Results of system analysis

AVZ 4.32 http://z-oleg.com/secur/avz/

Process List

File name | PID | Description | Copyright | MD5 | Information
c:\program files\malwarebytes' anti-malware\mbamservice.exe | 4012 | Malwarebytes' Anti-Malware | © All rights reserved. | ?? | 270.33 kb, rsAh,
  created: 5/12/2009 2:16:40 πμ,
  modified: 3/12/2009 4:14:02 μμ
  Command line: "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe"
c:\program files\windows media player\wmpnetwk.exe | 3088 | Windows Media Player Network Sharing Service | © Microsoft Corporation. All rights reserved. | ?? | 1095.00 kb, rsAh,
  created: 2/11/2006 6:06:06 μμ,
  modified: 2/11/2006 6:06:06 μμ
  Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
Detected - 40, recognized as trusted - 38

Module name | Handle | Description | Copyright | MD5 | Used by processes
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe | 4194304 | Malwarebytes' Anti-Malware | © All rights reserved. | ?? | 4012
C:\Program Files\Windows Media Player\wmpnetwk.exe | 5832704 | Windows Media Player Network Sharing Service | © Microsoft Corporation. All rights reserved. | ?? | 3088
Modules found - 515, recognized as trusted - 513

Kernel Space Modules Viewer

Module | Base address | Size in memory | Description | Manufacturer
C:\Windows\System32\Drivers\ajhbup5l.SYS | 90B60000 | 00039000 (233472)
C:\Windows\system32\DRIVERS\atapi.sys | 8B289000 | 00009000 (36864)
C:\Windows\system32\DRIVERS\epfwwfpr.sys | 9DC86000 | 0001A000 (106496) | ESET Personal Firewall driver | Copyright (c) ESET 1992-2009. All rights reserved.
C:\Windows\system32\drivers\mbam.sys | A26B7000 | 00004000 (16384) | Malwarebytes' Anti-Malware | © All rights reserved.
C:\Windows\System32\Drivers\spjq.sys | 8B02A000 | 000F3000 (995328)
Modules found - 177, recognized as trusted - 172

Services

Service | Description | Status | File | Group | Dependencies
MBAMService | MBAMService | Running | C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe | | MBAMProtector
WMPNetworkSvc | Windows Media Player Network Sharing Service | Running | C:\Program Files\Windows Media Player\wmpnetwk.exe | | http
MSSQLServerADHelper | SQL Server Active Directory Helper | Not started | C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe
Detected - 155, recognized as trusted - 152

Drivers

Service | Description | Status | File | Group | Dependencies
atapi | Κανάλι IDE | Running | C:\Windows\system32\DRIVERS\atapi.sys | SCSI Miniport
epfwwfpr | epfwwfpr | Running | C:\Windows\system32\DRIVERS\epfwwfpr.sys
MBAMProtector | MBAMProtector | Running | C:\Windows\system32\drivers\mbam.sys | FSFilter Anti-Virus | FltMgr
sptd | sptd | Running | C:\Windows\System32\Drivers\sptd.sys | Boot Bus Extender
Point32 | Microsoft IntelliPoint Filter Driver | Not started | C:\Windows\system32\DRIVERS\point32k.sys | Pointer Port
Detected - 249, recognized as trusted - 244

Autoruns

File name | Status | Startup method | Description
C:\PROGRA~1\MICROS~3\Office12\1032\MAPIR.DLL | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Outlook, EventMessageFile
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Malwarebytes' Anti-Malware
C:\Users\Χρήστος\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk | Active | File in Startup folder | C:\Users\Χρήστος\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Χρήστος\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk,
C:\Users\Χρήστος\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk | Active | File in Startup folder | C:\Users\Χρήστος\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Χρήστος\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk,
C:\Windows\system32\psxss.exe | -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
C:\Windows\system32\sshnas.dll | Active | Registry key | HKEY_USERS, .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run, LosAlamos
C:\Windows\system32\sshnas.dll | Active | Registry key | HKEY_USERS, S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run, LosAlamos
C:\Windows\system32\vorbis.acm | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, msacm.vorbis
C:\Windows\system32\xlive.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\XLive, EventMessageFile
SDEvents.dll | Active | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Spybot - Search & Destroy 2, EventMessageFile
progman.exe | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell
vgafix.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon
vgaoem.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon
vgasys.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon
Autoruns items found - 575, recognized as trusted - 561

Internet Explorer extension modules (BHOs, Toolbars ...)

File name | Type | Description | Manufacturer | CLSID
Extension module | {2670000A-7350-4f3c-8081-5663EE0C6C49}
Extension module | {92780B25-18CC-41C8-B9BE-3C9C571A8263}
Extension module | {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}
Items found - 7, recognized as trusted - 4

Windows Explorer extension modules

File name | Destination | Description | Manufacturer | CLSID
Groove GFS Browser Helper | {72853161-30C5-4D22-B7F9-0BBC1D38A37E}
Items found - 28, recognized as trusted - 27

Printing system extensions (print monitors, providers)

File name | Type | Name | Description | Manufacturer
Items found - 9, recognized as trusted - 9

Task Scheduler jobs

File name | Job name | Job state | Description | Manufacturer
C:\Windows\TEMP\b.exe | {35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job | The task is currently running.
C:\Windows\TEMP\c.exe | {66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job | The task is ready to run at its next scheduled time.
Items found - 2, recognized as trusted - 0

