wormfishin Posted October 9, 2010 ID:324921 Share Posted October 9, 2010 Everything seems fine on the surface but I'm getting svchost crashes.Faulting application svchost.exe, version 5.1.2600.5512, faulting module ntdll.dll, version 5.1.2600.5755, fault address 0x00023845.Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4748Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.1870210/8/2010 11:14:35 PMmbam-log-2010-10-08 (23-14-35).txtScan type: Quick scanObjects scanned: 149341Time elapsed: 8 minute(s), 21 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)DDS (Ver_10-10-05.01) - NTFSx86 Run by steve at 23:01:35.14 on Fri 10/08/2010Internet Explorer: 8.0.6001.18702Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.26Attach.zip Link to post Share on other sites More sharing options...
Maniac Posted October 9, 2010 ID:324965 Share Posted October 9, 2010 Hello wormfishin!My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following: The process of cleaning your system may take some time, so please be patient.Follow my instructions step by step if there is a problem somewhere, stop and tell me.Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.Instructions that I give are for your system only!If you don't know or can't understand something please ask. Do not install or uninstall any software or hardware, while work on.Keep me informed about any changes.Step 1Please, uninstall the following applications:Adobe Reader 8You can read, how to do this here:Windows XPWindows VistaWindows 7Step 2Your database version of Malwarebytes' Anti-Malware is 4748 , but the current is 4784 , so please:Launch Malwarebytes' Anti-MalwareGo to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.In your next reply, please include these log(s):Malwarebytes' Anti-Malware loga new fresh DDS log only Link to post Share on other sites More sharing options...
Maniac Posted October 9, 2010 ID:324994 Share Posted October 9, 2010 Please post your entire DDS log file. Link to post Share on other sites More sharing options...
wormfishin Posted October 9, 2010 Author ID:324998 Share Posted October 9, 2010 Sorry about that, When I try to post I get a "Could not connect to server", but it is actually posting, sorry about the double post I'll start posting from another machine.DDS (Ver_10-10-05.01) - NTFSx86 Run by steve at 8:28:41.77 on Sat 10/09/2010Internet Explorer: 8.0.6001.18702Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2698 [GMT -4:00]AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}============== Running Processes ===============C:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcsC:\Program Files\Intel\Wireless\Bin\S24EvMon.exesvchost.exesvchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exesvchost.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\WINDOWS\System32\digtizer.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\WINDOWS\system32\o2flash.exeC:\Program Files\Softex\OmniPass\Omniserv.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\PROGRA~1\AVG\AVG8\avgnsx.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exec:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exeC:\PROGRA~1\AVG\AVG8\avgemc.exeC:\Program Files\AVG\AVG8\avgcsrvx.exeC:\Program Files\Softex\OmniPass\OPXPApp.exeC:\WINDOWS\SYSTEM32\WISPTIS.EXEC:\WINDOWS\System32\tabbtnu.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exeC:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exeC:\Program Files\Fingerprint Sensor\ATSwpNav.exeC:\WINDOWS\AGRSMMSG.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCM3.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Documents and Settings\steve\My Documents\Downloads\dds.com============== Pseudo HJT Report ===============uStart Page = hxxp://google.com/uSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/ieuInternet Connection Wizard,ShellNext = hxxp://us.fujitsu.com/computersuSearchAssistant = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://www.google.com/search?q=%smSearchAssistant = hxxp://www.google.com/ieuRun: [ctfmon.exe] c:\windows\system32\ctfmon.exeuRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exemRun: [TabletWizard] c:\windows\help\SplshWrp.exemRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resumemRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exemRun: [indicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exemRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exemRun: [ATSwpNav] "c:\program files\fingerprint sensor\ATSwpNav" -runmRun: [AGRSMMSG] AGRSMMSG.exeuPolicies-explorer: NoWindowsUpdate = 0 (0x0)uPolicies-explorer: NoDevMgrUpdate = 0 (0x0)mPolicies-explorer: NoWindowsUpdate = 0 (0x0)IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.htmlIE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLLDPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cabTCP: {158899A1-6F1E-4358-95BA-5D51D380A65C} = 68.28.242.91 68.28.250.92Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dllNotify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLLNotify: avgrsstarter - avgrsstx.dllNotify: igfxcui - igfxdev.dllNotify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dllNotify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dllNotify: TabBtnWL - TabBtnWL.dllNotify: tpgwlnotify - tpgwlnot.dllSEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL================= FIREFOX ===================FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\yo1b15j8.default\FF - prefs.js: browser.search.selectedEngine - GoogleFF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:officialFF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101059100&s=FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\---- FIREFOX