHijack.GetProcAddress ->74134BEB->741154B9 Function netapi32.dll:NetLocalGroupAdd (166) intercepted, method - ProcAddressHijack.GetProcAddress ->74134C00->7410875A Function netapi32.dll:NetLocalGroupAddMember (167) intercepted, method - ProcAddressHijack.GetProcAddress ->74134C18->74108886 Function netapi32.dll:NetLocalGroupAddMembers (168) intercepted, method - ProcAddressHijack.GetProcAddress ->74134C36->74108E99 Function netapi32.dll:NetLocalGroupDel (169) intercepted, method - ProcAddressHijack.GetProcAddress ->74134C55->741088A4 Function netapi32.dll:NetLocalGroupDelMember (170) intercepted, method - ProcAddressHijack.GetProcAddress ->74134C6D->74108928 Function netapi32.dll:NetLocalGroupDelMembers (171) intercepted, method - ProcAddressHijack.GetProcAddress ->74134C8B->74108EBD Function netapi32.dll:NetLocalGroupEnum (172) intercepted, method - ProcAddressHijack.GetProcAddress ->74134CAA->74108946 Function netapi32.dll:NetLocalGroupGetInfo (173) intercepted, method - ProcAddressHijack.GetProcAddress ->74134CC3->74108CE4 Function netapi32.dll:NetLocalGroupGetMembers (174) intercepted, method - ProcAddressHijack.GetProcAddress ->74134CDF->74102265 Function 
netapi32.dll:NetLocalGroupSetInfo (175) intercepted, method - ProcAddressHijack.GetProcAddress ->74134CFE->74108D57 Function netapi32.dll:NetLocalGroupSetMembers (176) intercepted, method - ProcAddressHijack.GetProcAddress ->74134D1A->74108E75 Function netapi32.dll:NetLogonGetTimeServiceParentDomain (177) intercepted, method - ProcAddressHijack.GetProcAddress ->74134D39->75276CE9 Function netapi32.dll:NetLogonSetServiceBits (178) intercepted, method - ProcAddressHijack.GetProcAddress ->74134D65->7526603C Function netapi32.dll:NetProvisionComputerAccount (184) intercepted, method - ProcAddressHijack.GetProcAddress ->74134D85->754FF2D3 Function netapi32.dll:NetQueryDisplayInformation (185) intercepted, method - ProcAddressHijack.GetProcAddress ->74134DA9->74103D87 Function netapi32.dll:NetQueryServiceAccount (186) intercepted, method - ProcAddressHijack.GetProcAddress ->74134DCB->75277249 Function netapi32.dll:NetRemoteComputerSupports (188) intercepted, method - ProcAddressHijack.GetProcAddress ->74134DEB->74122160 Function netapi32.dll:NetRemoteTOD (189) intercepted, method - ProcAddressHijack.GetProcAddress ->74134E0E->755B6C11 Function netapi32.dll:NetRemoveAlternateComputerName (190) intercepted, method - ProcAddressHijack.GetProcAddress ->74134E22->74115C29 Function netapi32.dll:NetRemoveServiceAccount (191) intercepted, method - ProcAddressHijack.GetProcAddress ->74134E48->75277129 Function netapi32.dll:NetRenameMachineInDomain (192) intercepted, method - ProcAddressHijack.GetProcAddress ->74134E69->74115751 Function netapi32.dll:NetRequestOfflineDomainJoin (208) intercepted, method - ProcAddressHijack.GetProcAddress ->74134E89->754FB52F Function netapi32.dll:NetScheduleJobAdd (209) intercepted, method - ProcAddressHijack.GetProcAddress ->74134EAD->6DC319D1 Function netapi32.dll:NetScheduleJobDel (210) intercepted, method - ProcAddressHijack.GetProcAddress ->74134EC8->6DC31AC9 Function netapi32.dll:NetScheduleJobEnum (211) intercepted, method - 
ProcAddressHijack.GetProcAddress ->74134EE3->6DC31BC1 Function netapi32.dll:NetScheduleJobGetInfo (212) intercepted, method - ProcAddressHijack.GetProcAddress ->74134EFF->6DC31CE1 Function netapi32.dll:NetServerAliasAdd (213) intercepted, method - ProcAddressHijack.GetProcAddress ->74134F1E->755B7843 Function netapi32.dll:NetServerAliasDel (214) intercepted, method - ProcAddressHijack.GetProcAddress ->74134F37->755B7A79 Function netapi32.dll:NetServerAliasEnum (215) intercepted, method - ProcAddressHijack.GetProcAddress ->74134F50->755B7931 Function netapi32.dll:NetServerComputerNameAdd (216) intercepted, method - ProcAddressHijack.GetProcAddress ->74134F6A->755B7411 Function netapi32.dll:NetServerComputerNameDel (217) intercepted, method - ProcAddressHijack.GetProcAddress ->74134F8A->755B76FB Function netapi32.dll:NetServerDiskEnum (218) intercepted, method - ProcAddressHijack.GetProcAddress ->74134FAA->755B6559 Function netapi32.dll:NetServerEnum (219) intercepted, method - ProcAddressHijack.GetProcAddress ->74134FC3->74072F61 Function netapi32.dll:NetServerEnumEx (220) intercepted, method - ProcAddressHijack.GetProcAddress ->74134FD9->74072C5F Function netapi32.dll:NetServerGetInfo (221) intercepted, method - ProcAddressHijack.GetProcAddress ->74134FF1->755B3CFA Function netapi32.dll:NetServerSetInfo (222) intercepted, method - ProcAddressHijack.GetProcAddress ->74135009->755B6681 Function netapi32.dll:NetServerTransportAdd (223) intercepted, method - ProcAddressHijack.GetProcAddress ->74135021->755B6851 Function netapi32.dll:NetServerTransportAddEx (224) intercepted, method - ProcAddressHijack.GetProcAddress ->7413503E->755B7329 Function netapi32.dll:NetServerTransportDel (225) intercepted, method - ProcAddressHijack.GetProcAddress ->7413505D->755B6A01 Function netapi32.dll:NetServerTransportEnum (226) intercepted, method - ProcAddressHijack.GetProcAddress ->7413507A->755B6AD9 Function netapi32.dll:NetSessionDel (231) intercepted, method - 
ProcAddressHijack.GetProcAddress ->74135098->755B5941 Function netapi32.dll:NetSessionEnum (232) intercepted, method - ProcAddressHijack.GetProcAddress ->741350AD->755B5A11 Function netapi32.dll:NetSessionGetInfo (233) intercepted, method - ProcAddressHijack.GetProcAddress ->741350C3->755B5B41 Function netapi32.dll:NetSetPrimaryComputerName (234) intercepted, method - ProcAddressHijack.GetProcAddress ->741350DC->74115D31 Function netapi32.dll:NetShareAdd (235) intercepted, method - ProcAddressHijack.GetProcAddress ->741350FD->755B5C81 Function netapi32.dll:NetShareCheck (236) intercepted, method - ProcAddressHijack.GetProcAddress ->74135110->755B5E91 Function netapi32.dll:NetShareDel (237) intercepted, method - ProcAddressHijack.GetProcAddress ->74135125->755B5F81 Function netapi32.dll:NetShareDelEx (238) intercepted, method - ProcAddressHijack.GetProcAddress ->74135138->755B7B61 Function netapi32.dll:NetShareDelSticky (239) intercepted, method - ProcAddressHijack.GetProcAddress ->7413514D->755B60D1 Function netapi32.dll:NetShareEnum (240) intercepted, method - ProcAddressHijack.GetProcAddress ->74135166->755B3F91 Function netapi32.dll:NetShareEnumSticky (241) intercepted, method - ProcAddressHijack.GetProcAddress ->7413517A->755B61C9 Function netapi32.dll:NetShareGetInfo (242) intercepted, method - ProcAddressHijack.GetProcAddress ->74135194->755B433F Function netapi32.dll:NetShareSetInfo (243) intercepted, method - ProcAddressHijack.GetProcAddress ->741351AB->755B6341 Function netapi32.dll:NetUnjoinDomain (245) intercepted, method - ProcAddressHijack.GetProcAddress ->741351C2->74115641 Function netapi32.dll:NetUseAdd (247) intercepted, method - ProcAddressHijack.GetProcAddress ->741351D9->74113693 Function netapi32.dll:NetUseDel (248) intercepted, method - ProcAddressHijack.GetProcAddress ->741351EA->74115FA9 Function netapi32.dll:NetUseEnum (249) intercepted, method - ProcAddressHijack.GetProcAddress ->741351FB->74113184 Function netapi32.dll:NetUseGetInfo (250) 
intercepted, method - ProcAddressHijack.GetProcAddress ->7413520D->74116039 Function netapi32.dll:NetUserAdd (251) intercepted, method - ProcAddressHijack.GetProcAddress ->74135222->7410464F Function netapi32.dll:NetUserChangePassword (252) intercepted, method - ProcAddressHijack.GetProcAddress ->74135234->74105A06 Function netapi32.dll:NetUserDel (253) intercepted, method - ProcAddressHijack.GetProcAddress ->74135251->74104826 Function netapi32.dll:NetUserEnum (254) intercepted, method - ProcAddressHijack.GetProcAddress ->74135263->741049D6 Function netapi32.dll:NetUserGetGroups (255) intercepted, method - ProcAddressHijack.GetProcAddress ->74135276->74104E01 Function netapi32.dll:NetUserGetInfo (256) intercepted, method - ProcAddressHijack.GetProcAddress ->7413528E->74101C60 Function netapi32.dll:NetUserGetLocalGroups (257) intercepted, method - ProcAddressHijack.GetProcAddress ->741352A4->74102875 Function netapi32.dll:NetUserModalsGet (258) intercepted, method - ProcAddressHijack.GetProcAddress ->741352C1->7410206B Function netapi32.dll:NetUserModalsSet (259) intercepted, method - ProcAddressHijack.GetProcAddress ->741352D9->741054AA Function netapi32.dll:NetUserSetGroups (260) intercepted, method - ProcAddressHijack.GetProcAddress ->741352F1->74105095 Function netapi32.dll:NetUserSetInfo (261) intercepted, method - ProcAddressHijack.GetProcAddress ->74135309->74104D1D Function netapi32.dll:NetValidateName (262) intercepted, method - ProcAddressHijack.GetProcAddress ->7413531F->74115859 Function netapi32.dll:NetValidatePasswordPolicy (263) intercepted, method - ProcAddressHijack.GetProcAddress ->74135336->74109967 Function netapi32.dll:NetValidatePasswordPolicyFree (264) intercepted, method - ProcAddressHijack.GetProcAddress ->74135357->74109B6B Function netapi32.dll:NetWkstaTransportAdd (267) intercepted, method - ProcAddressHijack.GetProcAddress ->7413537C->74114E45 Function netapi32.dll:NetWkstaTransportDel (268) intercepted, method - 
ProcAddressHijack.GetProcAddress ->74135398->74114F21 Function netapi32.dll:NetWkstaTransportEnum (269) intercepted, method - ProcAddressHijack.GetProcAddress ->741353B4->74114CF9 Function netapi32.dll:NetWkstaUserEnum (270) intercepted, method - ProcAddressHijack.GetProcAddress ->741353D1->74114AD1 Function netapi32.dll:NetWkstaUserGetInfo (271) intercepted, method - ProcAddressHijack.GetProcAddress ->741353E9->74113280 Function netapi32.dll:NetWkstaUserSetInfo (272) intercepted, method - ProcAddressHijack.GetProcAddress ->74135404->74114C15 Function netapi32.dll:NetapipBufferAllocate (273) intercepted, method - ProcAddressHijack.GetProcAddress ->7413541F->741237AA Function netapi32.dll:NetpIsRemote (289) intercepted, method - ProcAddressHijack.GetProcAddress ->7413543E->7412382D Function netapi32.dll:NetpwNameCanonicalize (296) intercepted, method - ProcAddressHijack.GetProcAddress ->74135454->74121C30 Function netapi32.dll:NetpwNameCompare (297) intercepted, method - ProcAddressHijack.GetProcAddress ->74135473->74121F2E Function netapi32.dll:NetpwNameValidate (298) intercepted, method - ProcAddressHijack.GetProcAddress ->7413548D->74121990 Function netapi32.dll:NetpwPathCanonicalize (299) intercepted, method - ProcAddressHijack.GetProcAddress ->741354A8->7412275D Function netapi32.dll:NetpwPathCompare (300) intercepted, method - ProcAddressHijack.GetProcAddress ->741354C7->74124086 Function netapi32.dll:NetpwPathType (301) intercepted, method - ProcAddressHijack.GetProcAddress ->741354E1->74122533 Function netapi32.dll:NlBindingAddServerToCache (302) intercepted, method - ProcAddressHijack.GetProcAddress ->741354F8->752661F8 Function netapi32.dll:NlBindingRemoveServerFromCache (303) intercepted, method - ProcAddressHijack.GetProcAddress ->7413551B->75265D67 Function netapi32.dll:NlBindingSetAuthInfo (304) intercepted, method - ProcAddressHijack.GetProcAddress ->74135543->75266198 1.2 Searching for kernel-mode API hooks Driver loaded successfully SDT found 
(RVA=1689C0) Kernel ntkrnlpa.exe found in memory at address 82A00000 SDT = 82B689C0 KiST = 82A6F6F0 (401) Functions checked: 401, intercepted: 0, restored: 0 1.3 Checking IDT and SYSENTER Analyzing CPU 1 Analyzing CPU 2 CmpCallCallBacks = 00000000 Checking IDT and SYSENTER - complete 1.4 Searching for masking processes and drivers Checking not performed: extended monitoring driver (AVZPM) is not installed Driver loaded successfully 1.5 Checking IRP handlers \FileSystem\ntfs[IRP_MJ_CREATE] = 855811F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_CLOSE] = 855811F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_WRITE] = 855811F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 855811F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 855811F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_EA] = 855811F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_EA] = 855811F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 855811F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 855811F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 855811F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 855811F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 855811F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 855811F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 855811F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 855811F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_PNP] = 855811F8 -> hook not defined Checking - complete 2. Scanning RAM Number of processes found: 43 Number of modules loaded: 537 Scanning RAM - complete 3. 