SPI/LSP settings

Namespace providers (NSP)
Manufacturer | Status | EXE file | Description | GUID
Detected - 7, recognized as trusted - 7
Transport protocol providers (TSP, LSP)
Manufacturer | EXE file | Description
Detected - 20, recognized as trusted - 20
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port | Status | Remote Host | Remote Port | Application | Notes
TCP ports
135 | LISTENING | 0.0.0.0 | 0 | [772] c:\windows\system32\svchost.exe
139 | LISTENING | 0.0.0.0 | 0 | [4] System
445 | LISTENING | 0.0.0.0 | 0 | [4] System
554 | LISTENING | 0.0.0.0 | 0 | [3088] c:\program files\windows media player\wmpnetwk.exe
2869 | LISTENING | 0.0.0.0 | 0 | [4] System
5354 | LISTENING | 0.0.0.0 | 0 | [1748] c:\program files\bonjour\mdnsresponder.exe
5357 | LISTENING | 0.0.0.0 | 0 | [4] System
10243 | LISTENING | 0.0.0.0 | 0 | [4] System
49152 | LISTENING | 0.0.0.0 | 0 | [448] c:\windows\system32\wininit.exe
49153 | LISTENING | 0.0.0.0 | 0 | [864] c:\windows\system32\svchost.exe
49154 | LISTENING | 0.0.0.0 | 0 | [948] c:\windows\system32\svchost.exe
49155 | LISTENING | 0.0.0.0 | 0 | [552] c:\windows\system32\lsass.exe
49156 | LISTENING | 0.0.0.0 | 0 | [544] c:\windows\system32\services.exe
49174 | ESTABLISHED | 127.0.0.1 | 49175 | [3368] c:\program files\mozilla firefox\firefox.exe
49175 | ESTABLISHED | 127.0.0.1 | 49174 | [3368] c:\program files\mozilla firefox\firefox.exe
49176 | ESTABLISHED | 127.0.0.1 | 49177 | [3368] c:\program files\mozilla firefox\firefox.exe
49177 | ESTABLISHED | 127.0.0.1 | 49176 | [3368] c:\program files\mozilla firefox\firefox.exe
49180 | ESTABLISHED | 74.125.43.113 | 80 | [3368] c:\program files\mozilla firefox\firefox.exe
49184 | TIME_WAIT | 213.186.58.26 | 80 | [0]
49194 | TIME_WAIT | 208.43.44.138 | 80 | [0]
49195 | TIME_WAIT | 208.43.44.138 | 80 | [0]
49196 | ESTABLISHED | 74.125.39.167 | 80 | [3368] c:\program files\mozilla firefox\firefox.exe
49197 | TIME_WAIT | 208.43.44.138 | 80 | [0]
49198 | TIME_WAIT | 208.43.44.138 | 80 | [0]
49199 | TIME_WAIT | 208.43.44.138 | 80 | [0]
49200 | TIME_WAIT | 208.43.44.138 | 80 | [0]
49201 | ESTABLISHED | 74.125.43.113 | 80 | [3368] c:\program files\mozilla firefox\firefox.exe
49202 | ESTABLISHED | 74.125.43.113 | 80 | [3368] c:\program files\mozilla firefox\firefox.exe
49204 | TIME_WAIT | 67.228.244.248 | 80 | [0]
49207 | TIME_WAIT | 208.43.44.138 | 80 | [0]
UDP ports
137 | LISTENING | -- | -- | [4] System
138 | LISTENING | -- | -- | [4] System
500 | LISTENING | -- | -- | [948] c:\windows\system32\svchost.exe
1434 | LISTENING | -- | -- | [964] c:\program files\microsoft sql server\90\shared\sqlbrowser.exe
1900 | LISTENING | -- | -- | [1904] c:\windows\system32\svchost.exe
1900 | LISTENING | -- | -- | [1904] c:\windows\system32\svchost.exe
3702 | LISTENING | -- | -- | [1108] c:\windows\system32\svchost.exe
3702 | LISTENING | -- | -- | [1904] c:\windows\system32\svchost.exe
3702 | LISTENING | -- | -- | [1108] c:\windows\system32\svchost.exe
3702 | LISTENING | -- | -- | [1904] c:\windows\system32\svchost.exe
4500 | LISTENING | -- | -- | [948] c:\windows\system32\svchost.exe
5004 | LISTENING | -- | -- | [3088] c:\program files\windows media player\wmpnetwk.exe
5005 | LISTENING | -- | -- | [3088] c:\program files\windows media player\wmpnetwk.exe
5353 | LISTENING | -- | -- | [1748] c:\program files\bonjour\mdnsresponder.exe
5355 | LISTENING | -- | -- | [1244] c:\windows\system32\svchost.exe
56922 | LISTENING | -- | -- | [1904] c:\windows\system32\svchost.exe
56923 | LISTENING | -- | -- | [1904] c:\windows\system32\svchost.exe
57633 | LISTENING | -- | -- | [1748] c:\program files\bonjour\mdnsresponder.exe
57635 | LISTENING | -- | -- | [1904] c:\windows\system32\svchost.exe
58122 | LISTENING | -- | -- | [3368] c:\program files\mozilla firefox\firefox.exe
61764 | LISTENING | -- | -- | [664] c:\windows\system32\svchost.exe
63933 | LISTENING | -- | -- | [1108] c:\windows\system32\svchost.exe

Downloaded Program Files (DPF)

File name | Description | Manufacturer | CLSID | Source URL
Items found - 4, recognized as trusted - 4

Control Panel Applets (CPL)

File name | Description | Manufacturer
Items found - 23, recognized as trusted - 23

Active Setup

File name | Description | Manufacturer | CLSID
Items found - 9, recognized as trusted - 9

HOSTS file

Hosts file record

Protocols and handlers

File name | Type | Description | Manufacturer | CLSID
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Items found - 20, recognized as trusted - 17