POLICIES ----FF - user.js: browser.search.selectedEngine - GoogleFF - user.js: browser.search.order.1 - GoogleFF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101059100&s=c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); ============= SERVICES / DRIVERS ===============R0 FBIOSDRV;FBIOSDRV;c:\windows\system32\drivers\FBIOSDRV.SYS [2007-4-19 8960]R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [2007-4-19 10496]R0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [2007-4-19 7168]R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-10-3 36640]R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-10-12 33152]R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-11 335240]R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-11 27784]R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-11 108552]R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-11 908056]R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-11 297752]R3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\drivers\FjBtnDrv.sys [2007-4-19 17920]R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2007-4-19 4864]R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [2007-4-19 30976]R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-4-19 36608]R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-10-12 99200]R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2006-3-8 92550]S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2007-4-18 14208]=============== Created Last 30 ================2010-10-09 11:32:13 -------- d-----w- c:\windows\system32\appmgmt2010-10-09 02:20:35 0 ----a-w- c:\documents and settings\steve\defogger_reenable2010-10-08 16:55:16 -------- d-----w- c:\program files\ESET2010-10-08 15:28:13 -------- d-sh--w- c:\documents and settings\steve\PrivacIE2010-10-08 15:10:47 -------- d-----w- c:\docume~1\steve\applic~1\SUPERAntiSpyware.com2010-10-08 15:10:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com2010-10-08 15:09:55 -------- d-----w- c:\program files\SUPERAntiSpyware2010-10-06 14:12:49 0 ----a-w- c:\windows\system32\drivers\avg\commonpriv.log.lock2010-10-06 13:25:55 -------- d-----w- c:\windows\system32\oldcatroot22010-10-06 13:24:36 -------- d-----w- c:\windows\RegBackups2010-10-06 13:05:57 -------- d-sh--w- c:\documents and settings\steve\IECompatCache2010-10-06 02:47:34 -------- d-----w- c:\windows\system32\scripting2010-10-06 02:47:34 -------- d-----w- c:\windows\system32\en2010-10-06 02:47:34 -------- d-----w- c:\windows\system32\bits2010-10-06 02:47:34 -------- d-----w- c:\windows\l2schemas2010-10-06 02:43:00 -------- d-----w- c:\windows\network diagnostic2010-10-06 02:32:12 -------- d-sh--w- c:\documents and settings\steve\IETldCache2010-10-06 02:29:22 -------- dc-h--w- c:\windows\ie82010-10-05 18:04:35 -------- d-sha-r- C:\cmdcons2010-10-05 17:23:23 98816 ----a-w- c:\windows\sed.exe2010-10-05 17:23:23 77312 ----a-w- c:\windows\MBR.exe2010-10-05 17:23:23 256512 ----a-w- c:\windows\PEV.exe2010-10-05 17:23:23 161792 ----a-w- c:\windows\SWREG.exe2010-09-28 18:18:12 -------- d-----w- c:\docume~1\steve\applic~1\Malwarebytes2010-09-28 18:18:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-09-28 18:18:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-09-28 18:18:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-09-28 18:18:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes2010-09-28 12:52:29 -------- d-----w- c:\windows\system32\wbem\repository\FS2010-09-28 12:52:29 -------- d-----w- c:\windows\system32\wbem\Repository2010-09-27 20:22:06 -------- d-----w- c:\docume~1\steve\applic~1\Genieo2010-09-10 13:46:31 -------- d-----w- c:\docume~1\steve\locals~1\applic~1\Mozilla==================== Find3M ================================= FINISH: 8:30:39.18 =============== Link to post Share on other sites More sharing options...
Maniac Posted October 9, 2010 ID:325002 Share Posted October 9, 2010 Thanks!Don't worry, I already report to our moderators.Now:**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper. Please download ComboFix from Here or Here to your Desktop. **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop** If you are using Firefox, make sure that your download settings are as follows: Open Tools -> Options -> Main tab Set to Always ask me where to Save the files. [*]During the download, rename Combofix to Combo-Fix as follows: [*]It is important you rename Combofix during the download, but not after. [*]Please do not rename Combofix to other names, but only to the one indicated. [*]Close any open browsers. [*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. ----------------------------------------------------------- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results. Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. ----------------------------------------------------------- Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection. ----------------------------------------------------------- [*]Double click on combo-Fix.exe & follow the prompts. [*]When finished, it will produce a report for you. [*]Please post the C:\Combo-Fix.txt for further review. **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall** Link to post Share on other sites More sharing options...
wormfishin Posted October 9, 2010 Author ID:325035 Share Posted October 9, 2010 I ran it. It detected a rootkit and rebooted. When it came back uo I see my desktop background but nothing else. The system doesn't look to be doing anything, its not locked up the mouse moves but I. Didn't try clicking or hitting anything on the keyboard. Its been 30 minutes or so like this. Link to post Share on other sites More sharing options...