Scanning disks Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Documents 
and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Documents and Settings\All Users\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct 
reading: C:\Documents and Settings\All Users\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Documents and Settings\All Users\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Documents and Settings\All Users\Microsoft\RAC\Temp\sql362F.tmp C:\Documents and Settings\???????\Desktop\Rapidshare Tools\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4\ocr\megaupload.com\FineReader\result.exe >>> suspicion for Trojan.Win32.VB.izh ( 00449025 001B74A5 000ECA48 00000000 16384) C:\Documents and Settings\???????\Desktop\Rapidshare Tools\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4\ocr\netload.in\FineReader\result.exe >>> suspicion for Trojan.Win32.VB.izh ( 00449025 001B74A5 000ECA48 00000000 16384) C:\Program Files\BRS\UserLayout.exe >>> suspicion for AdvWare.Win32.Zango.aj ( 00862849 08CD5FC5 0024484A 001F8DA6 1638400) Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application 
Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application 
Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\ProgramData\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\ProgramData\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\ProgramData\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\ProgramData\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\ProgramData\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Users\All Users\Application Data\Application 
Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application 
Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Users\All Users\Application Data\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Users\All Users\Application Data\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Users\All Users\Application Data\Microsoft\RAC\Temp\sql362F.tmp Direct reading: C:\Users\All Users\Microsoft\RAC\Temp\sql3301.tmp Direct reading: C:\Users\All Users\Microsoft\RAC\Temp\sql362F.tmp C:\Users\???????\Desktop\Rapidshare Tools\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4\ocr\megaupload.com\FineReader\result.exe >>> suspicion for Trojan.Win32.VB.izh ( 00449025 001B74A5 000ECA48 00000000 16384) File quarantined succesfully (C:\Users\???????\Desktop\Rapidshare Tools\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4\ocr\megaupload.com\FineReader\result.exe) C:\Users\???????\Desktop\Rapidshare 
Tools\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4\ocr\netload.in\FineReader\result.exe >>> suspicion for Trojan.Win32.VB.izh ( 00449025 001B74A5 000ECA48 00000000 16384)
File quarantined succesfully (C:\Users\???????\Desktop\Rapidshare Tools\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4-ELL\CryptLoad_1.0.4\ocr\netload.in\FineReader\result.exe)
Direct reading: C:\Users\???????\Local Settings\Application Data\Application Data\Application Data\Temp\fla341C.tmp
Direct reading: C:\Windows\System32\drivers\sptd.sys
Direct reading: C:\Windows\Temp\HTT5B9A.tmp
Direct reading: C:\Windows\Temp\HTTD542.tmp
E:\My programmes\Backcolors\Project1.exe >>> suspicion for IM-Worm.Win32.VB.ao ( 0045BA24 00131D11 000BB7EB 0011EF64 20480)
File quarantined succesfully (E:\My programmes\Backcolors\Project1.exe)
E:\My programmes\calculator\Calculator Version 1.1.exe >>> suspicion for Trojan.Win32.Agent.aouc ( 004876B2 0029FAE2 0016ACC0 000440E0 40960)
File quarantined succesfully (E:\My programmes\calculator\Calculator Version 1.1.exe)
E:\My programmes\calculator\Calculator Version 1.1.rar/{RAR}/Calculator Version 1.1.exe >>> suspicion for Trojan.Win32.Agent.aouc ( 004876B2 0029FAE2 0016ACC0 000440E0 40960)
File quarantined succesfully (E:\My programmes\calculator\Calculator Version 1.1.rar)