Suspicious objects

File | Description | Type


AVZ Antiviral Toolkit log; AVZ version is 4.32
Scanning started at 18/12/2009 10:49:46 ??
Database loaded: signatures - 254478, NN profile(s) - 2, malware removal microprograms - 56, signature database released 17.12.2009 18:18
Heuristic microprograms loaded: 374
PVS microprograms loaded: 9
Digital signatures of system files loaded: 161328
Heuristic analyzer mode: Maximum heuristics mode
Malware removal mode: disabled
Windows version is: 6.1.7600,  ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
Function advapi32.dll:AddMandatoryAce (1029) intercepted, method - ProcAddressHijack.GetProcAddress ->760524B5->75AD193A
Function advapi32.dll:I_QueryTagInformation (1361) intercepted, method - ProcAddressHijack.GetProcAddress ->76052655->775772D8
Function advapi32.dll:I_ScIsSecurityProcess (1362) intercepted, method - ProcAddressHijack.GetProcAddress ->7605268C->7757733F
Function advapi32.dll:I_ScPnPGetServiceName (1363) intercepted, method - ProcAddressHijack.GetProcAddress ->760526C3->77577C40
Function advapi32.dll:I_ScQueryServiceConfig (1364) intercepted, method - ProcAddressHijack.GetProcAddress ->760526FA->77575F8A
Function advapi32.dll:I_ScSendPnPMessage (1365) intercepted, method - ProcAddressHijack.GetProcAddress ->76052732->77575E7D
Function advapi32.dll:I_ScSendTSMessage (1366) intercepted, method - ProcAddressHijack.GetProcAddress ->76052766->775771C5
Function advapi32.dll:I_ScValidatePnPService (1369) intercepted, method - ProcAddressHijack.GetProcAddress ->76052799->77576B9D
Function advapi32.dll:IsValidRelativeSecurityDescriptor (1389) intercepted, method - ProcAddressHijack.GetProcAddress ->760527D1->75AC977E
Function advapi32.dll:PerfCreateInstance (1515) intercepted, method - ProcAddressHijack.GetProcAddress ->76052858->74F92187
Function advapi32.dll:PerfDecrementULongCounterValue (1516) intercepted, method - ProcAddressHijack.GetProcAddress ->76052871->74F92A1D
Function advapi32.dll:PerfDecrementULongLongCounterValue (1517) intercepted, method - ProcAddressHijack.GetProcAddress ->76052896->74F92B3C
Function advapi32.dll:PerfDeleteInstance (1519) intercepted, method - ProcAddressHijack.GetProcAddress ->760528BF->74F92259
Function advapi32.dll:PerfIncrementULongCounterValue (1522) intercepted, method - ProcAddressHijack.GetProcAddress ->760528D8->74F927B9
Function advapi32.dll:PerfIncrementULongLongCounterValue (1523) intercepted, method - ProcAddressHijack.GetProcAddress ->760528FD->74F928D6
Function advapi32.dll:PerfQueryInstance (1528) intercepted, method - ProcAddressHijack.GetProcAddress ->76052926->74F92373
Function advapi32.dll:PerfSetCounterRefValue (1529) intercepted, method - ProcAddressHijack.GetProcAddress ->7605293E->74F92447
Function advapi32.dll:PerfSetCounterSetInfo (1530) intercepted, method - ProcAddressHijack.GetProcAddress ->7605295B->74F920B0
Function advapi32.dll:PerfSetULongCounterValue (1531) intercepted, method - ProcAddressHijack.GetProcAddress ->76052977->74F92565
Function advapi32.dll:PerfSetULongLongCounterValue (1532) intercepted, method - ProcAddressHijack.GetProcAddress ->76052996->74F92680
Function advapi32.dll:PerfStartProvider (1533) intercepted, method - ProcAddressHijack.GetProcAddress ->760529B9->74F91FED
Function advapi32.dll:PerfStartProviderEx (1534) intercepted, method - ProcAddressHijack.GetProcAddress ->760529D1->74F91F34
Function advapi32.dll:PerfStopProvider (1535) intercepted, method - ProcAddressHijack.GetProcAddress ->760529EB->74F92026
Function advapi32.dll:SystemFunction035 (1753) intercepted, method - ProcAddressHijack.GetProcAddress ->76052A3C->75403EA8
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
Function netapi32.dll:DavAddConnection (1) intercepted, method - ProcAddressHijack.GetProcAddress ->74123B10->6BF729DD
Function netapi32.dll:DavDeleteConnection (2) intercepted, method - ProcAddressHijack.GetProcAddress ->74123B29->6BF7181B
Function netapi32.dll:DavFlushFile (3) intercepted, method - ProcAddressHijack.GetProcAddress ->74123B45->6BF71713
Function netapi32.dll:DavGetExtendedError (4) intercepted, method - ProcAddressHijack.GetProcAddress ->74123B5A->6BF72347
Function netapi32.dll:DavGetHTTPFromUNCPath (5) intercepted, method - ProcAddressHijack.GetProcAddress ->74123B76->6BF7275B
Function netapi32.dll:DavGetUNCFromHTTPPath (6) intercepted, method - ProcAddressHijack.GetProcAddress ->74123B94->6BF7257D
Function netapi32.dll:DsAddressToSiteNamesA (7) intercepted, method - ProcAddressHijack.GetProcAddress ->74123BB2->75264A4D
Function netapi32.dll:DsAddressToSiteNamesExA (8) intercepted, method - ProcAddressHijack.GetProcAddress ->74123BD1->75264D79
Function netapi32.dll:DsAddressToSiteNamesExW (9) intercepted, method - ProcAddressHijack.GetProcAddress ->74123BF2->75265049
Function netapi32.dll:DsAddressToSiteNamesW (10) intercepted, method - ProcAddressHijack.GetProcAddress ->74123C13->75264C29
Function netapi32.dll:DsDeregisterDnsHostRecordsA (11) intercepted, method - ProcAddressHijack.GetProcAddress ->74123C32->75266DD9
Function netapi32.dll:DsDeregisterDnsHostRecordsW (12) intercepted, method - ProcAddressHijack.GetProcAddress ->74123C57->75266D59
Function netapi32.dll:DsEnumerateDomainTrustsA (13) intercepted, method - ProcAddressHijack.GetProcAddress ->74123C7C->75266771
Function netapi32.dll:DsEnumerateDomainTrustsW (14) intercepted, method - ProcAddressHijack.GetProcAddress ->74123C9E->752560BC
Function netapi32.dll:DsGetDcCloseW (15) intercepted, method - ProcAddressHijack.GetProcAddress ->74123CC0->7526495D
Function netapi32.dll:DsGetDcNameA (16) intercepted, method - ProcAddressHijack.GetProcAddress ->74123CD7->75265BB2
Function netapi32.dll:DsGetDcNameW (17) intercepted, method - ProcAddressHijack.GetProcAddress ->74123CED->75254CA8
Function netapi32.dll:DsGetDcNameWithAccountA (18) intercepted, method - ProcAddressHijack.GetProcAddress ->74123D03->752655E9
