I was in the process of responding with the requested logs when I got your last post. I'm not sure if you wanted the link before or after the upload. Anyway, here they are:
http://www.bleepingcomputer.com/pf.php
http://www.bleepingcomputer.com/subm....php?channel=4.
I'll post the other file as soon as I finish this post.
Oops! Looks like I used the second link to bleepingcomputer to post the first compressed file of moved files.
So, I went to the first link and posted the same file. Please forgive me . . . I'm old, confused and confounded by you guys.
Here are the logs:
Extra.txt is attached
--------------
OTMoveit
C:\WINDOWS\system32\winupd_KB65919063.exe moved successfully.
C:\WINDOWS\system32\winupd_KB58620628.exe moved successfully.
C:\WINDOWS\system32\winupd_KB69412836.exe moved successfully.
C:\WINDOWS\system32\winupd_KB08494134.exe moved successfully.
C:\WINDOWS\system32\winupd_KB26431806.exe moved successfully.
C:\WINDOWS\system32\winupd_KB56829756.exe moved successfully.
C:\WINDOWS\system32\winupd_KB59303473.exe moved successfully.
C:\WINDOWS\system32\winupd_KB70645686.exe moved successfully.
C:\WINDOWS\system32\winupd_KB08471726.exe moved successfully.
C:\WINDOWS\system32\winupd_KB90069443.exe moved successfully.
C:\WINDOWS\system32\winupd_KB90004561.exe moved successfully.
C:\WINDOWS\system32\winupd_KB44318973.exe moved successfully.
C:\WINDOWS\system32\winupd_KB78434668.exe moved successfully.
C:\WINDOWS\system32\winupd_KB85131081.exe moved successfully.
C:\WINDOWS\system32\winupd_KB17264537.exe moved successfully.
C:\WINDOWS\system32\winupd_KB89378022.exe moved successfully.
C:\WINDOWS\system32\winupd_KB77786317.exe moved successfully.
C:\WINDOWS\system32\winupd_KB98221393.exe moved successfully.
C:\WINDOWS\system32\winupd_KB81204801.exe moved successfully.
C:\WINDOWS\system32\winupd_KB72117528.exe moved successfully.
C:\WINDOWS\system32\winupd_KB18003240.exe moved successfully.
C:\WINDOWS\system32\winupd_KB11901888.exe moved successfully.
C:\WINDOWS\system32\winupd_KB92021998.exe moved successfully.
C:\WINDOWS\system32\winupd_KB40754700.exe moved successfully.
C:\WINDOWS\system32\winupd_KB56869449.exe moved successfully.
C:\WINDOWS\system32\winupd_KB94184285.exe moved successfully.
C:\WINDOWS\system32\winupd_KB04080293.exe moved successfully.
File/Folder C:\WINDOWS\System32\888111253.exe not found.
C:\Documents and Settings\ie_updater.exe moved successfully.
File/Folder not found.
Created on 04/27/2007 09:59:41
end
------------
Filefind
C:\WINDOWS\system32\drivers\ip6fw.sys - 7296 Bytes
end
---------
DSS Main
Deckard's System Scanner v20070423.42
Run by David on 2007-04-27 at 10:07:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
53: 2007-04-27 14:07:55 UTC - RP457 - Deckard's System Scanner Restore Point
52: 2007-04-27 07:00:53 UTC - RP456 - Installed Windows XP KB898461.