Maniac Posted October 9, 2010 ID:325093 Share Posted October 9, 2010 Start the computer in Safe Mode with Networking.http://www.microsoft.com/resources/documen...t_failsafe.mspx Link to post Share on other sites More sharing options...
wormfishin Posted October 9, 2010 Author ID:325096 Share Posted October 9, 2010 OK it ran, file was too large to paste inline.combo_fix.txt Link to post Share on other sites More sharing options...
Maniac Posted October 9, 2010 ID:325103 Share Posted October 9, 2010 Open Notepad and copy and paste the text in the code box below into it:File::c:\windows\Jmicevuladi.binc:\windows\Ydiyucowo.datRenV::c:\program files\AVG\AVG8\avgtray .exec:\program files\Common Files\Microsoft Shared\Ink\tabtip .exec:\program files\CyberLink\PowerDVD\PDVDServ .exec:\program files\Fujitsu\BtnHnd\BtnHnd .exec:\program files\Fujitsu\fjdvrupd\fjdvrupd .exec:\program files\Fujitsu\FUJ02E3\FUJ02E3 .exec:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty .exec:\program files\Fujitsu\SSUtility\FJSSDMN .exec:\program files\Fujitsu\Utils\FjStrtAp .exec:\program files\Hewlett-Packard\hp deskjet 460 series\Toolbox\HPWRTBX .exec:\program files\Intel\Wireless\Bin\ifrmewrk .exec:\program files\Intel\Wireless\Bin\ZCfgSvc .exec:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool .exec:\program files\Picasa2\PicasaMediaDetector .exec:\program files\Softex\OmniPass\scureapp .exec:\program files\Synaptics\SynTP\SynTPEnh .exec:\windows\Help\SplshWrp .exeSave the file to your desktop and name it CFScript.txt Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system. Link to post Share on other sites More sharing options...
wormfishin Posted October 9, 2010 Author ID:325111 Share Posted October 9, 2010 ComboFix 10-10-09.01 - steve 10/09/2010 15:40:38.4.2 - x86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2804 [GMT -4:00]Running from: c:\documents and settings\steve\Desktop\Combo-Fix.exeCommand switches used :: c:\documents and settings\steve\Desktop\CFScript.txtAV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}FILE ::"c:\windows\Jmicevuladi.bin""c:\windows\Ydiyucowo.dat".((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\windows\Jmicevuladi.binc:\windows\Ydiyucowo.dat.((((((((((((((((((((((((( Files Created from 2010-09-09 to 2010-10-09 ))))))))))))))))))))))))))))))).2010-10-08 16:55 . 2010-10-08 16:55 -------- d-----w- c:\program files\ESET2010-10-08 15:28 . 2010-10-08 15:28 -------- d-sh--w- c:\documents and settings\steve\PrivacIE2010-10-08 15:12 . 2010-10-08 15:12 63488 ----a-w- c:\documents and settings\steve\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll2010-10-08 15:12 . 2010-10-08 15:12 52224 ----a-w- c:\documents and settings\steve\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll2010-10-08 15:12 . 2010-10-08 15:12 117760 ----a-w- c:\documents and settings\steve\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL2010-10-08 15:10 . 2010-10-08 15:10 -------- d-----w- c:\documents and settings\steve\Application Data\SUPERAntiSpyware.com2010-10-08 15:10 . 2010-10-08 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com2010-10-08 15:09 . 2010-10-08 15:10 -------- d-----w- c:\program files\SUPERAntiSpyware2010-10-07 08:36 . 2010-10-07 08:36 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache2010-10-06 13:25 . 2010-10-06 13:25 -------- d-----w- c:\windows\system32\oldcatroot22010-10-06 13:24 . 2010-10-06 13:24 -------- d-----w- c:\windows\RegBackups2010-10-06 13:05 . 2010-10-06 13:05 -------- d-sh--w- c:\documents and settings\steve\IECompatCache2010-10-06 02:47 . 2010-10-06 02:47 -------- d-----w- c:\windows\system32\scripting2010-10-06 02:47 . 2010-10-06 02:47 -------- d-----w- c:\windows\system32\en2010-10-06 02:47 . 2010-10-06 02:47 -------- d-----w- c:\windows\system32\bits2010-10-06 02:47 . 2010-10-06 02:47 -------- d-----w- c:\windows\l2schemas2010-10-06 02:41 . 2010-10-06 02:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache2010-10-06 02:32 . 2010-10-06 02:32 -------- d-sh--w- c:\documents and settings\steve\IETldCache2010-10-06 02:29 . 