Function netapi32.dll:DsGetDcNameWithAccountW (19) intercepted, method - ProcAddressHijack.GetProcAddress ->74123D24->75254CD1
Function netapi32.dll:DsGetDcNextA (20) intercepted, method - ProcAddressHijack.GetProcAddress ->74123D45->75264896
Function netapi32.dll:DsGetDcNextW (21) intercepted, method - ProcAddressHijack.GetProcAddress ->74123D5B->752647ED
Function netapi32.dll:DsGetDcOpenA (22) intercepted, method - ProcAddressHijack.GetProcAddress ->74123D71->7526473D
Function netapi32.dll:DsGetDcOpenW (23) intercepted, method - ProcAddressHijack.GetProcAddress ->74123D87->752646AB
Function netapi32.dll:DsGetDcSiteCoverageA (24) intercepted, method - ProcAddressHijack.GetProcAddress ->74123D9D->75265239
Function netapi32.dll:DsGetDcSiteCoverageW (25) intercepted, method - ProcAddressHijack.GetProcAddress ->74123DBB->75265409
Function netapi32.dll:DsGetForestTrustInformationW (26) intercepted, method - ProcAddressHijack.GetProcAddress ->74123DD9->75266E6F
Function netapi32.dll:DsGetSiteNameA (27) intercepted, method - ProcAddressHijack.GetProcAddress ->74123DFF->75265B39
Function netapi32.dll:DsGetSiteNameW (28) intercepted, method - ProcAddressHijack.GetProcAddress ->74123E17->75255F24
Function netapi32.dll:DsMergeForestTrustInformationW (29) intercepted, method - ProcAddressHijack.GetProcAddress ->74123E2F->75266F71
Function netapi32.dll:DsRoleAbortDownlevelServerUpgrade (30) intercepted, method - ProcAddressHijack.GetProcAddress ->74123E57->73C14339
Function netapi32.dll:DsRoleCancel (31) intercepted, method - ProcAddressHijack.GetProcAddress ->74123E80->73C134A9
Function netapi32.dll:DsRoleDcAsDc (32) intercepted, method - ProcAddressHijack.GetProcAddress ->74123E94->73C13EAD
Function netapi32.dll:DsRoleDcAsReplica (33) intercepted, method - ProcAddressHijack.GetProcAddress ->74123EA8->73C13F99
Function netapi32.dll:DsRoleDemoteDc (34) intercepted, method - ProcAddressHijack.GetProcAddress ->74123EC1->73C14189
Function netapi32.dll:DsRoleDnsNameToFlatName (35) intercepted, method - ProcAddressHijack.GetProcAddress ->74123ED7->73C132B5
Function netapi32.dll:DsRoleFreeMemory (36) intercepted, method - ProcAddressHijack.GetProcAddress ->74123EF6->73C119A9
Function netapi32.dll:DsRoleGetDatabaseFacts (37) intercepted, method - ProcAddressHijack.GetProcAddress ->74123F0E->73C13651
Function netapi32.dll:DsRoleGetDcOperationProgress (38) intercepted, method - ProcAddressHijack.GetProcAddress ->74123F2C->73C13351
Function netapi32.dll:DsRoleGetDcOperationResults (39) intercepted, method - ProcAddressHijack.GetProcAddress ->74123F50->73C13401
Function netapi32.dll:DsRoleGetPrimaryDomainInformation (40) intercepted, method - ProcAddressHijack.GetProcAddress ->74123F73->73C11F3D
Function netapi32.dll:DsRoleIfmHandleFree (41) intercepted, method - ProcAddressHijack.GetProcAddress ->74123F9C->73C13539
Function netapi32.dll:DsRoleServerSaveStateForUpgrade (42) intercepted, method - ProcAddressHijack.GetProcAddress ->74123FB7->73C135C9
Function netapi32.dll:DsRoleUpgradeDownlevelServer (43) intercepted, method - ProcAddressHijack.GetProcAddress ->74123FDE->73C14261
Function netapi32.dll:DsValidateSubnetNameA (44) intercepted, method - ProcAddressHijack.GetProcAddress ->74124002->75265AF9
Function netapi32.dll:DsValidateSubnetNameW (45) intercepted, method - ProcAddressHijack.GetProcAddress ->74124021->752649E1
Function netapi32.dll:I_BrowserDebugCall (46) intercepted, method - ProcAddressHijack.GetProcAddress ->74124040->6EF324A9
Function netapi32.dll:I_BrowserDebugTrace (47) intercepted, method - ProcAddressHijack.GetProcAddress ->7412405B->6EF32581
Function netapi32.dll:I_BrowserQueryEmulatedDomains (48) intercepted, method - ProcAddressHijack.GetProcAddress ->74124077->6EF329F9
Function netapi32.dll:I_BrowserQueryOtherDomains (49) intercepted, method - ProcAddressHijack.GetProcAddress ->7412409D->6EF322C1
Function netapi32.dll:I_BrowserQueryStatistics (50) intercepted, method - ProcAddressHijack.GetProcAddress ->741240C0->6EF32651
Function netapi32.dll:I_BrowserResetNetlogonState (51) intercepted, method - ProcAddressHijack.GetProcAddress ->741240E1->6EF323D1
Function netapi32.dll:I_BrowserResetStatistics (52) intercepted, method - ProcAddressHijack.GetProcAddress ->74124105->6EF32729
Function netapi32.dll:I_BrowserServerEnum (53) intercepted, method - ProcAddressHijack.GetProcAddress ->74124126->6EF320BF
Function netapi32.dll:I_BrowserSetNetlogonState (54) intercepted, method - ProcAddressHijack.GetProcAddress ->74124142->6EF32919
Function netapi32.dll:I_DsUpdateReadOnlyServerDnsRecords (55) intercepted, method - ProcAddressHijack.GetProcAddress ->74124164->75265569
Function netapi32.dll:I_NetAccountDeltas (56) intercepted, method - ProcAddressHijack.GetProcAddress ->74124190->752663AB
Function netapi32.dll:I_NetAccountSync (57) intercepted, method - ProcAddressHijack.GetProcAddress ->741241AC->752663AB
Function netapi32.dll:I_NetChainSetClientAttributes (59) intercepted, method - ProcAddressHijack.GetProcAddress ->741241C6->75266FA6
Function netapi32.dll:I_NetChainSetClientAttributes2 (58) intercepted, method - ProcAddressHijack.GetProcAddress ->741241ED->75267029
Function netapi32.dll:I_NetDatabaseDeltas (60) intercepted, method - ProcAddressHijack.GetProcAddress ->74124215->75266391
Function netapi32.dll:I_NetDatabaseRedo (61) intercepted, method - ProcAddressHijack.GetProcAddress ->74124232->75266521
Function netapi32.dll:I_NetDatabaseSync (63) intercepted, method - ProcAddressHijack.GetProcAddress ->7412424D->75266391
Function netapi32.dll:I_NetDatabaseSync2 (62) intercepted, method - ProcAddressHijack.GetProcAddress ->74124268->7526639E
Function netapi32.dll:I_NetDfsGetVersion (64) intercepted, method - ProcAddressHijack.GetProcAddress ->74124284->755F7CA1
Function netapi32.dll:I_NetDfsIsThisADomainName (65) intercepted, method - ProcAddressHijack.GetProcAddress ->7412429E->6E214E39