51: 2007-04-27 07:00:29 UTC - RP455 - Software Distribution Service 2.0
50: 2007-04-26 19:25:50 UTC - RP454 - System Checkpoint
49: 2007-04-25 18:30:32 UTC - RP453 - System Checkpoint
-- First Restore Point --
1: 2007-01-27 14:04:31 UTC - RP405 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as David.exe) -----------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:08:51 AM, on 4/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Documents and Settings\David\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\David.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwka.ops.placeware.com/etc/...uicksilver.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SP Software Installer - Unknown owner - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe (file missing)
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------
backup-20070426-095717-187 O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
backup-20070426-095717-270 O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Internet Security\isadd.dll (file missing)
backup-20070426-095717-362 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
backup-20070426-095717-734 O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
backup-20070426-095717-967 O4 - HKLM\..\Run: [VaCtrls] v7
backup-20070426-143921-850 O4 - HKLM\..\Run: [clcl6] C:\WINDOWS\System32\clcl6.exe
backup-20070427-100311-496 O4 - HKLM\..\Run: [888111253.exe] C:\WINDOWS\System32\888111253.exe
-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser %1,%*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 dac2w2k - c:\windows\system32\drivers\dac2w2k.sys <Verified; Mylex Corporation; Mylex Disk Array Controller Driver; 6.00-21; 6.00-21 (XPClient.010817-1148)>
R0 Gernuwa - c:\windows\system32\drivers\gernuwa.sys <Not Verified; Symantec Corporation; pcAnywhere; 10.5.0; 10.5.0>
R1 awlegacy - c:\windows\system32\drivers\awlegacy.sys <Not Verified; Symantec Corporation; pcAnywhere; 9.2.1; 9.2.1>
R1 Cdr4_xp - c:\windows\system32\drivers\cdr4_xp.sys <Not Verified; Roxio; Drag-to-Disc; 6.1.1.8; 6.1.1.8>
R1 Cdralw2k - c:\windows\system32\drivers\cdralw2k.sys <Not Verified; Roxio; Drag-to-Disc; 6.1.1.8; 6.1.1.8>
R1 cdudf_xp - c:\windows\system32\drivers\cdudf_xp.sys <Not Verified; Roxio; Drag-to-Disc; 6.1.1.8; 6.1.1.8 built by: WinDDK>
R1 ClntMgmt (HP Client Management Driver) - c:\windows\system32\drivers\clntmgmt.sys <Not Verified; Hewlett-Packard; Client Management Driver; 2.00.H1; 2,0,8,1>
R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan; 8.0.0; 8.0.0.266>
R1 pwd_2k - c:\windows\system32\drivers\pwd_2k.sys <Not Verified; Roxio; Drag-to-Disc; 6.1.1.8; 6.1.1.8>
R1 UdfReadr_xp - c:\windows\system32\drivers\udfreadr_xp.sys <Not Verified; Roxio; Drag-to-Disc; 6.1.1.8; 6.1.1.8 built by: WinDDK>
R2 cpqdfw (Diagnostics Driver) - c:\windows\system32\drivers\cpqdfw.sys
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9; 2.3.1.9; 2.3.1.9>
R3 ac97intc (Intel(r) 82801 Audio Driver Install Service (WDM)) - c:\windows\system32\drivers\ac97intc.sys <Verified; Intel Corporation; Intel(r) Integrated Controller Hub Audio Driver; 5.10.3523; 5.10.3523 built by: WinDDK>
R3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept; 8.0.0; 8.0.0.277>
R3 ltmodem5 (LT Modem Driver) - c:\windows\system32\drivers\ltmdmnt.sys <Verified; LT; LT V.92 Data+Fax Modem Version 8.23; 8.23; 8.23>
R3 mmc_2K - c:\windows\system32\drivers\mmc_2k.sys <Not Verified; Roxio; Drag-to-Disc; 6.1.1.8; 6.1.1.8>
R3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan; 8.0.0; 8.0.0.276>
R3 NSCIRDA (NSC Infrared Device Driver) - c:\windows\system32\drivers\nscirda.sys <Verified; National Semiconductor Corporation; NSC Fast Infrared Driver.; 1,0,0,0; 5,01,00,006 (xpclient.010817-1148)>