E:\My programmes\calculator\Claculator Version 1.00.exe >>> suspicion for Trojan.Win32.Agent.aouc ( 00479C8F 0029FAE2 0017DC66 000440E0 40960)
File quarantined succesfully (E:\My programmes\calculator\Claculator Version 1.00.exe)
E:\My programmes\My First Code\Project1.exe >>> suspicion for IM-Worm.Win32.VB.ao ( 00426395 00131D11 0011D6BB 00000000 20480)
File quarantined succesfully (E:\My programmes\My First Code\Project1.exe)
E:\My programmes\Text Programme\Project1.exe >>> suspicion for IM-Worm.Win32.VB.ao ( 0040D8C2 00131D11 000A0E9C 00000000 20480)
File quarantined succesfully (E:\My programmes\Text Programme\Project1.exe)
E:\Playstation Portable\psp downloads\Work\PSPMillionaire_1[1].10.rar/{RAR}/PSPMillionaire\Custom\PSP Millioniaire Question Adder.exe >>> suspicion for Trojan.Win32.Rebooter.b ( 004849A7 0057C422 00132372 00080885 40960)
File quarantined succesfully (E:\Playstation Portable\psp downloads\Work\PSPMillionaire_1[1].10.rar)
E:\Playstation Portable\psp-devhook 0.41d-backup\PSP\GAME\PSPMillionaire 1\Custom\PSP Millioniaire Question Adder.exe >>> suspicion for Trojan.Win32.Rebooter.b ( 004849A7 0057C422 00132372 00080885 40960)
File quarantined succesfully (E:\Playstation Portable\psp-devhook 0.41d-backup\PSP\GAME\PSPMillionaire 1\Custom\PSP Millioniaire Question Adder.exe)
Direct reading: E:\?? ??????? ???\I??????? ??????????\tanoulitsa1992@hotmail.com\?????????? 2009.html
E:\?? ??????? ???\?????????\san andreas\Downloads\Tools\carspawner.zip/{ZIP}/GTA-SA.CarSpawn-Trainer v1.1.exe >>> suspicion for Trojan-Downloader.Win32.VB.eu ( 0044CCC8 001B74A5 000AF5E6 0021CA6C 32768)
File quarantined succesfully (E:\?? ??????? ???\?????????\san andreas\Downloads\Tools\carspawner.zip)
E:\?? ??????? ???\?????????\san andreas\Downloads\Tools\GTA-SA.CarSpawn-Trainer v1.1.exe >>> suspicion for Trojan-Downloader.Win32.VB.eu ( 0044CCC8 001B74A5 000AF5E6 0021CA6C 32768)
File quarantined succesfully (E:\?? ??????? ???\?????????\san andreas\Downloads\Tools\GTA-SA.CarSpawn-Trainer v1.1.exe)
F:\Program Files\Game Trainer Studio\! Extra\Pacman\Trainer.exe >>> suspicion for Trojan-Downloader.Win32.Agent.aqs ( 09B1C8EC 062FE7FA 0001ACB4 00000000 6656)
File quarantined succesfully (F:\Program Files\Game Trainer Studio\! Extra\Pacman\Trainer.exe)
F:\Program Files\Game Trainer Studio\Output\Mafia.exe >>> suspicion for Trojan-Downloader.Win32.Agent.aqs ( 09B1C8EC 062FE7FA 0001ACB4 00000000 6656)
File quarantined succesfully (F:\Program Files\Game Trainer Studio\Output\Mafia.exe)
F:\PSP-20-3-09 Backup\PSP\GAME150\PSPMillionaire 1\Custom\PSP Millioniaire Question Adder.exe >>> suspicion for Trojan.Win32.Rebooter.b ( 004849A7 0057C422 00132372 00080885 40960)
File quarantined succesfully (F:\PSP-20-3-09 Backup\PSP\GAME150\PSPMillionaire 1\Custom\PSP Millioniaire Question Adder.exe)
Direct reading: G:\4c973afbcf8db016533f088cef\update\update.exe
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
Checking - disabled by user
6. Searching for opened TCP/UDP ports used by malicious software
Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> Process termination timeout is out of admissible values
>> Service termination timeout is out of admissible values
>> Timeout of "Not Responding" verdict for processes is out of admissible values
>> HDD autorun is allowed
>> Network drives autorun is allowed
>> Removable media autorun is allowed
>> Start -> Run menu item is blocked
Checking - complete
Files scanned: 905483, extracted from archives: 214868, malicious software found 0, suspicions - 18
Scanning finished at 18/12/2009 10:33:05 ??
Time of scanning: 01:46:51
If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference
Creating archive of files from Quarantine
Creating archive of files from Quarantine - complete
System Analysis in progress