Function netapi32.dll:I_NetGetDCList (66) intercepted, method - ProcAddressHijack.GetProcAddress ->741242BF->75265D9C
Function netapi32.dll:I_NetGetForestTrustInformation (67) intercepted, method - ProcAddressHijack.GetProcAddress ->741242D7->75266EF1
Function netapi32.dll:I_NetLogonControl (69) intercepted, method - ProcAddressHijack.GetProcAddress ->741242FF->752663B8
Function netapi32.dll:I_NetLogonControl2 (68) intercepted, method - ProcAddressHijack.GetProcAddress ->7412431A->75266439
Function netapi32.dll:I_NetLogonGetDomainInfo (70) intercepted, method - ProcAddressHijack.GetProcAddress ->74124336->752564A4
Function netapi32.dll:I_NetLogonSamLogoff (71) intercepted, method - ProcAddressHijack.GetProcAddress ->74124357->75266091
Function netapi32.dll:I_NetLogonSamLogon (72) intercepted, method - ProcAddressHijack.GetProcAddress ->74124374->75265F39
Function netapi32.dll:I_NetLogonSamLogonEx (73) intercepted, method - ProcAddressHijack.GetProcAddress ->74124390->75265FE1
Function netapi32.dll:I_NetLogonSamLogonWithFlags (74) intercepted, method - ProcAddressHijack.GetProcAddress ->741243AE->7525B22A
Function netapi32.dll:I_NetLogonSendToSam (75) intercepted, method - ProcAddressHijack.GetProcAddress ->741243D3->75266111
Function netapi32.dll:I_NetLogonUasLogoff (76) intercepted, method - ProcAddressHijack.GetProcAddress ->741243F0->75265EC9
Function netapi32.dll:I_NetLogonUasLogon (77) intercepted, method - ProcAddressHijack.GetProcAddress ->7412440D->75265E53
Function netapi32.dll:I_NetServerAuthenticate (80) intercepted, method - ProcAddressHijack.GetProcAddress ->74124429->75266191
Function netapi32.dll:I_NetServerAuthenticate2 (78) intercepted, method - ProcAddressHijack.GetProcAddress ->7412444A->75266211
Function netapi32.dll:I_NetServerAuthenticate3 (79) intercepted, method - ProcAddressHijack.GetProcAddress ->7412446C->75256393
Function netapi32.dll:I_NetServerGetTrustInfo (81) intercepted, method - ProcAddressHijack.GetProcAddress ->7412448E->75266C61
Function netapi32.dll:I_NetServerPasswordGet (82) intercepted, method - ProcAddressHijack.GetProcAddress ->741244AF->75266B61
Function netapi32.dll:I_NetServerPasswordSet (84) intercepted, method - ProcAddressHijack.GetProcAddress ->741244CF->75266291
Function netapi32.dll:I_NetServerPasswordSet2 (83) intercepted, method - ProcAddressHijack.GetProcAddress ->741244EF->75266311
Function netapi32.dll:I_NetServerReqChallenge (85) intercepted, method - ProcAddressHijack.GetProcAddress ->74124510->75256424
Function netapi32.dll:I_NetServerSetServiceBits (86) intercepted, method - ProcAddressHijack.GetProcAddress ->74124531->755F426D
Function netapi32.dll:I_NetServerSetServiceBitsEx (87) intercepted, method - ProcAddressHijack.GetProcAddress ->74124552->755F6D11
Function netapi32.dll:I_NetServerTrustPasswordsGet (88) intercepted, method - ProcAddressHijack.GetProcAddress ->74124575->75266BE1
Function netapi32.dll:I_NetlogonComputeClientDigest (89) intercepted, method - ProcAddressHijack.GetProcAddress ->7412459B->75255C20
Function netapi32.dll:I_NetlogonComputeServerDigest (90) intercepted, method - ProcAddressHijack.GetProcAddress ->741245C2->75266AEC
Function netapi32.dll:NetAddAlternateComputerName (97) intercepted, method - ProcAddressHijack.GetProcAddress ->741245E9->74105B21
Function netapi32.dll:NetAddServiceAccount (98) intercepted, method - ProcAddressHijack.GetProcAddress ->7412460C->752670B1
Function netapi32.dll:NetApiBufferAllocate (101) intercepted, method - ProcAddressHijack.GetProcAddress ->7412462A->74111415
Function netapi32.dll:NetApiBufferFree (102) intercepted, method - ProcAddressHijack.GetProcAddress ->74124648->741113D2
Function netapi32.dll:NetApiBufferReallocate (103) intercepted, method - ProcAddressHijack.GetProcAddress ->74124662->74113729
Function netapi32.dll:NetApiBufferSize (104) intercepted, method - ProcAddressHijack.GetProcAddress ->74124682->74113771
Function netapi32.dll:NetBrowserStatisticsGet (108) intercepted, method - ProcAddressHijack.GetProcAddress ->7412469C->6EF32801
Function netapi32.dll:NetConnectionEnum (112) intercepted, method - ProcAddressHijack.GetProcAddress ->741246BC->755F5521
Function netapi32.dll:NetDfsAdd (113) intercepted, method - ProcAddressHijack.GetProcAddress ->741246D5->6E2178FD
Function netapi32.dll:NetDfsAddFtRoot (114) intercepted, method - ProcAddressHijack.GetProcAddress ->741246E6->6E216859
Function netapi32.dll:NetDfsAddRootTarget (115) intercepted, method - ProcAddressHijack.GetProcAddress ->741246FD->6E217401
Function netapi32.dll:NetDfsAddStdRoot (116) intercepted, method - ProcAddressHijack.GetProcAddress ->74124718->6E212B1E
Function netapi32.dll:NetDfsAddStdRootForced (117) intercepted, method - ProcAddressHijack.GetProcAddress ->74124730->6E212BB1
Function netapi32.dll:NetDfsEnum (118) intercepted, method - ProcAddressHijack.GetProcAddress ->7412474E->6E2170F9
Function netapi32.dll:NetDfsGetClientInfo (119) intercepted, method - ProcAddressHijack.GetProcAddress ->74124760->6E213F25
Function netapi32.dll:NetDfsGetDcAddress (120) intercepted, method - ProcAddressHijack.GetProcAddress ->7412477B->6E212C51
Function netapi32.dll:NetDfsGetFtContainerSecurity (121) intercepted, method - ProcAddressHijack.GetProcAddress ->74124795->6E215363
Function netapi32.dll:NetDfsGetInfo (122) intercepted, method - ProcAddressHijack.GetProcAddress ->741247B9->6E212D69
Function netapi32.dll:NetDfsGetSecurity (123) intercepted, method - ProcAddressHijack.GetProcAddress ->741247CE->6E217741
Function netapi32.dll:NetDfsGetStdContainerSecurity (124) intercepted, method - ProcAddressHijack.GetProcAddress ->741247E7->6E213AD5
Function netapi32.dll:NetDfsGetSupportedNamespaceVersion (125) intercepted, method - ProcAddressHijack.GetProcAddress ->7412480C->6E215C19
Function netapi32.dll:NetDfsManagerGetConfigInfo (126) intercepted, method - ProcAddressHijack.GetProcAddress ->74124836->6E212E9C