2010-10-06 02:29 -------- dc-h--w- c:\windows\ie82010-10-01 12:16 . 2010-10-01 12:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe2010-09-29 00:36 . 2010-09-29 00:36 -------- d-s---w- c:\documents and settings\NetworkService\UserData2010-09-28 18:18 . 2010-09-28 18:18 -------- d-----w- c:\documents and settings\steve\Application Data\Malwarebytes2010-09-28 18:18 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-09-28 18:18 . 2010-09-28 18:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-09-28 18:18 . 2010-09-28 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes2010-09-28 18:18 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-09-28 12:52 . 2010-09-28 12:52 -------- d-----w- c:\windows\system32\wbem\Repository2010-09-27 20:22 . 2010-09-28 12:52 -------- d-----w- c:\documents and settings\steve\Application Data\Genieo2010-09-10 13:46 . 2010-09-10 13:46 0 ----a-w- c:\windows\nsreg.dat2010-09-10 13:46 . 2010-09-10 13:46 -------- d-----w- c:\documents and settings\steve\Local Settings\Application Data\Mozilla.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-10-09 19:40 . 2007-04-19 07:06 -------- d-----w- c:\program files\Picasa22010-10-08 16:44 . 2010-10-08 18:21 175096 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat2010-10-06 16:02 . 2007-04-19 07:06 -------- d-----w- c:\program files\Google2010-10-06 02:50 . 2007-04-19 06:38 94291 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat2010-10-06 02:48 . 2007-04-19 06:36 -------- d-----w- c:\program files\Windows Journal2010-10-04 17:47 . 2008-12-12 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8.------- Sigcheck -------[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys[-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys[-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\ERDNT\cache\tcpip.sys[-] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\oldDownload\79123dd72d0f61d4ed8c7a816ed338d7\tcpip.sys[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\rpcss.dll[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\rpcss.dll[-] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll[-] 2009-02-09 . 24B5D53B9ACCC1E2EDCF0A878D6659D4 . 401408 . . [5.1.2600.3520] . . c:\windows\$NtServicePackUninstall$\rpcss.dll[-] 2009-02-09 . 24B5D53B9ACCC1E2EDCF0A878D6659D4 . 401408 . . [5.1.2600.3520] . . c:\windows\ERDNT\cache\rpcss.dll[7] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rpcss.dll[7] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\oldDownload\79123dd72d0f61d4ed8c7a816ed338d7\rpcss.dll[-] 2005-07-26 . C369DF215D352B6F3A0B8C3469AA34F8 . 398336 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll[-] 2005-04-28 . DA383FB39A6F1C445F3AFC94B3EB1248 . 396288 . . [5.1.2600.2665] . . c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll[-] 2005-01-14 . 94456045BEB4545B5EBE1DCC85951AFA . 395776 . . [5.1.2600.2595] . . c:\windows\$hf_mig$\KB873333\SP2QFE\rpcss.dll[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\services.exe[-] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe[-] 2009-02-06 . 4712531AB7A01B7EE059853CA17D39BD . 110592 . . [5.1.2600.3520] . . c:\windows\$NtServicePackUninstall$\services.exe[-] 2009-02-06 . 4712531AB7A01B7EE059853CA17D39BD . 110592 . . [5.1.2600.3520] . . c:\windows\ERDNT\cache\services.exe[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\services.exe[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\oldDownload\79123dd72d0f61d4ed8c7a816ed338d7\services.exe[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\$NtServicePackUninstall$\es.dll[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\ERDNT\cache\es.dll[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll[-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll[-] 2008-07-07 20:06 . A4AB3DCA4A383F0DF4988ABDEB84F9A4 . 253952 . . [2001.12.4414.320] . . c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll[7] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\ServicePackFiles\i386\es.dll[7] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\SoftwareDistribution\oldDownload\79123dd72d0f61d4ed8c7a816ed338d7\es.dll[-] 2005-07-26 04:20 . 