

trojan virus 'appears' to have deleted whole hard drive, docs and program files

This is a discussion on trojan virus 'appears' to have deleted whole hard drive, docs and program files within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 06-06-2011, 09:15 AM   #1
Registered Member
 
Join Date: Jun 2010
Posts: 36
OS: Win 8.1



Hi. My computer's picked up a trojan virus. I had one about a year ago and people were very helpful about it on here. But this one seems to be a lot more disruptive and I'm not sure how many helpful details I'm going to be able to give you. At the moment, I can't even run a scan on the system or provide any error logs as the whole hard drive seems to have been wiped out by something claiming to be 'Windows XP Recovery', which wants to charge me a premium for them to 'fix' the problem. Except I'm pretty sure everything's still there really, as when I tried to run a scan (which eventually got disrupted) it was still going through all my normal files. I can only guess this virus has essentially hidden my real hard drive and wants money to bring it back, under the guise of 'fixing' a problem it has in fact created? It reminds me of the mob asking for protection money! Anyway, like I say, the information I can give you is scant, but the error messages are telling me: there's a problem with the 'IDE/SATA hard disks', that there's a 'bad sector on the hard drive which may cause data corruption and loss, hard drive inaccessibility, system errors and failures' and that 'Windows was unable to save the file \\system32\\496a8300'. I have ComboFix installed from the last time this happened, but it looks empty! I'm not sure I can get onto the web to download anything. And I can boot up Windows recovery mode, but not sure what best to do with it. Does anyone have any advice, or is it time to invest in a new computer? Thanks!
mrbaggins is offline  
 
Old 06-06-2011, 07:56 PM   #2
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Hello mrbaggins.

No need to format, and you will be able to download and run the necessary tools.

Do not jump straight to running ComboFix. I need to see a preliminary set of logs in order to determine whether or not to deploy ComboFix. As explained in Post 2 of our pre-posting topic...

Quote:
Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.
Please do not run it until I advise you. First, I need more information. Please follow our pre-posting process outlined here and post the requested logs.

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Those 2 tools (dds.scr and gmer.exe) can be downloaded and run from a flash drive if necessary. If you cannot see the flash drive via My Computer or Windows Explorer, open Task Manager (press Ctrl+Alt+Del), click File > New Task (Run...) and use the Browse button to locate the flash drive.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-07-2011, 04:59 AM   #3
Registered Member
 
Join Date: Jun 2010
Posts: 36
OS: Win 8.1



Hi. Thanks for that. I've managed to run DDS from a flash drive, and the text log is pasted in below (attach.zip added as attachment). Unfortunately, my computer will only stay awake for about 15 minutes before I get a 'System32' error message which then restarts the machine. So I haven't been able to fully run the GMER scan. I've tried to run it from safety mode, but there's no way I can find to make it acknowledge the flash drive. Is there anything else I can do, and does this prevent repair? Thanks!

DDS Txt:

.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by User at 11:46:40 on 2011-06-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.57 [GMT -7:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Application Data\VyuAmrmEfIELC.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\system32\attrib.exe
C:\Documents and Settings\All Users\Application Data\16375588.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\attrib.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [VyuAmrmEfIELC] c:\documents and settings\all users\application data\VyuAmrmEfIELC.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ShowLOMControl] 1 (0x1)
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
uPolicies-explorer: NoDesktop = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240818417230
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{66E02E2E-D0DF-4491-9FEE-98B71A0CEC66} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{FB4464AA-9DA0-43BD-AA3B-7C0F5A90B7C6} : DhcpNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\c67xtk2d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nectar.com
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ourmark=1&ei=utf-8&fr=chr-nectar&slv8-&type=61465&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Nectar Search Toolbar: {841468a1-d7f4-4bd3-84e6-bb0f13a06c64} - %profile%\extensions\{841468a1-d7f4-4bd3-84e6-bb0f13a06c64}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-4-28 53816]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
R1 RapportCerberus_26762;RapportCerberus_26762;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\26762\RapportCerberus_26762.sys [2011-6-2 57144]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-4-28 66360]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-4-28 158904]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 BecHelperService;BecHelperService;c:\program files\3 mobile broadband\3connect\BecHelperService.exe [2010-3-27 1737464]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-4-28 870200]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\24413\RapportIaso.sys [2011-4-15 18872]
.
=============== Created Last 30 ================
.
2011-06-06 18:32:13 350208 ---ha-w- c:\documents and settings\all users\application data\16375588.exe
2011-06-06 18:23:49 435200 ---ha-w- c:\documents and settings\all users\application data\VyuAmrmEfIELC.exe
2011-05-28 00:27:44 -------- d--h--w- c:\windows\PIF
2011-05-26 18:02:22 -------- d--h--w- c:\documents and settings\user\application data\Vodafone
2011-05-26 18:01:04 7680 ---ha-r- c:\windows\system32\drivers\massfilter.sys
2011-05-26 18:00:00 -------- d--h--w- c:\documents and settings\all users\application data\Vodafone
2011-05-26 17:59:00 -------- d--h--w- c:\documents and settings\user\local settings\application data\{A51078CA-7A85-4433-8D2D-35FB5D9A9609}
2011-05-19 16:14:01 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-04-28 21:34:50 53816 ---ha-w- c:\windows\system32\drivers\RapportKELL.sys
2011-04-06 23:20:16 91424 ---ha-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20:16 197920 ---ha-w- c:\windows\system32\dnssdX.dll
2011-04-06 23:20:16 107808 ---ha-w- c:\windows\system32\dns-sd.exe
.
============= FINISH: 11:50:31.18 ===============
Attached Files
File Type: zip attach.zip (3.3 KB, 52 views)
mrbaggins is offline  
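As an added illustration (my code, not the forum's and not part of DDS), here is a small Python triage script run over an excerpt of the DDS log above. It pulls out the three things a helper reads first in a log like this: executables launched straight from the root of a profile-wide Application Data folder, cross-referenced against the Run keys and the "Created Last 30" list; the Explorer/system policy values that lock the user out of their own machine (DisableTaskMgr, NoDesktop); and how many attrib.exe instances sit in the process snapshot, which fits the original poster's guess that the files were hidden rather than deleted, since attrib is the stock tool for setting the hidden attribute. The section-header and policy-line patterns are inferred from this one log, and the policy name list is an assumption to extend.

```python
import re

# Lines excerpted from the DDS log posted above (post #3), trimmed to the three
# sections the rules below read. The header/line formats are inferred from it.
DDS_EXCERPT = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Documents and Settings\All Users\Application Data\VyuAmrmEfIELC.exe
C:\WINDOWS\system32\attrib.exe
C:\Documents and Settings\All Users\Application Data\16375588.exe
C:\WINDOWS\system32\attrib.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [VyuAmrmEfIELC] c:\documents and settings\all users\application data\VyuAmrmEfIELC.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
uPolicies-explorer: NoDesktop = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
.
=============== Created Last 30 ================
.
2011-06-06 18:32:13 350208 ---ha-w- c:\documents and settings\all users\application data\16375588.exe
2011-06-06 18:23:49 435200 ---ha-w- c:\documents and settings\all users\application data\VyuAmrmEfIELC.exe
2011-05-19 16:14:01 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
============= FINISH: 11:50:31.18 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# An .exe sitting directly in the root of a profile-wide "Application Data"
# folder, with no vendor sub-folder: installers almost never place files there.
BARE_APPDATA_EXE_RE = re.compile(r"\\application data\\([^\\]+\.exe)$", re.I)
POLICY_RE = re.compile(r"^([umd])Policies-(\w+):\s*(\w+)\s*=\s*(\d+)")
# Policy values that lock the user out of their own machine (assumed list).
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoDesktop",
                    "NoFolderOptions", "NoControlPanel"}


def split_sections(text):
    """Group the log's lines under their '===== name =====' headers."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and line != ".":
            sections[current].append(line)
    return sections


def triage(text):
    """Return the indicators a helper would read first from a DDS log."""
    s = split_sections(text)
    findings = {}  # lower-cased file name -> set of tags

    def tag(line, t):
        m = BARE_APPDATA_EXE_RE.search(line)
        if m:
            findings.setdefault(m.group(1).lower(), set()).add(t)

    attrib_count = 0
    for proc in s.get("Running Processes", []):
        tag(proc, "running")
        if proc.lower().endswith("\\attrib.exe"):
            attrib_count += 1

    policies = []
    for line in s.get("Pseudo HJT Report", []):
        if re.match(r"^[umd]Run:", line):
            tag(line, "autorun")          # same file also persists via a Run key
        pm = POLICY_RE.match(line)
        if pm and pm.group(3) in LOCKOUT_POLICIES and int(pm.group(4)) != 0:
            policies.append((f"{pm.group(1)}Policies-{pm.group(2)}", pm.group(3)))

    for line in s.get("Created Last 30", []):
        tag(line, "recent")               # and was written in the last 30 days

    return {"suspicious_executables": findings,
            "lockout_policies": policies,
            "attrib_instances": attrib_count}


def summarize(report):
    """Render the triage as text, most-tagged executables first."""
    out = []
    for name, tags in sorted(report["suspicious_executables"].items(),
                             key=lambda kv: -len(kv[1])):
        out.append(f"{name}: {', '.join(sorted(tags))}")
    for hive, name in report["lockout_policies"]:
        out.append(f"lockout policy set: {hive} {name}")
    out.append(f"attrib.exe instances in process list: {report['attrib_instances']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(triage(DDS_EXCERPT)))
```

The executable that is running, persisted in a Run key and created in the last 30 days rises to the top; the policy lines explain why Task Manager and the desktop were unavailable to the poster.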
 
Old 06-07-2011, 02:55 PM   #4
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



You're welcome. :)

Let's try a different Rootkit scanner. Perhaps it will complete before that 15 minutes.

Download Rootkit Unhooker and save it to your desktop.

Close all open programs and browsers, then double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

Note: you may get the following warning. Please click OK to continue:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

If your computer crashes before it completes, look at the tabs at the top of the tool's interface. You can scan each section one at a time and save the results if needed.
Ried is offline  
Old 06-08-2011, 01:57 PM   #5
Registered Member
 
Join Date: Jun 2010
Posts: 36
OS: Win 8.1



Thanks for that. This one worked, albeit in 3 different bits. I managed to scan the Drivers and Stealth Codes as one, so that makes up the first part of this log below. Then the second part is Files, and the third Code Hooks. I've separated them each with a line, but I'm sure it'll be obvious where one ends and the next begins. Looks like the latter 2 scans found something, so if you have any suggestions for fixing this problem, they'd be greatly appreciated. Genuine thanks for your help so far!


RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2069376 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2069376 bytes
0x804D7000 RAW 2069376 bytes
0x804D7000 WMIxWDM 2069376 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF81CC000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1302528 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xF7F72000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
0xBF077000 C:\WINDOWS\System32\ialmdd5.DLL 925696 bytes (Intel Corporation, DirectDraw(R) Driver for Intel(R) Graphics Technology)
0xF7ECA000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 688128 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF83C7000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xAA1FA000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF812C000 C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 425984 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
0xF7DAF000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAA70C000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA9978000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xAA6C4000 C:\WINDOWS\system32\DRIVERS\avgtdix.sys 294912 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
0xBF159000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xF80E9000 C:\WINDOWS\system32\drivers\STAC97.sys 274432 bytes (SigmaTel, Inc., SigmaTel Audio Driver (WDM))
0xA8F31000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF7E8D000 C:\WINDOWS\system32\DRIVERS\iwca.sys 249856 bytes (Intel Corporation, Intel Wireless Connection Agent)
0xAA1BE000 C:\WINDOWS\system32\DRIVERS\avgldx86.sys 245760 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0xBF042000 C:\WINDOWS\System32\ialmdev5.DLL 217088 bytes (Intel Corporation, Component GHAL Driver)
0xF8071000 C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys 200704 bytes (Conexant Systems, Inc., HSFHWICH WDM driver)
0xF7E0D000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF8503000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA9BED000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF839A000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA8E16000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xAA589000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xA9812000 C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys 163840 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Driver.)
0xAA5D6000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xAA69E000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xAA563000 C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys 155648 bytes (Trusteer Ltd., RapportPG)
0xA8D2A000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF80C5000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF8194000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF80A2000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAA5B4000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0x806D1000 ACPI_HAL 131840 bytes
0x806D1000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF847D000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF84B5000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF84D4000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xF8380000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF849D000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xAA106000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF8454000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF7E76000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA99D0000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xA9DFA000 C:\WINDOWS\system32\drivers\mdvrmng.sys 81920 bytes (-, SmartRoaming Client)
0xF81B8000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAA765000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF846B000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF84F2000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF7E3D000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF8842000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF8742000 C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys 61440 bytes (Trusteer Ltd., RapportEI)
0xA9C3A000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF86D2000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF8672000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF8852000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF8752000 C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26762\RapportCerberus_26762.sys 53248 bytes (Trusteer Ltd., RapportCerberus)
0xF8862000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF8652000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF86F2000 C:\WINDOWS\system32\DRIVERS\avgmfx86.sys 49152 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0xF8682000 RapportKELL.sys 49152 bytes (Trusteer Ltd., RapportKE)
0xF8882000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF8782000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF8642000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF8872000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xA9B2D000 C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys 40960 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Filter Driver.)
0xAA65E000 C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys 40960 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Loader Driver.)
0xF8632000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF86B2000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF88A2000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF8692000 AVGIDSEH.Sys 36864 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Helper Driver.)
0xA8BC2000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF8662000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF8832000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF8892000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF8712000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF8702000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF892A000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF898A000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF8922000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF88B2000 C:\WINDOWS\System32\Drivers\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF8A3A000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF893A000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF8932000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF891A000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF897A000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF88C2000 avgrkx86.sys 20480 bytes (AVG Technologies CZ, s.r.o., AVG Anti-Rootkit Driver)
0xF8982000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF88BA000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF8952000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF895A000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF8942000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF89A2000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xA9FDE000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 16384 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xF7E5E000 C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS 16384 bytes (Dell Inc, App Support Driver)
0xF8A4A000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF8AE6000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xF8B26000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA9FAE000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF8AE2000 C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS 16384 bytes (Dell Computer Corporation, OMCI Device Driver)
0xA8C82000 C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\24413\RapportIaso.sys 16384 bytes (Trusteer Ltd., RapportIaso)
0xF8A42000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF8A46000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xAA192000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xA9BB9000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF8AF6000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF8327000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xA9FDA000 C:\WINDOWS\system32\DRIVERS\s24trans.sys 12288 bytes (Intel Corporation, Intel WLAN Packet Driver)
0xF8B58000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF8B74000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF8B56000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF8B36000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF8B32000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF8B5A000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF8B5C000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF8B50000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF8B52000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF8B34000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF8D79000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF8C9D000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF8CC7000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF8BFA000 PCIIde.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================


Nothing detected :(

___________________________________________________________________________________________________________________________

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Files
==============================================
!-->[Hidden] C:\System Volume Information\_restore{70DF0FE7-1C74-43F6-861B-ADDBF44634BE}\RP1\A0011212.gdb
!-->[Hidden] C:\System Volume Information\_restore{70DF0FE7-1C74-43F6-861B-ADDBF44634BE}\RP1\change.log.55
!-->[Hidden] C:\System Volume Information\_restore{70DF0FE7-1C74-43F6-861B-ADDBF44634BE}\RP1\change.log.56


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

___________________________________________________________________________________________________________________________

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0002ACB4, Type: Inline - RelativeJump 0x80501CB4-->80501D18 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002AF3C, Type: Inline - RelativeJump 0x80501F3C-->80501F3C [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002AF98, Type: Inline - RelativeJump 0x80501F98-->80501F98 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002AFC0, Type: Inline - RelativeJump 0x80501FC0-->80501F7D [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006AB0A, Type: Inline - RelativeJump 0x80541B0A-->80541B11 [ntkrnlpa.exe]
ntkrnlpa.exe+0x00142259, Type: Inline - RelativeJump 0x80619259-->F8D0D768 [unknown_code_page]
ntkrnlpa.exe-->NtSetValueKey, Type: Inline - RelativeJump 0x8061925E-->80619259 [ntkrnlpa.exe]
[2632]ZCfgSvc.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[2632]ZCfgSvc.exe-->crypt32.dll-->advapi32.dll-->ControlService, Type: IAT modification 0x77A81144-->6F8A07DD [acgenral.dll]
[2632]ZCfgSvc.exe-->crypt32.dll-->advapi32.dll-->OpenServiceW, Type: IAT modification 0x77A8113C-->6F8A07BA [acgenral.dll]
[2632]ZCfgSvc.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
[2632]ZCfgSvc.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
[2632]ZCfgSvc.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0043F164-->5CB77774 [shimeng.dll]
[2632]ZCfgSvc.exe-->shell32.dll-->advapi32.dll-->ControlService, Type: IAT modification 0x7C9C1060-->6F8A07DD [acgenral.dll]
[2632]ZCfgSvc.exe-->shell32.dll-->advapi32.dll-->OpenServiceW, Type: IAT modification 0x7C9C1068-->6F8A07BA [acgenral.dll]
[2632]ZCfgSvc.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[2632]ZCfgSvc.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[2832]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[2832]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
[2832]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
[2832]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
[2832]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[2832]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[2832]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->5CB77774 [shimeng.dll]
[2832]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
[3852]VyuAmrmEfIELC.exe-->advapi32.dll-->RegCloseKey, Type: IAT modification 0x0060353C-->FFFFEFF0 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->advapi32.dll-->RegCreateKeyExW, Type: IAT modification 0x00603554-->D6FF50FF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->advapi32.dll-->RegDeleteKeyW, Type: IAT modification 0x00603548-->E7F0858D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->advapi32.dll-->RegEnumKeyExW, Type: IAT modification 0x0060354C-->8D50FFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->advapi32.dll-->RegOpenKeyA, Type: IAT modification 0x00603534-->61A015FF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->advapi32.dll-->RegOpenKeyExW, Type: IAT modification 0x00603544-->D6FF5000 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->advapi32.dll-->RegQueryValueExA, Type: IAT modification 0x00603538-->858D0060 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->advapi32.dll-->RegQueryValueExW, Type: IAT modification 0x00603558-->60C36868 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->advapi32.dll-->RegQueryValueW, Type: IAT modification 0x00603540-->60C37868 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->advapi32.dll-->RegSetValueExW, Type: IAT modification 0x00603550-->FFEFF085 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->BitBlt, Type: IAT modification 0x006036BC-->FFFFD5E4 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->CreateCompatibleBitmap, Type: IAT modification 0x00603698-->DDE4BD8D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->CreateCompatibleDC, Type: IAT modification 0x006036C0-->D3FF5057 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->CreateDIBSection, Type: IAT modification 0x0060367C-->ABF3FFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->CreateFontIndirectW, Type: IAT modification 0x00603664-->000FF3E8 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->CreatePen, Type: IAT modification 0x006036C4-->00087D83 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->CreateSolidBrush, Type: IAT modification 0x006036CC-->EB0060C3 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->DeleteDC, Type: IAT modification 0x00603684-->6850FFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->DeleteObject, Type: IAT modification 0x006036E8-->FF500060 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->DPtoLP, Type: IAT modification 0x006036E4-->C37868FF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->ExcludeClipRect, Type: IAT modification 0x006036B4-->61A01D8B [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->GetBkColor, Type: IAT modification 0x0060365C-->FFDFF085 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->GetBkMode, Type: IAT modification 0x00603658-->8DD6FF50 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->GetBrushOrgEx, Type: IAT modification 0x006036A8-->4815FF57 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->GetCurrentObject, Type: IAT modification 0x00603690-->858D0060 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->GetDeviceCaps, Type: IAT modification 0x00603668-->A5836600 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->GetObjectW, Type: IAT modification 0x0060368C-->604C15FF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->GetStockObject, Type: IAT modification 0x00603688-->00000104 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->GetStretchBltMode, Type: IAT modification 0x006036AC-->83006060 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->GetTextColor, Type: IAT modification 0x00603660-->50016AFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->IntersectClipRect, Type: IAT modification 0x006036B8-->858D0060 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->LineTo, Type: IAT modification 0x006036D8-->FFFFDFF0 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->LPtoDP, Type: IAT modification 0x00603694-->FFFFDDE4 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->MoveToEx, Type: IAT modification 0x006036D4-->858D0060 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->OffsetViewportOrgEx, Type: IAT modification 0x00603670-->0082B900 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->Polygon, Type: IAT modification 0x006036B0-->657503F8 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->Polyline, Type: IAT modification 0x00603680-->DDE4858D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->Rectangle, Type: IAT modification 0x006036D0-->C37C6805 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->RestoreDC, Type: IAT modification 0x00603674-->C0330000 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->SaveDC, Type: IAT modification 0x00603678-->DDE6BD8D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->SelectObject, Type: IAT modification 0x006036C8-->44680774 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->SetBkColor, Type: IAT modification 0x00603654-->0060C35C [VyuAmrmEfIELC.exe]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->SetBkMode, Type: IAT modification 0x006036E0-->FFDFF085 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->SetBrushOrgEx, Type: IAT modification 0x006036A0-->83667C74 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->SetStretchBltMode, Type: IAT modification 0x006036A4-->7674003F [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->SetTextColor, Type: IAT modification 0x006036DC-->8DD3FF50 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->SetViewportOrgEx, Type: IAT modification 0x0060366C-->FFFFDDE4 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->gdi32.dll-->StretchBlt, Type: IAT modification 0x0060369C-->C085FFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->CloseHandle, Type: IAT modification 0x00603458-->FFF7F0A5 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->CreateFileA, Type: IAT modification 0x0060348C-->1A6AFFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->CreateFileMappingA, Type: IAT modification 0x00603490-->FF006A50 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->CreateFileW, Type: IAT modification 0x00603488-->E7F0858D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->ExitProcess, Type: IAT modification 0x006034C8-->8DD3FF50 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->FlushFileBuffers, Type: IAT modification 0x00603454-->8366FFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->FreeEnvironmentStringsA, Type: IAT modification 0x0060347C-->EFF2BD8D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->FreeEnvironmentStringsW, Type: IAT modification 0x00603474-->AB66ABF3 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x00603524-->FFFFF616 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetACP, Type: IAT modification 0x00603414-->6AFFFFF7 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetCommandLineA, Type: IAT modification 0x006034E0-->3D8BD3FF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetCPInfo, Type: IAT modification 0x0060341C-->E7F0858D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetCurrentThreadId, Type: IAT modification 0x006034E8-->F7F0858D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetEnvironmentStrings, Type: IAT modification 0x00603478-->C033CA8B [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetEnvironmentStringsW, Type: IAT modification 0x00603470-->00FFFFEF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetFileSize, Type: IAT modification 0x00603498-->F0858D00 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetFileType, Type: IAT modification 0x006034A8-->60C41868 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetLocaleInfoA, Type: IAT modification 0x00603430-->7506F47D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification 0x0060349C-->50FFFFE7 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x006034EC-->006AFFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x006034C4-->FFFFF7F0 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetOEMCP, Type: IAT modification 0x00603418-->D7FF5000 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x00603520-->E850FFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetStartupInfoA, Type: IAT modification 0x006034A4-->FFFFE7F0 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetStdHandle, Type: IAT modification 0x006034AC-->D6FF5000 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetStringTypeA, Type: IAT modification 0x00603434-->F07D830A [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetStringTypeW, Type: IAT modification 0x00603438-->50840F01 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetSystemInfo, Type: IAT modification 0x00603444-->BA00FFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetTickCount, Type: IAT modification 0x00603504-->50FFFFF7 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->GetVersionExA, Type: IAT modification 0x006034DC-->50FFFFF7 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->HeapCreate, Type: IAT modification 0x00603468-->FFFFF7F2 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->HeapDestroy, Type: IAT modification 0x0060346C-->F0A58366 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->InitializeCriticalSection, Type: IAT modification 0x00603420-->8D50FFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->InterlockedDecrement, Type: IAT modification 0x00603510-->FF50006A [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->InterlockedIncrement, Type: IAT modification 0x00603514-->F0858DD7 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->IsBadCodePtr, Type: IAT modification 0x00603450-->E7F2BD8D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->IsBadReadPtr, Type: IAT modification 0x006034F8-->C41468FF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->IsBadWritePtr, Type: IAT modification 0x006034FC-->FF500060 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->IsProcessorFeaturePresent, Type: IAT modification 0x00603480-->016AFFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->LCMapStringA, Type: IAT modification 0x00603428-->0FE850FF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->LCMapStringW, Type: IAT modification 0x0060342C-->83FFFFF7 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00603424-->FFF7F085 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x0060351C-->F7F0858D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->lstrcmpiW, Type: IAT modification 0x00603518-->50FFFFE7 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->lstrcmpW, Type: IAT modification 0x00603500-->F0858DD6 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->lstrcpyW, Type: IAT modification 0x0060350C-->FFFFF7F0 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->lstrlenW, Type: IAT modification 0x00603528-->EFF0858D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->MapViewOfFile, Type: IAT modification 0x00603494-->60617C15 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->MulDiv, Type: IAT modification 0x00603508-->858DD3FF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->MultiByteToWideChar, Type: IAT modification 0x006034CC-->FFF7F085 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->RaiseException, Type: IAT modification 0x0060340C-->FF50FFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->SetFilePointer, Type: IAT modification 0x0060343C-->66000001 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->SetHandleCount, Type: IAT modification 0x006034B0-->F7F0858D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->SetStdHandle, Type: IAT modification 0x0060344C-->C033CA8B [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x00603440-->E7F0A583 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->Sleep, Type: IAT modification 0x006034F0-->8DD7FF50 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->TlsAlloc, Type: IAT modification 0x006034B4-->6850FFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->TlsFree, Type: IAT modification 0x006034C0-->858D0060 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->TlsGetValue, Type: IAT modification 0x006034B8-->00000400 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->TlsSetValue, Type: IAT modification 0x006034E4-->00606044 [VyuAmrmEfIELC.exe]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->UnmapViewOfFile, Type: IAT modification 0x00603484-->AB66ABF3 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->VirtualAlloc, Type: IAT modification 0x00603404-->D6FF5000 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->VirtualFree, Type: IAT modification 0x00603464-->BD8DC033 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->VirtualProtect, Type: IAT modification 0x0060352C-->7C68FFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->VirtualQuery, Type: IAT modification 0x00603448-->000001FF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->WideCharToMultiByte, Type: IAT modification 0x006034F4-->FFF7F085 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->kernel32.dll-->WriteFile, Type: IAT modification 0x00603460-->CA8BAB66 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->BeginPaint, Type: IAT modification 0x00603578-->016AFFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->ClientToScreen, Type: IAT modification 0x00603620-->6061A015 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->ClipCursor, Type: IAT modification 0x006035E0-->016AFFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->CreateWindowExW, Type: IAT modification 0x006035B4-->8D50FFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->DefWindowProcW, Type: IAT modification 0x0060356C-->60C35C68 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->DestroyWindow, Type: IAT modification 0x006035B8-->FFDFF085 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->DispatchMessageW, Type: IAT modification 0x00603590-->0060C37C [VyuAmrmEfIELC.exe]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->DrawIcon, Type: IAT modification 0x006035D8-->D6FF5000 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->DrawTextW, Type: IAT modification 0x0060364C-->F0858DD6 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->EndPaint, Type: IAT modification 0x00603574-->EFF0858D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->EnumChildWindows, Type: IAT modification 0x0060358C-->6805EB00 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->FillRect, Type: IAT modification 0x006035EC-->D5E4858D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->GetClientRect, Type: IAT modification 0x006035AC-->D6FF5057 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->GetCursorPos, Type: IAT modification 0x00603618-->DFF0858D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->GetDC, Type: IAT modification 0x00603610-->6805EB00 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->GetDesktopWindow, Type: IAT modification 0x006035C0-->DFF0858D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->GetDoubleClickTime, Type: IAT modification 0x006035F4-->FF006A50 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->GetIconInfo, Type: IAT modification 0x006035D4-->60C35C68 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->GetMessageW, Type: IAT modification 0x00603598-->FF50FFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->GetParent, Type: IAT modification 0x00603644-->C36868FF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->GetPropW, Type: IAT modification 0x00603584-->07740008 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->GetSystemMetrics, Type: IAT modification 0x006035E4-->1072E850 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->GetUpdateRect, Type: IAT modification 0x006035F0-->166AFFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->GetWindow, Type: IAT modification 0x006035A4-->858D0060 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->GetWindowDC, Type: IAT modification 0x006035C4-->6868FFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->GetWindowRect, Type: IAT modification 0x006035E8-->016A0000 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->InflateRect, Type: IAT modification 0x00603634-->858D50FF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->InvalidateRect, Type: IAT modification 0x006035B0-->D5E4858D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->IsWindow, Type: IAT modification 0x00603604-->7D83D3FF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->IsWindowVisible, Type: IAT modification 0x0060357C-->10DAE850 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->KillTimer, Type: IAT modification 0x00603628-->57FFFFDF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->LoadCursorW, Type: IAT modification 0x006035D0-->FFFFDFF0 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->LoadImageW, Type: IAT modification 0x006035BC-->D6FF50FF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->LoadStringW, Type: IAT modification 0x00603600-->50FFFFD5 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->MoveWindow, Type: IAT modification 0x00603608-->07740008 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->OffsetRect, Type: IAT modification 0x0060360C-->60C34468 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->PostMessageW, Type: IAT modification 0x00603624-->F0858D00 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->PostQuitMessage, Type: IAT modification 0x006035DC-->DFF0858D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->PtInRect, Type: IAT modification 0x00603630-->FFD5E485 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->RegisterClassExW, Type: IAT modification 0x00603588-->60C34468 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->ReleaseCapture, Type: IAT modification 0x0060359C-->6061A015 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->ReleaseDC, Type: IAT modification 0x00603614-->0060C37C [VyuAmrmEfIELC.exe]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->ScreenToClient, Type: IAT modification 0x0060361C-->FF50FFFF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->SendMessageW, Type: IAT modification 0x0060363C-->8DD6FF50 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->SetCapture, Type: IAT modification 0x006035A0-->C378BF00 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->SetCursor, Type: IAT modification 0x006035C8-->500060C3 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->SetFocus, Type: IAT modification 0x006035F8-->60617C15 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->SetParent, Type: IAT modification 0x006035FC-->E4858D00 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->SetPropW, Type: IAT modification 0x00603580-->7D830000 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->SetTimer, Type: IAT modification 0x0060362C-->8DD6FF50 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->SetWindowPos, Type: IAT modification 0x00603640-->FFDFF085 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->ShowWindow, Type: IAT modification 0x00603638-->FFFFDFF0 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->TranslateMessage, Type: IAT modification 0x00603594-->DFF0858D [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->UnregisterClassW, Type: IAT modification 0x006035A8-->FFFFDFF0 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->ValidateRect, Type: IAT modification 0x006035CC-->858DD6FF [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->WindowFromPoint, Type: IAT modification 0x00603570-->D6FF5000 [unknown_code_page]
[3852]VyuAmrmEfIELC.exe-->user32.dll-->wsprintfW, Type: IAT modification 0x00603648-->FF500060 [unknown_code_page]
[4076]16375588.exe-->advapi32.dll-->RegCloseKey, Type: IAT modification 0x0040353C-->68F0458B [unknown_code_page]
[4076]16375588.exe-->advapi32.dll-->RegCreateKeyExW, Type: IAT modification 0x00403554-->8D016AC0 [unknown_code_page]
[4076]16375588.exe-->advapi32.dll-->RegDeleteKeyW, Type: IAT modification 0x00403548-->E80004EF [unknown_code_page]
[4076]16375588.exe-->advapi32.dll-->RegEnumKeyExW, Type: IAT modification 0x0040354C-->000182A1 [unknown_code_page]
[4076]16375588.exe-->advapi32.dll-->RegOpenKeyA, Type: IAT modification 0x00403534-->000000D8 [unknown_code_page]
[4076]16375588.exe-->advapi32.dll-->RegOpenKeyExW, Type: IAT modification 0x00403544-->2C888D50 [unknown_code_page]
[4076]16375588.exe-->advapi32.dll-->RegQueryValueExA, Type: IAT modification 0x00403538-->50EC75FF [unknown_code_page]
[4076]16375588.exe-->advapi32.dll-->RegQueryValueExW, Type: IAT modification 0x00403558-->3DA2D44D [unknown_code_page]
[4076]16375588.exe-->advapi32.dll-->RegQueryValueW, Type: IAT modification 0x00403540-->00008066 [unknown_code_page]
[4076]16375588.exe-->advapi32.dll-->RegSetValueExW, Type: IAT modification 0x00403550-->950FC085 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->BitBlt, Type: IAT modification 0x004036BC-->56D415FF [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->CreateCompatibleBitmap, Type: IAT modification 0x00403698-->50004617 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->CreateCompatibleDC, Type: IAT modification 0x004036C0-->458A0044 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->CreateDIBSection, Type: IAT modification 0x0040367C-->51E850FF [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->CreateFontIndirectW, Type: IAT modification 0x00403664-->5300021E [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->CreatePen, Type: IAT modification 0x004036C4-->4D8D532F [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->CreateSolidBrush, Type: IAT modification 0x004036CC-->56D415FF [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->DeleteDC, Type: IAT modification 0x00403684-->408B10C4 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->DeleteObject, Type: IAT modification 0x004036E8-->288D8B00 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->DPtoLP, Type: IAT modification 0x004036E4-->4456D815 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->ExcludeClipRect, Type: IAT modification 0x004036B4-->FFFFFEE4 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->GetBkColor, Type: IAT modification 0x0040365C-->FFA00D8B [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->GetBkMode, Type: IAT modification 0x00403658-->000220C7 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->GetBrushOrgEx, Type: IAT modification 0x004036A8-->02B622E8 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->GetCurrentObject, Type: IAT modification 0x00403690-->56DCA105 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->GetDeviceCaps, Type: IAT modification 0x00403668-->460FDC68 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->GetObjectW, Type: IAT modification 0x0040368C-->75C33B06 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->GetStockObject, Type: IAT modification 0x00403688-->FC45C604 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->GetStretchBltMode, Type: IAT modification 0x004036AC-->10C48300 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->GetTextColor, Type: IAT modification 0x00403660-->11E80045 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->IntersectClipRect, Type: IAT modification 0x004036B8-->08FC45C6 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->LineTo, Type: IAT modification 0x004036D8-->685059D6 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->LPtoDP, Type: IAT modification 0x00403694-->DC680044 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->MoveToEx, Type: IAT modification 0x004036D4-->FF004551 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->OffsetViewportOrgEx, Type: IAT modification 0x00403670-->2AE80046 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->Polygon, Type: IAT modification 0x004036B0-->8D8D016A [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->Polyline, Type: IAT modification 0x00403680-->83000232 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->Rectangle, Type: IAT modification 0x004036D0-->0C680044 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->RestoreDC, Type: IAT modification 0x00403674-->8D000234 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->SaveDC, Type: IAT modification 0x00403678-->FFFEE485 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->SelectObject, Type: IAT modification 0x004036C8-->C44588C4 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->SetBkColor, Type: IAT modification 0x00403654-->E8004552 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->SetBkMode, Type: IAT modification 0x004036E0-->FFC44D8D [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->SetBrushOrgEx, Type: IAT modification 0x004036A0-->7868FFFF [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->SetStretchBltMode, Type: IAT modification 0x004036A4-->50004552 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->SetTextColor, Type: IAT modification 0x004036DC-->0045510C [16375588.exe]
[4076]16375588.exe-->gdi32.dll-->SetViewportOrgEx, Type: IAT modification 0x0040366C-->17DC6800 [unknown_code_page]
[4076]16375588.exe-->gdi32.dll-->StretchBlt, Type: IAT modification 0x0040369C-->FF24858D [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->CloseHandle, Type: IAT modification 0x00403458-->5353F045 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->CreateFileA, Type: IAT modification 0x0040348C-->D815FFD4 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->CreateFileMappingA, Type: IAT modification 0x00403490-->8D004456 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->CreateFileW, Type: IAT modification 0x00403488-->4D8D0045 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->ExitProcess, Type: IAT modification 0x004034C8-->C6D44D8D [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->FlushFileBuffers, Type: IAT modification 0x00403454-->8B004456 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->FreeEnvironmentStringsA, Type: IAT modification 0x0040347C-->45529C68 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->FreeEnvironmentStringsW, Type: IAT modification 0x00403474-->15FFD445 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x00403524-->0575C33B [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetACP, Type: IAT modification 0x00403414-->D4458D00 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetCommandLineA, Type: IAT modification 0x004034E0-->50D015FF [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetCPInfo, Type: IAT modification 0x0040341C-->45C65000 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetCurrentThreadId, Type: IAT modification 0x004034E8-->4458FC15 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetEnvironmentStrings, Type: IAT modification 0x00403478-->004456D4 [16375588.exe]
[4076]16375588.exe-->kernel32.dll-->GetEnvironmentStringsW, Type: IAT modification 0x00403470-->88D44D8D [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetFileSize, Type: IAT modification 0x00403498-->5000460F [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetFileType, Type: IAT modification 0x004034A8-->0575C33B [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetLocaleInfoA, Type: IAT modification 0x00403430-->8B004456 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification 0x0040349C-->03FC45C6 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification 0x004034EC-->EC458900 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x004034C4-->016A0001 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetOEMCP, Type: IAT modification 0x00403418-->460FB8B9 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x00403520-->04408BFF [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetStartupInfoA, Type: IAT modification 0x004034A4-->04408BFF [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetStdHandle, Type: IAT modification 0x004034AC-->4456DCA1 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetStringTypeA, Type: IAT modification 0x00403434-->6850F04D [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetStringTypeW, Type: IAT modification 0x00403438-->0000800A [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetSystemInfo, Type: IAT modification 0x00403444-->0001860B [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetTickCount, Type: IAT modification 0x00403504-->4D8D5750 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetVersionExA, Type: IAT modification 0x004034DC-->53000000 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->HeapCreate, Type: IAT modification 0x00403468-->000185E7 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->HeapDestroy, Type: IAT modification 0x0040346C-->532F458A [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->InitializeCriticalSection, Type: IAT modification 0x00403420-->49E802FC [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->InterlockedDecrement, Type: IAT modification 0x00403510-->B8B9D445 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->InterlockedIncrement, Type: IAT modification 0x00403514-->5000460F [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->IsBadCodePtr, Type: IAT modification 0x00403450-->D415FF01 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->IsBadReadPtr, Type: IAT modification 0x004034F8-->15FFD445 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->IsBadWritePtr, Type: IAT modification 0x004034FC-->004456D4 [16375588.exe]
[4076]16375588.exe-->kernel32.dll-->IsProcessorFeaturePresent, Type: IAT modification 0x00403480-->59D6FF00 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->LCMapStringA, Type: IAT modification 0x00403428-->C33B0440 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->LCMapStringW, Type: IAT modification 0x0040342C-->DCA10575 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00403424-->8BFFFFE4 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x0040351C-->FFE34FE8 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->lstrcmpiW, Type: IAT modification 0x00403518-->04FC45C6 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->lstrcmpW, Type: IAT modification 0x00403500-->59D6FF57 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->lstrcpyW, Type: IAT modification 0x0040350C-->8D004456 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->lstrlenW, Type: IAT modification 0x00403528-->4456DCA1 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->MapViewOfFile, Type: IAT modification 0x00403494-->B8B9D445 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->MulDiv, Type: IAT modification 0x00403508-->D815FFD4 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->MultiByteToWideChar, Type: IAT modification 0x004034CC-->FF01FC45 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->RaiseException, Type: IAT modification 0x0040340C-->FFD44D8D [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->SetFilePointer, Type: IAT modification 0x0040343C-->EF2CC181 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->SetHandleCount, Type: IAT modification 0x004034B0-->458B5000 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->SetStdHandle, Type: IAT modification 0x0040344C-->FC45C6D4 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x00403440-->E8530004 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->Sleep, Type: IAT modification 0x004034F0-->532F458A [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->TlsAlloc, Type: IAT modification 0x004034B4-->800868F0 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->TlsFree, Type: IAT modification 0x004034C0-->858DE800 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->TlsGetValue, Type: IAT modification 0x004034B8-->8D530000 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->TlsSetValue, Type: IAT modification 0x004034E4-->FF500044 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->UnmapViewOfFile, Type: IAT modification 0x00403484-->529C6850 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->VirtualAlloc, Type: IAT modification 0x00403404-->685059D6 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->VirtualFree, Type: IAT modification 0x00403464-->E80004EF [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->VirtualProtect, Type: IAT modification 0x0040352C-->530A6A00 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->VirtualQuery, Type: IAT modification 0x00403448-->4D8D016A [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->WideCharToMultiByte, Type: IAT modification 0x004034F4-->88D44D8D [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->WriteFile, Type: IAT modification 0x00403460-->2C888D00 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->BeginPaint, Type: IAT modification 0x00403578-->35FF5353 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->ClientToScreen, Type: IAT modification 0x00403620-->016A53E4 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->ClipCursor, Type: IAT modification 0x004035E0-->4D8B0000 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->CreateWindowExW, Type: IAT modification 0x004035B4-->1C458D30 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->DefWindowProcW, Type: IAT modification 0x0040356C-->00ABC1E8 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->DestroyWindow, Type: IAT modification 0x004035B8-->15FF5053 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->DispatchMessageW, Type: IAT modification 0x00403590-->4E752C5D [unknown_code_page]
[4076]16375588.exe-->user32.dll-->DrawIcon, Type: IAT modification 0x004035D8-->FC45C6F0 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->DrawTextW, Type: IAT modification 0x0040364C-->45FFA00D [unknown_code_page]
[4076]16375588.exe-->user32.dll-->EndPaint, Type: IAT modification 0x00403574-->5353036A [unknown_code_page]
[4076]16375588.exe-->user32.dll-->EnumChildWindows, Type: IAT modification 0x0040358C-->3800012D [unknown_code_page]
[4076]16375588.exe-->user32.dll-->FillRect, Type: IAT modification 0x004035EC-->53016AF0 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->GetClientRect, Type: IAT modification 0x004035AC-->004456CC [16375588.exe]
[4076]16375588.exe-->user32.dll-->GetCursorPos, Type: IAT modification 0x00403618-->C0850044 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->GetDC, Type: IAT modification 0x00403610-->2070FF2C [unknown_code_page]
[4076]16375588.exe-->user32.dll-->GetDesktopWindow, Type: IAT modification 0x004035C0-->8D10EC83 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->GetDoubleClickTime, Type: IAT modification 0x004035F4-->44591015 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->GetIconInfo, Type: IAT modification 0x004035D4-->4D8B0044 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->GetMessageW, Type: IAT modification 0x00403598-->CC8B10EC [unknown_code_page]
[4076]16375588.exe-->user32.dll-->GetParent, Type: IAT modification 0x00403644-->570015FF [unknown_code_page]
[4076]16375588.exe-->user32.dll-->GetPropW, Type: IAT modification 0x00403584-->E84D8B00 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->GetSystemMetrics, Type: IAT modification 0x004035E4-->A972E8F0 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->GetUpdateRect, Type: IAT modification 0x004035F0-->FF2070FF [unknown_code_page]
[4076]16375588.exe-->user32.dll-->GetWindow, Type: IAT modification 0x004035A4-->D415FF01 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->GetWindowDC, Type: IAT modification 0x004035C4-->CC8B0C45 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->GetWindowRect, Type: IAT modification 0x004035E8-->458B0000 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->InflateRect, Type: IAT modification 0x00403634-->5353F04D [unknown_code_page]
[4076]16375588.exe-->user32.dll-->InvalidateRect, Type: IAT modification 0x004035B0-->FFEC4D8B [unknown_code_page]
[4076]16375588.exe-->user32.dll-->IsWindow, Type: IAT modification 0x00403604-->89C33B08 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->IsWindowVisible, Type: IAT modification 0x0040357C-->00445488 [16375588.exe]
[4076]16375588.exe-->user32.dll-->KillTimer, Type: IAT modification 0x00403628-->8B12EB00 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->LoadCursorW, Type: IAT modification 0x004035D0-->56BC15FF [unknown_code_page]
[4076]16375588.exe-->user32.dll-->LoadImageW, Type: IAT modification 0x004035BC-->004456D0 [16375588.exe]
[4076]16375588.exe-->user32.dll-->LoadStringW, Type: IAT modification 0x00403600-->408B0004 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->MoveWindow, Type: IAT modification 0x00403608-->3174F045 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->OffsetRect, Type: IAT modification 0x0040360C-->752C5D38 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->PostMessageW, Type: IAT modification 0x00403624-->00E84AE8 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->PostQuitMessage, Type: IAT modification 0x004035DC-->C654E801 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->PtInRect, Type: IAT modification 0x00403630-->8B00006D [unknown_code_page]
[4076]16375588.exe-->user32.dll-->RegisterClassExW, Type: IAT modification 0x00403588-->97E85353 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->ReleaseCapture, Type: IAT modification 0x0040359C-->53E86589 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->ReleaseDC, Type: IAT modification 0x00403614-->590015FF [unknown_code_page]
[4076]16375588.exe-->user32.dll-->ScreenToClient, Type: IAT modification 0x0040361C-->4D8B0D75 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->SendMessageW, Type: IAT modification 0x0040363C-->1D885300 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->SetCapture, Type: IAT modification 0x004035A0-->88EC4D89 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->SetCursor, Type: IAT modification 0x004035C8-->50EC6589 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->SetFocus, Type: IAT modification 0x004035F8-->F0458B00 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->SetParent, Type: IAT modification 0x004035FC-->EF14808B [unknown_code_page]
[4076]16375588.exe-->user32.dll-->SetPropW, Type: IAT modification 0x00403580-->039943E8 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->SetTimer, Type: IAT modification 0x0040362C-->7AE8F04D [unknown_code_page]
[4076]16375588.exe-->user32.dll-->SetWindowPos, Type: IAT modification 0x00403640-->00462038 [16375588.exe]
[4076]16375588.exe-->user32.dll-->ShowWindow, Type: IAT modification 0x00403638-->007DC1E8 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->TranslateMessage, Type: IAT modification 0x00403594-->831C458A [unknown_code_page]
[4076]16375588.exe-->user32.dll-->UnregisterClassW, Type: IAT modification 0x004035A8-->A1004456 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->ValidateRect, Type: IAT modification 0x004035CC-->05FC45C6 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->WindowFromPoint, Type: IAT modification 0x00403570-->F04D8B00 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->wsprintfW, Type: IAT modification 0x00403648-->8B590044 [unknown_code_page]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
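A small parser for the RootkitUnhooker IAT lines above, added here as an editor's example (it is not part of the thread and not RkU's own code). Each line has the shape `[PID]image-->dll-->function, Type: IAT modification 0xSLOT-->TARGET [owner]`. An owner of `unknown_code_page` means RkU could not map the target to any loaded module, and on a stock 32-bit XP (2 GB user/kernel split, no /3GB) a target at or above 0x80000000 cannot be a user-mode import at all, so values such as `8B004456` are stray bytes rather than pointers. The six sample lines are copied from the log; the 0x80000000 threshold and the class labels are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# One RootkitUnhooker (RkU) IAT report line:
#   [PID]image-->dll-->function, Type: IAT modification 0xSLOT-->TARGET [owner]
IAT_LINE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<image>.+?)-->(?P<dll>.+?)-->(?P<func>[^,]+),\s*"
    r"Type:\s*IAT modification\s+0x(?P<slot>[0-9A-Fa-f]{8})-->(?P<target>[0-9A-Fa-f]{8})\s*"
    r"\[(?P<owner>[^\]]+)\]\s*$"
)

# Default 2 GB user/kernel split on 32-bit Windows XP without /3GB: no user-mode
# import can legitimately point at or above this address (example's assumption).
USER_SPACE_LIMIT = 0x80000000


def parse_rku_iat(text):
    """Return one dict per IAT-modification line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = IAT_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["pid"] = int(e["pid"])
        e["slot"] = int(e["slot"], 16)
        e["target"] = int(e["target"], 16)
        entries.append(e)
    return entries


def classify(entry):
    """Label a single IAT slot by where RkU says its target lives."""
    if entry["target"] >= USER_SPACE_LIMIT:
        return "kernel-range"        # cannot be a user-mode code pointer: stray bytes
    if entry["owner"] == "unknown_code_page":
        return "unknown-owner"       # user-range value, but inside no loaded module
    if entry["owner"].lower() == entry["image"].lower():
        return "in-image"            # points back into the process's own image
    return "other-module"            # resolved to some other loaded module


def summarize(entries):
    """Per imported DLL, how many slots fall into each class."""
    by_dll = defaultdict(Counter)
    for e in entries:
        by_dll[e["dll"].lower()][classify(e)] += 1
    return {dll: dict(c) for dll, c in by_dll.items()}


def verdict(entries):
    """Count slots whose targets are not plausible resolved imports."""
    total = len(entries)
    suspicious = sum(1 for e in entries if classify(e) in ("kernel-range", "unknown-owner"))
    return {"total": total, "suspicious": suspicious,
            "ratio": (suspicious / total) if total else 0.0}


def iat_span(entries):
    """Lowest and highest IAT slot address seen (the .idata range RkU walked)."""
    slots = [e["slot"] for e in entries]
    return (min(slots), max(slots)) if slots else (None, None)


# Constructed sample: six lines copied from the RkU log above plus its trailer.
SAMPLE_RKU = """\
[4076]16375588.exe-->kernel32.dll-->CreateFileW, Type: IAT modification 0x00403488-->4D8D0045 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->FlushFileBuffers, Type: IAT modification 0x00403454-->8B004456 [unknown_code_page]
[4076]16375588.exe-->kernel32.dll-->GetEnvironmentStrings, Type: IAT modification 0x00403478-->004456D4 [16375588.exe]
[4076]16375588.exe-->user32.dll-->GetClientRect, Type: IAT modification 0x004035AC-->004456CC [16375588.exe]
[4076]16375588.exe-->user32.dll-->DefWindowProcW, Type: IAT modification 0x0040356C-->00ABC1E8 [unknown_code_page]
[4076]16375588.exe-->user32.dll-->GetSystemMetrics, Type: IAT modification 0x004035E4-->A972E8F0 [unknown_code_page]

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
"""

if __name__ == "__main__":
    ents = parse_rku_iat(SAMPLE_RKU)
    print(summarize(ents))
    print(verdict(ents), "slots 0x%08X-0x%08X" % iat_span(ents))
```

A process whose kernel32/user32 import slots are mostly filled with non-pointer data is either packed (the real imports are resolved at run time and RkU read the slots before they were fixed up) or has had its import table overwritten. Either way the executable is worth collecting for analysis rather than just deleting, which is what the `Collect::` script later in this thread does for the other file that turns up in system32.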
Old 06-08-2011, 07:44 PM   #6
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Nice work!

We can proceed now. Note - any of the following tools can be executed the same way you did for dds.scr and RootkitUnhooker. Download to a flash drive and run them from there.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications

Regarding AVG - Due to recent changes in AVG and how it interacts with ComboFix, before running ComboFix, AVG must be uninstalled via Start>Control Panel>Add or Remove programs panel.


If you have difficulty uninstalling AVG, download AVG's uninstaller from this page.


Or you can download Opswat AppRemover for AVG. The download for the AVG uninstaller can be found here Applications Supported for Uninstallation and Removal by OPSWAT's AppRemover.





====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 06-09-2011, 02:44 PM   #7
Registered Member
 
Join Date: Jun 2010
Posts: 36
OS: Win 8.1



Ok, ComboFix has been run and seems to have done its job (log below). It's pretty amazing - it's like it's brought the computer back from the dead! There are a few changes - i.e. most program shortcuts on the start menu are empty (although I think most of them are still accessible through program files) - but it's recovered all important files etc. Very impressed! Is there anything else to do now, or is it just a case of personalizing, restoring file locations etc?

Thanks!

ComboFix 11-06-06.02 - User 09/06/2011 2217.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.202 [GMT -7:00]
Running from: d:\tech support forums\ComboFix.exe
.
/wow section - STAGE 5
Access is denied.
Access is denied.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
The system cannot find the path specified.
'.d.a.1.a.3.f.f.' is not recognized as an internal or external command
'.0.\\.' is not recognized as an internal or external command
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
grep: temp2401: No such file or directory
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
.
/wow section - STAGE 32A
_____ _ _
_ __ _____ _| ___(_)_ __ __| |
| '_ \ / _ \ \ / / |_ | | '_ \ / _` |
| |_) | __/\ V /| _| | | | | | (_| |
| .__/ \___| \_/ |_| |_|_| |_|\__,_|
|_| by Billy Robert O'Neal III
Version 1021
Distributed under the Boost Software License, Version 1.0.
https://www.boost.org/LICENSE_1_0.txt
pevFind contains some code from Info-ZIP, used with permission.
In accordance with Info-ZIP's License, it can be found at
https://billy-oneal.com/infozip.txt
Filename regular expressions library is
Copyright (C)1997-1998 by David R. Tribble, all rights reserved.
.
Access is denied.
The system cannot find the path specified.
'.d.a.1.a.3.f.f.' is not recognized as an internal or external command
'.0.\\.' is not recognized as an internal or external command
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
grep: temp2401: No such file or directory
Access is denied.
The system cannot find the file Goldun.dat.
The system cannot find the file Vundonames.dat.
Could Not Find c:\combofix\Vundonames.dat
Access is denied.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\16375588.exe
c:\documents and settings\All Users\Application Data\VyuAmrmEfIELC.exe
c:\documents and settings\User\Desktop\Windows XP Recovery.lnk
c:\documents and settings\User\Start Menu\Programs\Windows XP Recovery
c:\documents and settings\User\Start Menu\Programs\Windows XP Recovery\Uninstall Windows XP Recovery.lnk
c:\documents and settings\User\Start Menu\Programs\Windows XP Recovery\Windows XP Recovery.lnk
.
.
((((((((((((((((((((((((( Files Created from 2011-05-10 to 2011-06-10 )))))))))))))))))))))))))))))))
.
.
2011-06-09 03:02 . 2011-06-09 03:02 7168 ---ha-w- c:\windows\system32\4DED6FC3.exe
2011-06-06 21:00 . 2011-06-06 21:00 -------- d--h--w- c:\documents and settings\Administrator
2011-05-28 00:27 . 2011-05-28 00:27 -------- d--h--w- c:\windows\PIF
2011-05-26 18:02 . 2011-05-26 18:02 -------- d--h--w- c:\documents and settings\User\Application Data\Vodafone
2011-05-26 18:02 . 2011-05-26 18:02 -------- d--h--w- c:\documents and settings\All Users\Application Data\InstallShield
2011-05-26 18:01 . 2011-05-26 18:01 -------- d--h--w- c:\documents and settings\LocalService\Application Data\Vodafone
2011-05-26 18:01 . 2008-12-09 00:21 7680 ---ha-r- c:\windows\system32\drivers\massfilter.sys
2011-05-26 18:00 . 2011-05-26 18:00 -------- d--h--w- c:\documents and settings\All Users\Application Data\Vodafone
2011-05-26 17:59 . 2011-05-26 17:59 -------- d--h--w- c:\documents and settings\User\Local Settings\Application Data\{A51078CA-7A85-4433-8D2D-35FB5D9A9609}
2011-05-19 16:14 . 2011-06-02 16:12 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-28 21:34 . 2011-04-28 21:34 53816 ---ha-w- c:\windows\system32\drivers\RapportKELL.sys
2011-04-06 23:20 . 2011-04-06 23:20 91424 ---ha-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20 . 2011-04-06 23:20 197920 ---ha-w- c:\windows\system32\dnssdX.dll
2011-04-06 23:20 . 2011-04-06 23:20 107808 ---ha-w- c:\windows\system32\dns-sd.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-15 839680]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 23:08 110592 ---ha-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1389:TCP"= 1389:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [28/04/2011 14:34 53816]
R1 RapportCerberus_26762;RapportCerberus_26762;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26762\RapportCerberus_26762.sys [02/06/2011 10:20 57144]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [28/04/2011 14:34 66360]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [28/04/2011 14:34 158904]
R2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [27/03/2010 14:50 1737464]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [28/04/2011 14:34 870200]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\24413\RapportIaso.sys [15/04/2011 09:02 18872]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/06/2010 15:26 38224]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\c67xtk2d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nectar.com
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ourmark=1&ei=utf-8&fr=chr-nectar&slv8-&type=61465&p=
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Nectar Search Toolbar: {841468a1-d7f4-4bd3-84e6-bb0f13a06c64} - %profile%\extensions\{841468a1-d7f4-4bd3-84e6-bb0f13a06c64}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-VyuAmrmEfIELC - c:\documents and settings\All Users\Application Data\VyuAmrmEfIELC.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-06-09 22:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(672)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
- - - - - - - > 'explorer.exe'(2308)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-06-09 22:25:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-10 05:25
.
Pre-Run: 60,734,996,480 bytes free
Post-Run: 60,777,381,888 bytes free
.
- - End Of File - - 1ED812ECAD679DAC6F3CC0530C765F95
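An editor's example, not from the thread: a second-pass triage over the ComboFix log above. ComboFix's own verdicts sit in the "Other Deletions" and "ORPHANS REMOVED" sections; the point of the script is to pull out what else in the log deserves a closer look, for instance the freshly created, hidden, eight-hex-character executable in system32 (`4DED6FC3.exe` in the "Files Created" list, which is exactly the file Ried later asks ComboFix to collect) and Run values whose target is marked `[X]`. The heuristics (hex-only names, executables dropped directly under Application Data, reading `[X]` as "target not found" and the `h` letter in the attribute column as Hidden) are this example's assumptions about the log format, and the sample log is a cut-down copy of the one posted.

```python
import re
from pathlib import PureWindowsPath

# Extensions treated as executable content for this triage (example's own list).
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".cpl", ".com", ".pif"}

# ComboFix section banners, matched on the title text inside the parentheses.
SECTIONS = {
    "Other Deletions": "deleted",
    "Files Created": "created",
    "Find3M Report": "find3m",
    "Reg Loading Points": "reg",
    "ORPHANS REMOVED": "orphans",
    "Supplementary Scan": "other",
    "catchme": "other",
}

# "2011-06-09 03:02 . 2011-06-09 03:02 7168 ---ha-w- c:\windows\system32\4DED6FC3.exe"
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\S+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
# "Name"="value" [date size]   or   "Name"="value" [X]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
# HKCU-Run-Name - path
ORPHAN_RE = re.compile(r"^(?P<hive>HK\w+)-Run-(?P<name>\S+) - (?P<path>.+)$")
# Names made only of hex digits, e.g. 4ded6fc3 or 16375588 (assumed "random-looking").
RANDOM_NAME = re.compile(r"^[0-9a-f]{6,}$")


def suspicious_reasons(path):
    """Reasons (possibly none) why an executable path deserves a closer look."""
    p = PureWindowsPath(path.strip().lower())
    if p.suffix not in EXEC_EXT:
        return []
    parent = p.parent.name
    reasons = []
    if RANDOM_NAME.match(p.stem) and parent in ("system32", "application data"):
        reasons.append(f"random-looking name in {parent}")
    if parent == "application data":
        reasons.append("executable directly under Application Data")
    return reasons


def triage(log_text):
    """Walk a ComboFix log and return a list of findings, each with a severity."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = next((key for title, key in SECTIONS.items() if title in line), None)
        if banner:
            section = banner
            continue
        if section == "deleted":
            for r in suspicious_reasons(line):
                findings.append({"severity": "high", "section": section, "path": line, "reason": r})
        elif section in ("created", "find3m"):
            m = CREATED_RE.match(line)
            if m:
                # Attribute column as ComboFix prints it; 'h' is read as Hidden (assumption).
                hidden = "h" in m["attrs"]
                for r in suspicious_reasons(m["path"]):
                    findings.append({"severity": "high", "section": section, "path": m["path"],
                                     "reason": r + (", hidden" if hidden else ""), "attrs": m["attrs"]})
        elif section == "reg":
            m = RUN_RE.match(line)
            if m:
                if m["meta"].strip() == "X":
                    findings.append({"severity": "info", "section": section, "path": m["value"],
                                     "reason": f"Run value '{m['name']}': target not found ([X])"})
                for r in suspicious_reasons(m["value"]):
                    findings.append({"severity": "high", "section": section, "path": m["value"],
                                     "reason": f"Run value '{m['name']}': {r}"})
        elif section == "orphans":
            m = ORPHAN_RE.match(line)
            if m:
                reasons = suspicious_reasons(m["path"])
                sev = "high" if reasons else "info"
                for r in reasons or ["orphaned Run value removed by ComboFix"]:
                    findings.append({"severity": sev, "section": section, "path": m["path"],
                                     "reason": f"{m['hive']} Run '{m['name']}': {r}"})
    return findings


def high_risk_paths(findings):
    """Distinct lower-cased paths behind the high-severity findings."""
    return sorted({f["path"].lower() for f in findings if f["severity"] == "high"})


# Constructed sample: a cut-down copy of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
ComboFix 11-06-06.02 - User 09/06/2011 2217.2.1 - x86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\16375588.exe
c:\documents and settings\All Users\Application Data\VyuAmrmEfIELC.exe
c:\documents and settings\User\Desktop\Windows XP Recovery.lnk
c:\documents and settings\User\Start Menu\Programs\Windows XP Recovery
.
((((((((((((((((((((((((( Files Created from 2011-05-10 to 2011-06-10 )))))))))))))))))))))))))))))))
.
2011-06-09 03:02 . 2011-06-09 03:02 7168 ---ha-w- c:\windows\system32\4DED6FC3.exe
2011-06-06 21:00 . 2011-06-06 21:00 -------- d--h--w- c:\documents and settings\Administrator
2011-05-26 18:01 . 2008-12-09 00:21 7680 ---ha-r- c:\windows\system32\drivers\massfilter.sys
2011-05-19 16:14 . 2011-06-02 16:12 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-15 839680]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-VyuAmrmEfIELC - c:\documents and settings\All Users\Application Data\VyuAmrmEfIELC.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['section']:8} {f['path']}  <- {f['reason']}")
```

Run against the sample it reports the two droppers under All Users\Application Data and the hidden `4DED6FC3.exe` as high, and the `[X]` Run value and the Java orphan as informational; the Dell, Intel and driver entries in the same sections produce nothing. The hex-name rule is deliberately narrow (only system32 and Application Data) so that ordinary vendor files elsewhere do not trip it.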
Old 06-09-2011, 07:27 PM   #8
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Hi mrbaggins,

It is an amazing tool, but we have a bit more to do.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/forums/f50/trojan-virus-appears-to-have-deleted-whole-hard-drive-docs-and-program-files-578891.html#post3302528

Collect::
c:\windows\system32\4DED6FC3.exe

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe. ComboFix will prompt you that an update is available - please allow it to update.


When finished, it shall produce a log for you. Post the C:\ComboFix.txt in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

======================================

Next, it's important to run an online scan to search for any remnants that may be lurking. Please go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic, along with the C:\ComboFix.txt

======================================================

Quote:
most program shortcuts on the start menu are empty
Please explain in more detail. Which ones appear empty?
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-10-2011, 11:13 AM   #9
Registered Member
 
Join Date: Jun 2010
Posts: 36
OS: Win 8.1



Hi. ComboFix went through fine again, managed to update etc. The log's copied in below.

I had less luck with the online scanner though. It installed okay, but pretty much as soon as I pressed 'scan', it said it couldn't detect the database (wasn't the exact wording), asking if the proxy was configured. And now the internet as a whole doesn't seem to be working on that computer - although it was after I ran the first ComboFix yesterday.

Quote:
Originally Posted by Ried View Post
Please explain in more detail. Which ones appear empty?
The original Microsoft ones, like 'Accessories', seem to be intact, but anything I've installed myself - such as iTunes, CCleaner etc (the majority of them, basically) - are showing as empty.

Cheers!

ComboFix 11-06-06.02 - User 10/06/2011 9:49.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.76 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
.
file zipped: c:\windows\system32\4DED6FC3.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\4DED6FC3.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-05-10 to 2011-06-10 )))))))))))))))))))))))))))))))
.
.
2011-06-06 21:00 . 2011-06-06 21:00 -------- d-----w- c:\documents and settings\Administrator
2011-05-28 00:27 . 2011-05-28 00:27 -------- d-----w- c:\windows\PIF
2011-05-26 18:02 . 2011-05-26 18:02 -------- d-----w- c:\documents and settings\User\Application Data\Vodafone
2011-05-26 18:02 . 2011-05-26 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2011-05-26 18:01 . 2011-05-26 18:01 -------- d-----w- c:\documents and settings\LocalService\Application Data\Vodafone
2011-05-26 18:01 . 2008-12-09 00:21 7680 ----a-r- c:\windows\system32\drivers\massfilter.sys
2011-05-26 18:00 . 2011-05-26 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Vodafone
2011-05-26 17:59 . 2011-05-26 17:59 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\{A51078CA-7A85-4433-8D2D-35FB5D9A9609}
2011-05-19 16:14 . 2011-06-02 16:12 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-28 21:34 . 2011-04-28 21:34 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-04-06 23:20 . 2011-04-06 23:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20 . 2011-04-06 23:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 23:20 . 2011-04-06 23:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-15 839680]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 23:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1389:TCP"= 1389:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [28/04/2011 14:34 53816]
R1 RapportCerberus_26762;RapportCerberus_26762;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26762\RapportCerberus_26762.sys [02/06/2011 10:20 57144]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [28/04/2011 14:34 66360]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [28/04/2011 14:34 158904]
R2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [27/03/2010 14:50 1737464]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [28/04/2011 14:34 870200]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\24413\RapportIaso.sys [15/04/2011 09:02 18872]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/06/2010 15:26 38224]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\c67xtk2d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nectar.com
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ourmark=1&ei=utf-8&fr=chr-nectar&slv8-&type=61465&p=
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Nectar Search Toolbar: {841468a1-d7f4-4bd3-84e6-bb0f13a06c64} - %profile%\extensions\{841468a1-d7f4-4bd3-84e6-bb0f13a06c64}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-06-10 10:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(676)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
- - - - - - - > 'explorer.exe'(3916)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.BIN
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-06-10 10:04:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-10 17:04
ComboFix2.txt 2011-06-10 05:25
.
Pre-Run: 60,661,538,816 bytes free
Post-Run: 60,627,525,632 bytes free
.
- - End Of File - - 351C7B51D17FA6D2B084C9E23B95D2ED
Upload was successful
mrbaggins is offline  
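To triage a ComboFix log like the one posted above, it helps to turn the "Reg Loading Points" entries and the R0/S3 service lines into records and pull out the values ComboFix marks [X] (it found no such file). This is an added example, not ComboFix's or the forum's code; SAMPLE is constructed from lines in the log above, and the start-type mapping follows the log's R/S-plus-digit convention.

```python
# Added example, not ComboFix's own code: parses the 'Reg Loading Points'
# section of a ComboFix log. SAMPLE is constructed from lines in the log above.
import re
from dataclasses import dataclass
from typing import List, Optional

# "Name"="path or data" [YYYY-MM-DD size]  --  [X] means ComboFix found no such file
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)" \[(?P<tag>[^\]]*)\]$')
# R0 svc;display;path [dd/mm/yyyy hh:mm size]  --  R = running, S = stopped,
# digit = Windows service start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled)
SERVICE = re.compile(r'^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);'
                     r'(?P<path>.+?) \[(?P<tag>[^\]]*)\]$')
START_TYPE = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

@dataclass
class Autostart:
    kind: str            # "run" (registry Run value) or "service"
    location: str        # registry key, or "running/auto"-style state for services
    name: str
    path: str
    date: Optional[str]  # timestamp text as printed in the log; None when [X]
    size: Optional[int]
    missing: bool        # True when the log marks the entry [X]

def _split_tag(tag: str):
    """'2008-04-14 110592' -> (date, size, False); 'X' -> (None, None, True)."""
    if tag.strip() == "X":
        return None, None, True
    parts = tag.split()
    return " ".join(parts[:-1]), int(parts[-1]), False

def parse_autostarts(log: str) -> List[Autostart]:
    entries: List[Autostart] = []
    key = ""
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                     # section header, e.g. HKEY_LOCAL_MACHINE\...\Run
            continue
        m = RUN_VALUE.match(line)
        if m:
            date, size, missing = _split_tag(m.group("tag"))
            entries.append(Autostart("run", key, m.group("name"), m.group("value"), date, size, missing))
            continue
        m = SERVICE.match(line)
        if m:
            date, size, missing = _split_tag(m.group("tag"))
            state = ("running" if m.group("state") == "R" else "stopped") + "/" + START_TYPE[m.group("start")]
            entries.append(Autostart("service", state, m.group("name"), m.group("path"), date, size, missing))
    return entries

def missing_files(entries: List[Autostart]) -> List[str]:
    """Names of autostart entries whose target file ComboFix could not find."""
    return [e.name for e in entries if e.missing]

SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-15 839680]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [28/04/2011 14:34 53816]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/06/2010 15:26 38224]
'''
if __name__ == "__main__":
    for e in parse_autostarts(SAMPLE):
        print(f"{e.kind:7} {e.name:28} {e.location:55} missing={e.missing}")
```

An [X] entry is an orphaned autostart value, not proof of anything malicious, but it is the kind of leftover a helper reviews before calling a log clean.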
Old 06-10-2011, 02:02 PM   #10
TSF Security Manager
Emeritus
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



I'm sorry to ask so many questions, but I need to understand exactly which section you're referring to. Are they empty when you access them through Start>All Programs, or do you mean in the Start Menu?
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-11-2011, 02:45 AM   #11
Registered Member
 
Join Date: Jun 2010
Posts: 36
OS: Win 8.1



Quote:
Originally Posted by Ried View Post
I'm sorry to ask so many questions, but I need to understand exactly which section you're referring to. Are they empty when you access them through Start>All Programs, or do you mean in the Start Menu?
It's fine. Ask as many questions as you like. You're doing me a big favour by helping me with this, and I really appreciate it.

The icons are empty when I access them through Start>All Programs. The Start menu itself just features the very basic options, i.e. Documents, Computer, Control Panel etc. The only installed program it seems to remember is the '3' mobile broadband icon.

I'm away this weekend, but will be able to check and respond to this thread. When I get home, I could send you a screenshot of the start menu programs if that's easier?

Do you think the issue could be connected to ESET and the internet (mostly) not working?

Thanks.
mrbaggins is offline  
Old 06-11-2011, 07:52 AM   #12
TSF Security Manager
Emeritus
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Thanks. :)

No, this has nothing to do with Eset not working, and please explain what you mean by internet not working sometimes.

For the empty All Programs, see if this Hotfix by Microsoft helps any: "When you point to "All Programs" on a Windows XP-based computer, the list of programs does not appear, or the list of programs is empty". If not, reinstalling the programs will bring that back for you.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-13-2011, 09:28 AM   #13
Registered Member
 
Join Date: Jun 2010
Posts: 36
OS: Win 8.1



Hi. Internet seems to be working okay now (although Tech Support Forums has been pretty slow). I managed to run ESET today on a better web connection, which found 4 threats, detailed in the following log:

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\16375588.exe.vir a variant of Win32/Kryptik.OSJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\VyuAmrmEfIELC.exe.vir a variant of Win32/Kryptik.OSJ trojan
C:\System Volume Information\_restore{70DF0FE7-1C74-43F6-861B-ADDBF44634BE}\RP2\A0016509.exe a variant of Win32/Kryptik.OSJ trojan
C:\System Volume Information\_restore{70DF0FE7-1C74-43F6-861B-ADDBF44634BE}\RP2\A0016510.exe a variant of Win32/Kryptik.OSJ trojan

I'll give the Microsoft Hotfix a go when this is sorted. Still, making progress. Thanks for your continued support!
mrbaggins is offline  
Old 06-13-2011, 06:10 PM   #14
TSF Security Manager
Emeritus
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



You're welcome. :)

Eset's findings are backups created during the course of this fix, and C:\System Volume Information\, where the other items are located, is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. We'll be clearing both of those areas when we're through here.

Please try the Hotfix.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-14-2011, 05:23 AM   #15
Registered Member
 
Join Date: Jun 2010
Posts: 36
OS: Win 8.1



Hi,

The Hotfix didn't work. It said I was running a newer version of the service pack than it was intended for. But I went through the start menu and re-added all the shortcuts manually, so it's no longer an issue. Everything seems to be running pretty much normally now. Presume there are still a few bits that need doing?

Cheers
mrbaggins is offline  
Old 06-14-2011, 05:27 AM   #16
TSF Security Manager
Emeritus
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Good work, mrbaggins.

All that's left now is to clean up. Please do not skip this step as it will implement important cleanup procedures, as well as reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point for you.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /uninstall

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.


To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - Microsoft Windows Update
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
    • SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

  • WOT (Web of Trust). As 'Googling' is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE.


  • Scan here (OSI - Consumer - Products) for out-of-date & vulnerable common applications on your computer

  • BACKING UP YOUR REGISTRY
    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders System Restore unavailable by simple means. With ERUNT, you're able to restore the damaged Registry.

    Vista/Windows 7 users - see this link for proper setup of Erunt: "Automatically Backup your Windows Vista Registry daily using ERUNT" (The Winhelponline Blog)


    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well-written articles

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-16-2011, 05:28 AM   #17
Registered Member
 
Join Date: Jun 2010
Posts: 36
OS: Win 8.1



Hi. All seems to be sorted, and will take a look at those links. Thanks so much for your help - really appreciated it. These forums, and the kind volunteers such as yourself, are a godsend!
mrbaggins is offline  
Old 06-16-2011, 07:37 AM   #18
TSF Security Manager
Emeritus
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



You're most welcome, and it's been a pleasure.

Best wishes to you.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  