Function netapi32.dll:NetDfsManagerInitialize (127) intercepted, method - ProcAddressHijack.GetProcAddress ->74124858->6E212F91
Function netapi32.dll:NetDfsManagerSendSiteInfo (128) intercepted, method - ProcAddressHijack.GetProcAddress ->74124877->6E2172C5
Function netapi32.dll:NetDfsMove (129) intercepted, method - ProcAddressHijack.GetProcAddress ->74124898->6E215651
Function netapi32.dll:NetDfsRemove (130) intercepted, method - ProcAddressHijack.GetProcAddress ->741248AA->6E217A19
Function netapi32.dll:NetDfsRemoveFtRoot (131) intercepted, method - ProcAddressHijack.GetProcAddress ->741248BE->6E216A99
Function netapi32.dll:NetDfsRemoveFtRootForced (132) intercepted, method - ProcAddressHijack.GetProcAddress ->741248D8->6E216BE5
Function netapi32.dll:NetDfsRemoveRootTarget (133) intercepted, method - ProcAddressHijack.GetProcAddress ->741248F8->6E215879
Function netapi32.dll:NetDfsRemoveStdRoot (134) intercepted, method - ProcAddressHijack.GetProcAddress ->74124916->6E212CE1
Function netapi32.dll:NetDfsRename (135) intercepted, method - ProcAddressHijack.GetProcAddress ->74124931->6E212E91
Function netapi32.dll:NetDfsSetClientInfo (136) intercepted, method - ProcAddressHijack.GetProcAddress ->74124945->6E214301
Function netapi32.dll:NetDfsSetFtContainerSecurity (137) intercepted, method - ProcAddressHijack.GetProcAddress ->74124960->6E2153AF
Function netapi32.dll:NetDfsSetInfo (138) intercepted, method - ProcAddressHijack.GetProcAddress ->74124984->6E216D8B
Function netapi32.dll:NetDfsSetSecurity (139) intercepted, method - ProcAddressHijack.GetProcAddress ->74124999->6E217822
Function netapi32.dll:NetDfsSetStdContainerSecurity (140) intercepted, method - ProcAddressHijack.GetProcAddress ->741249B2->6E213B24
Function netapi32.dll:NetEnumerateComputerNames (141) intercepted, method - ProcAddressHijack.GetProcAddress ->741249D7->74105E39
Function netapi32.dll:NetEnumerateServiceAccounts (142) intercepted, method - ProcAddressHijack.GetProcAddress ->741249F8->75267199
Function netapi32.dll:NetEnumerateTrustedDomains (143) intercepted, method - ProcAddressHijack.GetProcAddress ->74124A1D->7526652E
Function netapi32.dll:NetFileClose (147) intercepted, method - ProcAddressHijack.GetProcAddress ->74124A41->755F5659
Function netapi32.dll:NetFileEnum (148) intercepted, method - ProcAddressHijack.GetProcAddress ->74124A55->755F5729
Function netapi32.dll:NetFileGetInfo (149) intercepted, method - ProcAddressHijack.GetProcAddress ->74124A68->755F5859
Function netapi32.dll:NetGetAnyDCName (150) intercepted, method - ProcAddressHijack.GetProcAddress ->74124A7E->7526496D
Function netapi32.dll:NetGetDCName (151) intercepted, method - ProcAddressHijack.GetProcAddress ->74124A97->75265913
Function netapi32.dll:NetGetDisplayInformationIndex (152) intercepted, method - ProcAddressHijack.GetProcAddress ->74124AAD->740F4117
Function netapi32.dll:NetGetJoinInformation (153) intercepted, method - ProcAddressHijack.GetProcAddress ->74124AD2->74102DC7
Function netapi32.dll:NetGetJoinableOUs (154) intercepted, method - ProcAddressHijack.GetProcAddress ->74124AEF->741059D1
Function netapi32.dll:NetGroupAdd (155) intercepted, method - ProcAddressHijack.GetProcAddress ->74124B08->740F71C3
Function netapi32.dll:NetGroupAddUser (156) intercepted, method - ProcAddressHijack.GetProcAddress ->74124B1B->740F73AD
Function netapi32.dll:NetGroupDel (157) intercepted, method - ProcAddressHijack.GetProcAddress ->74124B32->740F73CB
Function netapi32.dll:NetGroupDelUser (158) intercepted, method - ProcAddressHijack.GetProcAddress ->74124B45->740F73EB
Function netapi32.dll:NetGroupEnum (159) intercepted, method - ProcAddressHijack.GetProcAddress ->74124B5C->740F7409
Function netapi32.dll:NetGroupGetInfo (160) intercepted, method - ProcAddressHijack.GetProcAddress ->74124B70->740F78C8
Function netapi32.dll:NetGroupGetUsers (161) intercepted, method - ProcAddressHijack.GetProcAddress ->74124B87->740F7952
Function netapi32.dll:NetGroupSetInfo (162) intercepted, method - ProcAddressHijack.GetProcAddress ->74124B9F->740F7C02
Function netapi32.dll:NetGroupSetUsers (163) intercepted, method - ProcAddressHijack.GetProcAddress ->74124BB6->740F7DAE
Function netapi32.dll:NetIsServiceAccount (164) intercepted, method - ProcAddressHijack.GetProcAddress ->74124BCE->752672D9
Function netapi32.dll:NetJoinDomain (165) intercepted, method - ProcAddressHijack.GetProcAddress ->74124BEB->741054B9
Function netapi32.dll:NetLocalGroupAdd (166) intercepted, method - ProcAddressHijack.GetProcAddress ->74124C00->740F875A
Function netapi32.dll:NetLocalGroupAddMember (167) intercepted, method - ProcAddressHijack.GetProcAddress ->74124C18->740F8886
Function netapi32.dll:NetLocalGroupAddMembers (168) intercepted, method - ProcAddressHijack.GetProcAddress ->74124C36->740F8E99
Function netapi32.dll:NetLocalGroupDel (169) intercepted, method - ProcAddressHijack.GetProcAddress ->74124C55->740F88A4
Function netapi32.dll:NetLocalGroupDelMember (170) intercepted, method - ProcAddressHijack.GetProcAddress ->74124C6D->740F8928
Function netapi32.dll:NetLocalGroupDelMembers (171) intercepted, method - ProcAddressHijack.GetProcAddress ->74124C8B->740F8EBD
Function netapi32.dll:NetLocalGroupEnum (172) intercepted, method - ProcAddressHijack.GetProcAddress ->74124CAA->740F8946
Function netapi32.dll:NetLocalGroupGetInfo (173) intercepted, method - ProcAddressHijack.GetProcAddress ->74124CC3->740F8CE4
Function netapi32.dll:NetLocalGroupGetMembers (174) intercepted, method - ProcAddressHijack.GetProcAddress ->74124CDF->740F2265
Function netapi32.dll:NetLocalGroupSetInfo (175) intercepted, method - ProcAddressHijack.GetProcAddress ->74124CFE->740F8D57
Function netapi32.dll:NetLocalGroupSetMembers (176) intercepted, method - ProcAddressHijack.GetProcAddress ->74124D1A->740F8E75
Function netapi32.dll:NetLogonGetTimeServiceParentDomain (177) intercepted, method - ProcAddressHijack.GetProcAddress ->74124D39->75266CE9