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 . 243200 . . [2001.12.4414.308] . . c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll[-] 2009-03-21 . B6ACAED7588295129791E0E6A2B0FADE . 986112 . . [5.1.2600.3541] . . c:\windows\$NtServicePackUninstall$\kernel32.dll[-] 2009-03-21 . B6ACAED7588295129791E0E6A2B0FADE . 986112 . . [5.1.2600.3541] . . c:\windows\ERDNT\cache\kernel32.dll[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3GDR\kernel32.dll[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll[-] 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll[-] 2009-03-21 . 80202858D245FF07DAA1739C57A3E19B . 989184 . . [5.1.2600.3541] . . c:\windows\$hf_mig$\KB959426\SP2QFE\kernel32.dll[7] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\kernel32.dll[7] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\oldDownload\79123dd72d0f61d4ed8c7a816ed338d7\kernel32.dll[-] 2007-04-16 . 09F7CB3687F86EDAA4CA081F7AB66C03 . 986112 . . [5.1.2600.3119] . . c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\mswsock.dll[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll[-] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll[-] 2008-06-20 . 097722F235A1FB698BF9234E01B52637 . 245248 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\mswsock.dll[-] 2008-06-20 . 097722F235A1FB698BF9234E01B52637 . 245248 . . [5.1.2600.3394] . . c:\windows\ERDNT\cache\mswsock.dll[-] 2008-06-20 . 1DFCA7713EA5A70D5D93B436AEA0317A . 245248 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\mswsock.dll[7] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\mswsock.dll[7] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\oldDownload\79123dd72d0f61d4ed8c7a816ed338d7\mswsock.dll[-] 2010-02-17 . D41C3CBAD0E1C0728D1CDFD541F60CFA . 2189952 . . [5.1.2600.5938] . . c:\windows\$hf_mig$\KB979683\SP3GDR\ntoskrnl.exe[-] 2010-02-17 . D41C3CBAD0E1C0728D1CDFD541F60CFA . 2189952 . . [5.1.2600.5938] . . c:\windows\Driver Cache\i386\ntoskrnl.exe[-] 2010-02-17 . D41C3CBAD0E1C0728D1CDFD541F60CFA . 2189952 . . [5.1.2600.5938] . . c:\windows\system32\dllcache\ntoskrnl.exe[-] 2010-02-16 . 4F1BBAF9BA10B29022FB3F5FAC32D022 . 2143744 . . [5.1.2600.3670] . . c:\windows\$NtServicePackUninstall$\ntoskrnl.exe[-] 2010-02-16 . 4F1BBAF9BA10B29022FB3F5FAC32D022 . 2143744 . . [5.1.2600.3670] . . c:\windows\ERDNT\cache\ntoskrnl.exe[-] 2010-02-16 . 048DB3459FAB4CA741DCC84E1F374D65 . 2146304 . . [5.1.2600.5938] . . c:\windows\system32\ntoskrnl.exe[-] 2010-02-16 . E1F653A542449D54FA2D27463D99B6B6 . 2190080 . . [5.1.2600.5938] . . c:\windows\$hf_mig$\KB979683\SP3QFE\ntoskrnl.exe[-] 2009-12-09 . 05BE3D9A71972223AFF6A3C823BA51B1 . 2189312 . . [5.1.2600.5913] . . c:\windows\$hf_mig$\KB977165\SP3QFE\ntoskrnl.exe[-] 2009-12-08 . 78EC47F9B9A3A1D539262D8834C896CE . 2189184 . . [5.1.2600.5913] . . c:\windows\$hf_mig$\KB977165\SP3GDR\ntoskrnl.exe[-] 2009-08-05 . 8415D9C7C050E7022AED8ABF281BE4A6 . 2189184 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3GDR\ntoskrnl.exe[-] 2009-08-04 . FDE779EA1A564EBFE16F4E0F82B61BAD . 2189312 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntoskrnl.exe[-] 2009-02-07 . EFE8EACE83EAAD5849A7A548FB75B584 . 2189184 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe[-] 2009-02-06 . 7A95B10A73737EBF24139AAA63F5212B . 2189056 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe[-] 2008-08-15 . 31914172342BFF330063F343AC6958FE . 2189184 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe[-] 2008-08-14 . EEAF32F8E15A24F62BECB1BD403BB5C5 . 2189184 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe[7] 2008-04-13 . 0C89243C7C3EE199B96FCC16990E0679 . 2188928 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ntoskrnl.exe[7] 2008-04-13 . 0C89243C7C3EE199B96FCC16990E0679 . 2188928 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\oldDownload\79123dd72d0f61d4ed8c7a816ed338d7\ntoskrnl.exe[-] 2005-03-02 . 