R3 RimSerPort (RIM Virtual Serial Port) - c:\windows\system32\drivers\rimserial.sys <Verified; Research in Motion Ltd; RIM Modem; 1.1.0.2; 1.1.0.2>
S3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Verified; Andrea Electronics Corporation; Andrea Audio Driver; 3.0.2.36; 3.0.2.36>
S3 AgereSoftModem (Agere Systems Soft Modem) - c:\windows\system32\drivers\agrsm.sys <Verified; Agere Systems; Agere SoftModem Driver; 2.1.36 2.1.36 11/19/2003 15:41:15; 2.1.36 2.1.36 11/19/2003 15:41:15>
S3 AR5211 (D-Link Adapter) - c:\windows\system32\drivers\ar5211.sys <Not Verified; D-Link; D-Link Wireless Network Adapter; 2.2.4.32; 2.2.4.32>
S3 CONAN - c:\windows\system32\drivers\o2mmb.sys <Verified; O2 Micro; o2mmb; 1, 0, 0, 0; 1, 0, 4, 701>
S3 dvd_2K - c:\windows\system32\drivers\dvd_2k.sys <Not Verified; Roxio; Drag-to-Disc; 6.1.1.8; 6.1.1.8>
S3 MbxStby - c:\windows\system32\drivers\mbxstby.sys <Verified; O2 Micro; o2mmb; 1, 0, 0, 0; 1, 0, 0, 4>
S3 RimUsb (RIM Handheld) - c:\windows\system32\drivers\rimusb.sys <Verified; Research In Motion Limited; RIM handheld driver; 1.1.0.2; 1.1.0.2>
S3 SMCIRDA (SMC IrCC Miniport Device Driver) - c:\windows\system32\drivers\smcirda.sys <Verified; SMC; Fast Infrared Miniport Driver; 5.1.2462.0; 5.1.2462.0>
S3 smwdm - c:\windows\system32\drivers\smwdm.sys <Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver; 5.12.01.3890; 5.12.01.3890>
S3 WLAN_400_500_SERVICE (HP WLAN W400/W500 Wireless Network Adapter Service) - c:\windows\system32\drivers\ar5211.sys <Not Verified; D-Link; D-Link Wireless Network Adapter; 2.2.4.32; 2.2.4.32>
S4 AW_HOST - c:\windows\system32\drivers\aw_host5.sys <Not Verified; Symantec Corporation; pcAnywhere; 10.5; 10.5.1.497>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 cpqdmi - c:\progra~1\compaq\compaq~1\cpqdmi.exe <Not Verified; Compaq Computer Corporation; Compaq Management Agents; 5.00 K1; 5.0.9.1>
R2 DfwWebAgent (Remote Diagnostics Enabling Agent) - c:\windows\cpqdiag\cpqdfwag.exe <Not Verified; Hewlett-Packard; Remote Diagnostics Enabling Agent; 3.02; 3.02.2005>
R2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework; ; 3.5.0.412>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise; 8.0.0; 8.0.0.912>
R2 SoundMAX Agent Service (default) (SoundMAX Agent Service) - c:\program files\analog devices\soundmax\smagent.exe <Not Verified; Analog Devices, Inc.; SoundMAX service agent; 3, 2, 6, 0; 3, 2, 6, 0>
R2 WIN32SL - c:\program files\compaq\compaq management agents\dmi\win32\bin\win32sl.exe <Not Verified; Intel; DMI 2.0 SDK; 2, 0, 0, 54; 2, 0, 0, 54>
S2 SP Software Installer - c:\program files\accessmanager\pmac\sp_swins.exe (file missing)
S4 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe (file missing)
S4 awhost32 (pcAnywhere Host Service) - c:\program files\symantec\pcanywhere\awhost32.exe <Not Verified; Symantec Corporation; pcAnywhere; 10.5; 10.5.1.505>
S4 CPQALERT (Insight Local Alerter) - c:\program files\compaq\compaq management agents\cpqalert.exe <Not Verified; Hewlett-Packard Company; Insight Management Agent; 5.00 K1; 5.0.9.1>
S4 cpqWebDmi (Insight Web Agent) - c:\progra~1\compaq\compaq~1\cpqweb~1\webdmi.exe <Not Verified; Hewlett-Packard Company; Insight Management Agent; 5.00 K1; 5.0.9.1>
-- Files created between 2007-03-27 and 2007-04-27 -----------------------------
2007-04-27 03:00:55 0 d-------- C:\WINDOWS\System32\PreInstall
2007-04-26 15:03:43 49152 --a------ C:\WINDOWS\nircmd.exe <Not Verified; NirSoft; NirCmd; 1.85; 1.85>
2007-04-26 14:47:50 0 d-------- C:\WINDOWS\System32\SoftwareDistribution
2007-04-26 14:47:12 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-04-26 14:46:56 7296 --a------ C:\WINDOWS\System32\drivers\ip6fw.sys