Function netapi32.dll:NetLogonSetServiceBits (178) intercepted, method - ProcAddressHijack.GetProcAddress ->74124D65->7525603C
Function netapi32.dll:NetProvisionComputerAccount (184) intercepted, method - ProcAddressHijack.GetProcAddress ->74124D85->754EF2D3
Function netapi32.dll:NetQueryDisplayInformation (185) intercepted, method - ProcAddressHijack.GetProcAddress ->74124DA9->740F3D87
Function netapi32.dll:NetQueryServiceAccount (186) intercepted, method - ProcAddressHijack.GetProcAddress ->74124DCB->75267249
Function netapi32.dll:NetRemoteComputerSupports (188) intercepted, method - ProcAddressHijack.GetProcAddress ->74124DEB->74112160
Function netapi32.dll:NetRemoteTOD (189) intercepted, method - ProcAddressHijack.GetProcAddress ->74124E0E->755F6C11
Function netapi32.dll:NetRemoveAlternateComputerName (190) intercepted, method - ProcAddressHijack.GetProcAddress ->74124E22->74105C29
Function netapi32.dll:NetRemoveServiceAccount (191) intercepted, method - ProcAddressHijack.GetProcAddress ->74124E48->75267129
Function netapi32.dll:NetRenameMachineInDomain (192) intercepted, method - ProcAddressHijack.GetProcAddress ->74124E69->74105751
Function netapi32.dll:NetRequestOfflineDomainJoin (208) intercepted, method - ProcAddressHijack.GetProcAddress ->74124E89->754EB52F
Function netapi32.dll:NetScheduleJobAdd (209) intercepted, method - ProcAddressHijack.GetProcAddress ->74124EAD->6E2019D1
Function netapi32.dll:NetScheduleJobDel (210) intercepted, method - ProcAddressHijack.GetProcAddress ->74124EC8->6E201AC9
Function netapi32.dll:NetScheduleJobEnum (211) intercepted, method - ProcAddressHijack.GetProcAddress ->74124EE3->6E201BC1
Function netapi32.dll:NetScheduleJobGetInfo (212) intercepted, method - ProcAddressHijack.GetProcAddress ->74124EFF->6E201CE1
Function netapi32.dll:NetServerAliasAdd (213) intercepted, method - ProcAddressHijack.GetProcAddress ->74124F1E->755F7843
Function netapi32.dll:NetServerAliasDel (214) intercepted, method - ProcAddressHijack.GetProcAddress ->74124F37->755F7A79
Function netapi32.dll:NetServerAliasEnum (215) intercepted, method - ProcAddressHijack.GetProcAddress ->74124F50->755F7931
Function netapi32.dll:NetServerComputerNameAdd (216) intercepted, method - ProcAddressHijack.GetProcAddress ->74124F6A->755F7411
Function netapi32.dll:NetServerComputerNameDel (217) intercepted, method - ProcAddressHijack.GetProcAddress ->74124F8A->755F76FB
Function netapi32.dll:NetServerDiskEnum (218) intercepted, method - ProcAddressHijack.GetProcAddress ->74124FAA->755F6559
Function netapi32.dll:NetServerEnum (219) intercepted, method - ProcAddressHijack.GetProcAddress ->74124FC3->6EF32F61
Function netapi32.dll:NetServerEnumEx (220) intercepted, method - ProcAddressHijack.GetProcAddress ->74124FD9->6EF32C5F
Function netapi32.dll:NetServerGetInfo (221) intercepted, method - ProcAddressHijack.GetProcAddress ->74124FF1->755F3CFA
Function netapi32.dll:NetServerSetInfo (222) intercepted, method - ProcAddressHijack.GetProcAddress ->74125009->755F6681
Function netapi32.dll:NetServerTransportAdd (223) intercepted, method - ProcAddressHijack.GetProcAddress ->74125021->755F6851
Function netapi32.dll:NetServerTransportAddEx (224) intercepted, method - ProcAddressHijack.GetProcAddress ->7412503E->755F7329
Function netapi32.dll:NetServerTransportDel (225) intercepted, method - ProcAddressHijack.GetProcAddress ->7412505D->755F6A01
Function netapi32.dll:NetServerTransportEnum (226) intercepted, method - ProcAddressHijack.GetProcAddress ->7412507A->755F6AD9
Function netapi32.dll:NetSessionDel (231) intercepted, method - ProcAddressHijack.GetProcAddress ->74125098->755F5941
Function netapi32.dll:NetSessionEnum (232) intercepted, method - ProcAddressHijack.GetProcAddress ->741250AD->755F5A11
Function netapi32.dll:NetSessionGetInfo (233) intercepted, method - ProcAddressHijack.GetProcAddress ->741250C3->755F5B41
Function netapi32.dll:NetSetPrimaryComputerName (234) intercepted, method - ProcAddressHijack.GetProcAddress ->741250DC->74105D31
Function netapi32.dll:NetShareAdd (235) intercepted, method - ProcAddressHijack.GetProcAddress ->741250FD->755F5C81
Function netapi32.dll:NetShareCheck (236) intercepted, method - ProcAddressHijack.GetProcAddress ->74125110->755F5E91
Function netapi32.dll:NetShareDel (237) intercepted, method - ProcAddressHijack.GetProcAddress ->74125125->755F5F81
Function netapi32.dll:NetShareDelEx (238) intercepted, method - ProcAddressHijack.GetProcAddress ->74125138->755F7B61
Function netapi32.dll:NetShareDelSticky (239) intercepted, method - ProcAddressHijack.GetProcAddress ->7412514D->755F60D1
Function netapi32.dll:NetShareEnum (240) intercepted, method - ProcAddressHijack.GetProcAddress ->74125166->755F3F91
Function netapi32.dll:NetShareEnumSticky (241) intercepted, method - ProcAddressHijack.GetProcAddress ->7412517A->755F61C9
Function netapi32.dll:NetShareGetInfo (242) intercepted, method - ProcAddressHijack.GetProcAddress ->74125194->755F433F
Function netapi32.dll:NetShareSetInfo (243) intercepted, method - ProcAddressHijack.GetProcAddress ->741251AB->755F6341
Function netapi32.dll:NetUnjoinDomain (245) intercepted, method - ProcAddressHijack.GetProcAddress ->741251C2->74105641
Function netapi32.dll:NetUseAdd (247) intercepted, method - ProcAddressHijack.GetProcAddress ->741251D9->74103693
Function netapi32.dll:NetUseDel (248) intercepted, method - ProcAddressHijack.GetProcAddress ->741251EA->74105FA9
Function netapi32.dll:NetUseEnum (249) intercepted, method - ProcAddressHijack.GetProcAddress ->741251FB->74103184
Function netapi32.dll:NetUseGetInfo (250) intercepted, method - ProcAddressHijack.GetProcAddress ->7412520D->74106039
Function netapi32.dll:NetUserAdd (251) intercepted, method - ProcAddressHijack.GetProcAddress ->74125222->740F464F
Function netapi32.dll:NetUserChangePassword (252) intercepted, method - ProcAddressHijack.GetProcAddress ->74125234->740F5A06
Function netapi32.dll:NetUserDel (253) intercepted, method - ProcAddressHijack.GetProcAddress ->74125251->740F4826