28187802B7C368C0D3AEF7D4C382AABB . 2179456 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe[-] 2010-02-16 . 115964D2E8323D9DE4FF5B74795AA0D5 . 2021888 . . [5.1.2600.3670] . . c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe[-] 2010-02-16 . 115964D2E8323D9DE4FF5B74795AA0D5 . 2021888 . . [5.1.2600.3670] . . c:\windows\ERDNT\cache\ntkrnlpa.exe[-] 2010-02-16 . A046C627EC20456E2959B7BD628E1FD0 . 2066816 . . [5.1.2600.5938] . . c:\windows\$hf_mig$\KB979683\SP3GDR\ntkrnlpa.exe[-] 2010-02-16 . A046C627EC20456E2959B7BD628E1FD0 . 2066816 . . [5.1.2600.5938] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe[-] 2010-02-16 . E8B8801DE921912EBDEEFC76662F7EAD . 2024448 . . [5.1.2600.5938] . . c:\windows\system32\ntkrnlpa.exe[-] 2010-02-16 . A046C627EC20456E2959B7BD628E1FD0 . 2066816 . . [5.1.2600.5938] . . c:\windows\system32\dllcache\ntkrnlpa.exe[-] 2010-02-16 . DED8B5A89B085284634502E9D75AC78C . 2066944 . . [5.1.2600.5938] . . c:\windows\$hf_mig$\KB979683\SP3QFE\ntkrnlpa.exe[-] 2009-12-09 . FFDCE1EEA79C678C40237D4E031E5B51 . 2066176 . . [5.1.2600.5913] . . c:\windows\$hf_mig$\KB977165\SP3QFE\ntkrnlpa.exe[-] 2009-12-08 . A6683E23468776F75EB2D8C6A02AAD3B . 2066048 . . [5.1.2600.5913] . . c:\windows\$hf_mig$\KB977165\SP3GDR\ntkrnlpa.exe[-] 2009-08-04 . 363B2BBEE0AEDC9E5433616D0AD0236A . 2066176 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntkrnlpa.exe[-] 2009-08-04 . 7437BA6F538E89381A2E3643AED296C7 . 2066048 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3GDR\ntkrnlpa.exe[-] 2009-02-07 . 5BA7F2141BC6DB06100D0E5A732C617A . 2066048 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe[-] 2009-02-06 . 607352B9CB3D708C67F6039097801B5A . 2066176 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe[-] 2008-08-14 . A25E9B86EFFB2AF33BF51E676B68BFB0 . 2066048 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe[-] 2008-08-14 . 4AC58F03EB94A72809949D757FC39D80 . 2066048 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe[7] 2008-04-13 . 109F8E3E3C82E337BB71B6BC9B895D61 . 2065792 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ntkrnlpa.exe[7] 2008-04-13 . 109F8E3E3C82E337BB71B6BC9B895D61 . 2065792 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\oldDownload\79123dd72d0f61d4ed8c7a816ed338d7\ntkrnlpa.exe[-] 2005-03-01 . D8ABA3EAB509627E707A3B14F00FBB6B . 2056832 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe.((((((((((((((((((((((((((((( SnapShot_2010-10-09_18.10.14 ))))))))))))))))))))))))))))))))))))))))).+ 2007-04-19 06:36 . 2004-08-04 12:00 16384 c:\windows\system32\dllcache\splshwrp.exe- 2007-04-19 06:36 . 2008-04-14 00:12 16384 c:\windows\system32\dllcache\splshwrp.exe+ 2007-04-19 06:36 . 2004-08-04 12:00 16384 c:\windows\Help\SplshWrp.exe- 2007-04-19 06:36 . 2008-04-14 00:12 16384 c:\windows\Help\splshwrp.exe.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-28 2424560][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ATSwpNav"="c:\program files\Fingerprint Sensor\ATSwpNav -run" [X]"TabletWizard"="c:\windows\help\SplshWrp.exe" [2004-08-04 16384]"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-14 52832]"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-02-21 366400]"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2006-07-13 90112]"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-12 2048352]"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 89541][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]"NoDevMgrUpdate"= 0 (0x0)[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]2009-08-28 13:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]2006-06-11 01:02 49152 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]2002-08-29 10:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"LiveUpdate"=3 (0x3)[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusOverride"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"=R0 FBIOSDRV;FBIOSDRV;c:\windows\system32\drivers\FBIOSDRV.SYS [4/19/2007 3:03 AM 8960]R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [4/19/2007 3:03 AM 