2007-04-26 09:40:30 3968 --a------ C:\WINDOWS\System32\drivers\AvgAsCln.sys <Not Verified; GRISOFT, s.r.o.; AVG7 Clean Driver; 1.0.0.14; 1.0.0.14>
2007-04-26 09:17:58 974914 --a------ C:\WINDOWS\System32\RC48E140.DLL <Not Verified; RICOH CO., LTD.; RICOH RPCS Printer Driver; 1.00; 7.3.0>
2007-04-26 09:17:58 32768 --a------ C:\WINDOWS\System32\RC00C140.dll <Not Verified; RICOH CO., LTD.; RC00C140; 7.3.0; 7.3.0>
2007-04-26 09:17:57 61440 --a------ C:\WINDOWS\System32\TrackID.dll <Not Verified; RICOH COMPANY,LTD.; Track ID; 1, 0, 4, 1; 1, 0, 4, 1>
2007-04-26 09:17:57 69632 --a------ C:\WINDOWS\System32\TIFmtA.dll <Not Verified; RICOH COMPANY,LTD.; Track ID; 1, 0, 4, 0; 1, 0, 4, 0>
2007-04-26 09:17:57 49152 --a------ C:\WINDOWS\System32\TIBase64.dll <Not Verified; RICOH COMPANY,LTD.; Track ID; 1, 0, 1, 0; 1, 0, 1, 0>
2007-04-26 09:17:57 262364 --a------ C:\WINDOWS\System32\rpcsecl.dll <Not Verified; RICOH; RICOH RPCS Printer Driver Module rpcsecl; 3, 3, 3, 0; 3, 3, 3, 0>
2007-04-26 09:17:57 221184 --a------ C:\WINDOWS\System32\RICJC32.dll <Not Verified; RICOH CO.,Ltd.; RICJC32; 1, 3, 4, 0; 1, 3, 4, 0>
2007-04-26 09:17:57 61440 --a------ C:\WINDOWS\System32\rdrvlog.dll <Not Verified; RICOH; RICOH rdrvlog; 0, 3, 7, 0; 0, 3, 7, 0>
2007-04-26 09:17:57 57344 --a------ C:\WINDOWS\System32\rdrvinf.dll <Not Verified; RICOH Co.,Ltd.; RICOH RPDL Driver; 6, 3, 1, 0; 6, 3, 1, 0>
2007-04-26 09:17:57 77824 --a------ C:\WINDOWS\System32\RCPRINT.dll <Not Verified; RICOH CO., LTD.; RICOH RPCS Printer Driver; 1.3.1.0; 1.3.1.0>
2007-04-26 09:17:57 126976 --a------ C:\WINDOWS\System32\Rc4manNT.dll <Not Verified; RICOH CO., LTD.; RC4MAN; 4, 0, 5, 0; 4, 0, 5, 0>
2007-04-26 09:17:57 167936 --a------ C:\WINDOWS\System32\JCUI.exe <Not Verified; Ricoh Co.,Ltd.; JCUI; 1, 3, 3, 0; 1, 3, 3, 0>
2007-04-26 09:17:56 53248 --a------ C:\WINDOWS\System32\RICDB32.dll <Not Verified; RICOH CO.,Ltd.; RICDB; 1, 1, 3, 0; 1, 1, 3, 0>
2007-04-26 09:17:56 27136 --a------ C:\WINDOWS\System32\RCINST.dll <Not Verified; RICOH CO., LTD.; RICOH RPCS Printer Driver; 0, 2, 0, 2; 2.0.2>
2007-04-26 09:17:56 32768 --a------ C:\WINDOWS\System32\rc4mon.dll <Not Verified; RICOH CO.,Ltd.; RC4MON; 3, 3, 1, 0; 3, 3, 1, 0>
2007-04-26 09:17:56 1236992 --a------ C:\WINDOWS\System32\MP450dat.dll <Not Verified; RICOH CO., LTD.; MP450dat.dll; 1, 0, 0, 0; 1, 0, 0, 0>
2007-04-26 09:17:56 37376 --a------ C:\WINDOWS\System32\MFRICRES.dll <Not Verified; RICOH CO.,Ltd.; MFRICRES; 1, 0, 3, 0; 1, 0, 3, 0>
2007-04-26 09:17:56 0 d--h----- C:\_rpcs
2007-04-25 14:55:37 2552 --a------ C:\WINDOWS\System32\tmp.reg
2007-04-25 14:55:09 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS; ; >
2007-04-25 14:55:09 53248 --a------ C:\WINDOWS\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility; 2, 0, 0, 0; 2, 0, 0, 0>
2007-04-25 14:55:09 51200 --a------ C:\WINDOWS\System32\dumphive.exe
2007-04-25 12:00:08 0 d-------- C:\Program Files\Hijack This
2007-04-08 20:58:22 0 d-------- C:\Documents and Settings\David\Application Data\MSN6
-- Find3M Report ---------------------------------------------------------------
2007-04-26 14:47:52 0 d--h----- C:\Program Files\WindowsUpdate
2007-04-26 11:37:58 0 d-------- C:\Program Files\Common Files\Companion Wizard
2007-04-08 20:03:07 0 d-------- C:\Documents and Settings\David\Application Data\PhotoParade
2007-03-23 10:02:42 0 d-------- C:\Program Files\Common Files\WinAntiVirus Pro 2007
2007-03-23 09:59:54 0 d-------- C:\Documents and Settings\David\Application Data\WinAntiVirus Pro 2007
-- Registry Dump ---------------------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATIModeChange"="Ati2mdxx.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQDFWAG"="C:\\WINDOWS\\Cpqdiag\\CpqDfwAg.exe"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link REG Utility.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\D-Link REG Utility.lnk"