Function netapi32.dll:NetUserEnum (254) intercepted, method - ProcAddressHijack.GetProcAddress ->74125263->740F49D6
Function netapi32.dll:NetUserGetGroups (255) intercepted, method - ProcAddressHijack.GetProcAddress ->74125276->740F4E01
Function netapi32.dll:NetUserGetInfo (256) intercepted, method - ProcAddressHijack.GetProcAddress ->7412528E->740F1C60
Function netapi32.dll:NetUserGetLocalGroups (257) intercepted, method - ProcAddressHijack.GetProcAddress ->741252A4->740F2875
Function netapi32.dll:NetUserModalsGet (258) intercepted, method - ProcAddressHijack.GetProcAddress ->741252C1->740F206B
Function netapi32.dll:NetUserModalsSet (259) intercepted, method - ProcAddressHijack.GetProcAddress ->741252D9->740F54AA
Function netapi32.dll:NetUserSetGroups (260) intercepted, method - ProcAddressHijack.GetProcAddress ->741252F1->740F5095
Function netapi32.dll:NetUserSetInfo (261) intercepted, method - ProcAddressHijack.GetProcAddress ->74125309->740F4D1D
Function netapi32.dll:NetValidateName (262) intercepted, method - ProcAddressHijack.GetProcAddress ->7412531F->74105859
Function netapi32.dll:NetValidatePasswordPolicy (263) intercepted, method - ProcAddressHijack.GetProcAddress ->74125336->740F9967
Function netapi32.dll:NetValidatePasswordPolicyFree (264) intercepted, method - ProcAddressHijack.GetProcAddress ->74125357->740F9B6B
Function netapi32.dll:NetWkstaTransportAdd (267) intercepted, method - ProcAddressHijack.GetProcAddress ->7412537C->74104E45
Function netapi32.dll:NetWkstaTransportDel (268) intercepted, method - ProcAddressHijack.GetProcAddress ->74125398->74104F21
Function netapi32.dll:NetWkstaTransportEnum (269) intercepted, method - ProcAddressHijack.GetProcAddress ->741253B4->74104CF9
Function netapi32.dll:NetWkstaUserEnum (270) intercepted, method - ProcAddressHijack.GetProcAddress ->741253D1->74104AD1
Function netapi32.dll:NetWkstaUserGetInfo (271) intercepted, method - ProcAddressHijack.GetProcAddress ->741253E9->74103280
Function netapi32.dll:NetWkstaUserSetInfo (272) intercepted, method - ProcAddressHijack.GetProcAddress ->74125404->74104C15
Function netapi32.dll:NetapipBufferAllocate (273) intercepted, method - ProcAddressHijack.GetProcAddress ->7412541F->741137AA
Function netapi32.dll:NetpIsRemote (289) intercepted, method - ProcAddressHijack.GetProcAddress ->7412543E->7411382D
Function netapi32.dll:NetpwNameCanonicalize (296) intercepted, method - ProcAddressHijack.GetProcAddress ->74125454->74111C30
Function netapi32.dll:NetpwNameCompare (297) intercepted, method - ProcAddressHijack.GetProcAddress ->74125473->74111F2E
Function netapi32.dll:NetpwNameValidate (298) intercepted, method - ProcAddressHijack.GetProcAddress ->7412548D->74111990
Function netapi32.dll:NetpwPathCanonicalize (299) intercepted, method - ProcAddressHijack.GetProcAddress ->741254A8->7411275D
Function netapi32.dll:NetpwPathCompare (300) intercepted, method - ProcAddressHijack.GetProcAddress ->741254C7->74114086
Function netapi32.dll:NetpwPathType (301) intercepted, method - ProcAddressHijack.GetProcAddress ->741254E1->74112533
Function netapi32.dll:NlBindingAddServerToCache (302) intercepted, method - ProcAddressHijack.GetProcAddress ->741254F8->752561F8
Function netapi32.dll:NlBindingRemoveServerFromCache (303) intercepted, method - ProcAddressHijack.GetProcAddress ->7412551B->75255D67
Function netapi32.dll:NlBindingSetAuthInfo (304) intercepted, method - ProcAddressHijack.GetProcAddress ->74125543->75256198
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=1689C0)
 Kernel ntkrnlpa.exe found in memory at address 82A15000
   SDT = 82B7D9C0
   KiST = 82A846F0 (401)
Functions checked: 401, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
 Analyzing CPU 1
 Analyzing CPU 2
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
 Driver loaded successfully
1.5 Checking IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = 853811F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 853811F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 853811F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 853811F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 853811F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 853811F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 853811F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 853811F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 853811F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 853811F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 853811F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 853811F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 853811F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 853811F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 853811F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 853811F8 -> hook not defined
 Checking - complete
2. Scanning RAM
 Number of processes found: 38
Extended process analysis: 4012 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
 Number of modules loaded: 492
Scanning RAM - complete
3. Scanning disks
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
 Checking - disabled by user
6. Searching for opened TCP/UDP ports used by malicious software
 Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
 >>  Process termination timeout is out of admissible values
 >>  Service termination timeout is out of admissible values
 >>  Timeout of "Not Responding" verdict for processes is out of admissible values
 >>  HDD autorun is allowed
 >>  Network drives autorun is allowed
 >>  Removable media autorun is allowed
 >>  Start -> Run menu item is blocked
Checking - complete
Files scanned: 530, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 18/12/2009 10:50:01 ??
Time of scanning: 00:00:16
If you suspect the presence of viruses or have questions about the suspected objects,
you can consult the http://virusinfo.info conference