10496]R0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [4/19/2007 3:05 AM 7168]R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [10/3/2006 4:23 PM 36640]R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [10/12/2006 2:47 PM 33152]R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/11/2008 8:39 PM 335240]R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/11/2008 8:39 PM 108552]R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/11/2008 8:39 PM 908056]R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/11/2008 8:39 PM 297752]R3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\drivers\FjBtnDrv.sys [4/19/2007 3:04 AM 17920]R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [4/19/2007 2:42 AM 4864]R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [4/19/2007 2:42 AM 30976]R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/19/2007 2:42 AM 36608]R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [10/12/2007 5:04 PM 99200]R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [3/8/2006 1:44 AM 92550]S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [4/18/2007 7:35 PM 14208]..------- Supplementary Scan -------.uStart Page = hxxp://google.com/uInternet Connection Wizard,ShellNext = hxxp://us.fujitsu.com/computersuSearchAssistant = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://www.google.com/search?q=%sIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.htmlFF - ProfilePath - c:\documents and settings\steve\Application Data\Mozilla\Firefox\Profiles\yo1b15j8.default\FF - prefs.js: browser.search.selectedEngine - GoogleFF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:officialFF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101059100&s=FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\---- FIREFOX POLICIES ----FF - user.js: browser.search.selectedEngine - GoogleFF - user.js: browser.search.order.1 - GoogleFF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101059100&s=c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);.Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.netdevice: opened successfullyuser: MBR read successfullycalled modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A48AC56]<< kernel: MBR read successfullydetected MBR rootkit hooks:\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8\Driver\atapi -> atapi.sys @ 0xb9e35852\Driver\iaStor -> iaStor.sys @ 0xb9e50c1aIoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8NDIS: Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9d29bb0 PacketIndicateHandler -> NDIS.sys @ 0xb9d18a0d SendHandler -> NDIS.sys @ 0xb9d2cb40user & kernel MBR OK **************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(792)c:\program files\SUPERAntiSpyware\SASWINLO.DLLc:\program files\Softex\OmniPass\opxpgina.dllc:\windows\system32\tpgwlnot.dll.Completion time: 2010-10-09 15:49:51ComboFix-quarantined-files.txt 2010-10-09 19:49ComboFix2.txt 2010-10-09 18:13ComboFix3.txt 2010-10-05 18:22ComboFix4.txt 2010-09-28 20:27Pre-Run: 147,229,675,520 bytes freePost-Run: 147,514,380,288 bytes free- - End Of File - - 7FEB67749D9E53D8338E1D9699A4162E Link to post Share on other sites More sharing options...
Maniac Posted October 9, 2010 ID:325120 Share Posted October 9, 2010 Thanks!Download mbr.exe to your Desktop.Doubleclick mbr.exe and follow prompts.When mbr.exe is ready, it will create a log.Copy and paste contents of that file to your next reply. Link to post Share on other sites More sharing options...
wormfishin Posted October 9, 2010 Author ID:325125 Share Posted October 9, 2010 Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.netdevice: opened successfullyuser: MBR read successfullykernel: MBR read successfullyuser & kernel MBR OK Link to post Share on other sites More sharing options...
Maniac Posted October 9, 2010 ID:325128 Share Posted October 9, 2010 Please upload this file to www.virustotal.com and post the resaults in your next reply:c:\windows\system32\kernel32.dll Link to post Share on other sites More sharing options...