"backup"="C:\\WINDOWS\\pss\\D-Link REG Utility.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\D-Link\\AIRPLU~1\\Reg.exe "
"item"="D-Link REG Utility"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChkAdmin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CHKADMIN"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Compaq\\COMPAQ~1\\CHKADMIN.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb07"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdaterUI"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfFactory Dispatcher v2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fppdis2a"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\fppdis2a.exe\" /source=HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DrgToDsc"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EngUtil"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SHSTAT"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ip6FwHlp"=dword:00000003
"cpqWebDmi"=dword:00000002
"CPQALERT"=dword:00000002
"awhost32"=dword:00000003
"Ati HotKey Poller"=dword:00000002
"ACS"=dword:00000002
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
-- End of Deckard's System Scanner: finished at 2007-04-27 at 10:09:48 ---------
GMER
GMER 1.0.12.12244 -
http://www.gmer.net
Rootkit scan 2007-04-27 10:23:07
Windows 5.1.2600 Service Pack 1
---- System - GMER 1.0.12 ----
SSDT 82335109 ZwCreateThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
---- User code sections - GMER 1.0.12 ----
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[744] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[756] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[924] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[968] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1084] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1148] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\explorer.exe[1468] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1596] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[2000] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!VirtualProtect 77E6169E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!GetStartupInfoA 77E6177E 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!WinExec 77E6FD60 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!CreatePipe 77E79D5C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!ReadFile 77E7AAA1 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!GetProcAddress 77E7B285 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!VirtualProtectEx 77E7D1AB 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!LoadLibraryA 77E7D8B4 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!WriteFile 77E7F08D 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] kernel32.dll!PeekNamedPipe 77EB99AA 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] WS2_32.dll!recv 71ABA0EF 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] WS2_32.dll!select 71ABBDA6 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] WS2_32.dll!send 71ABBFC8 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] WS2_32.dll!bind 71ABC328 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] WS2_32.dll!socket 71ABD159 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] WININET.dll!InternetOpenA 63017783 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] WININET.dll!InternetOpenUrlA 63017F4C 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
.text C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe[2016] WININET.dll!InternetReadFile 630188D2 5 Bytes CALL 37001160 C:\WINDOWS\System32\EntApi.dll
---- EOF - GMER 1.0.12 ----