wormfishin Posted October 9, 2010 Author ID:325131 Share Posted October 9, 2010 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.File name:kernel32.dllSubmission date:2010-10-09 21:08:35 (UTC)Current status:queued (#9) queued (#9) analysing finishedResult:0/ 43 (0.0%)VT Communitynot reviewed Safety score: - CompactPrint resultsAntivirus Version Last Update ResultAhnLab-V3 2010.10.10.00 2010.10.09 -AntiVir 7.10.12.167 2010.10.08 -Antiy-AVL 2.0.3.7 2010.10.09 -Authentium 5.2.0.5 2010.10.09 -Avast 4.8.1351.0 2010.10.09 -Avast5 5.0.594.0 2010.10.09 -AVG 9.0.0.851 2010.10.09 -BitDefender 7.2 2010.10.09 -CAT-QuickHeal 11.00 2010.10.09 -ClamAV 0.96.2.0-git 2010.10.09 -Comodo 6333 2010.10.09 -DrWeb 5.0.2.03300 2010.10.09 -Emsisoft 5.0.0.50 2010.10.09 -eSafe 7.0.17.0 2010.10.07 -eTrust-Vet 36.1.7901 2010.10.08 -F-Prot 4.6.2.117 2010.10.09 -F-Secure 9.0.15370.0 2010.10.09 -Fortinet 4.2.249.0 2010.10.09 -GData 21 2010.10.09 -Ikarus T3.1.1.90.0 2010.10.09 -Jiangmin 13.0.900 2010.10.09 -K7AntiVirus 9.65.2713 2010.10.09 -Kaspersky 7.0.0.125 2010.10.09 -McAfee 5.400.0.1158 2010.10.09 -McAfee-GW-Edition 2010.1C 2010.10.09 -Microsoft 1.6201 2010.10.09 -NOD32 5518 2010.10.09 -Norman 6.06.07 2010.10.09 -nProtect 2010-10-09.01 2010.10.09 -Panda 10.0.2.7 2010.10.09 -PCTools 7.0.3.5 2010.10.09 -Prevx 3.0 2010.10.09 -Rising 22.68.05.00 2010.10.09 -Sophos 4.58.0 2010.10.09 -Sunbelt 7025 2010.10.09 -SUPERAntiSpyware 4.40.0.1006 2010.10.09 -Symantec 20101.2.0.161 2010.10.09 -TheHacker 6.7.0.1.053 2010.10.09 -TrendMicro 9.120.0.1004 2010.10.09 -TrendMicro-HouseCall 9.120.0.1004 2010.10.09 -VBA32 3.12.14.1 2010.10.08 -ViRobot 2010.9.25.4060 2010.10.09 -VirusBuster 12.67.10.0 2010.10.09 -Additional informationShow allMD5 : b921fb870c9ac0d509b2ccabbbbe95f3SHA1 : c88d57cc99f75cd928b47b6e444231f26670138fSHA256: d3b69a8b59e07e775f99871c4ad107a4f72f392325695e7f261f6aa6e590d4e6ssdeep: 12288:7wLw6PKp1IgSq1cNfxVNLww0I7OM4mQRQ:XpWHfnNLxwaQRQFile size : 989696 bytesFirst seen: 2009-04-16 16:51:52Last seen : 2010-10-09 21:08:35TrID:Win64 Executable Generic (42.6%)Win32 EXE PECompact compressed (generic) (20.7%)Win32 Executable MS Visual C++ (generic) (18.8%)Win 9x/ME Control Panel applet (7.7%)Win32 Executable Generic (4.2%)sigcheck:publisher....: Microsoft Corporationcopyright....: © Microsoft Corporation. All rights reserved.product......: Microsoft_ Windows_ Operating Systemdescription..: Windows NT BASE API Client DLLoriginal name: kernel32internal name: kernel32file version.: 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)comments.....: n/asigners......: -signing date.: -verified.....: UnsignedPEInfo: PE structure information[[ basic data ]]entrypointaddress: 0xB64Etimedatestamp....: 0x49C4F482 (Sat Mar 21 14:06:58 2009)machinetype......: 0x14c (I386)[[ 4 section(s) ]]name, viradd, virsiz, rawdsiz, ntropy, md5.text, 0x1000, 0x831E9, 0x83200, 6.66, 20e7d84df75e06dfbc481e20c3e7f8d2.data, 0x85000, 0x4460, 0x2600, 0.59, dd0a1d702ba641dd9a3e4aa8d1896aec.rsrc, 0x8A000, 0x65EE8, 0x66000, 3.39, c875d981cddbef706b9ead3eb62aec87.reloc, 0xF0000, 0x5C84, 0x5E00, 6.62, 55b85ac969f28a4d4dff5820d55ffa12[[ 1 import(s) ]]ntdll.dll: _wcsnicmp, NtFsControlFile, NtCreateFile, RtlAllocateHeap, RtlFreeHeap, NtOpenFile, NtQueryInformationFile, NtQueryEaFile, RtlLengthSecurityDescriptor, NtQuerySecurityObject, NtSetEaFile, NtSetSecurityObject, NtSetInformationFile, CsrClientCallServer, NtDeviceIoControlFile, NtClose, RtlInitUnicodeString, wcscspn, RtlUnicodeToMultiByteSize, wcslen, _memicmp, memmove, NtQueryValueKey, NtOpenKey, NtFlushKey, NtSetValueKey, NtCreateKey, RtlNtStatusToDosError, RtlFreeUnicodeString, RtlDnsHostNameToComputerName, wcsncpy, RtlUnicodeStringToAnsiString, RtlxUnicodeStringToAnsiSize, NlsMbCodePageTag, RtlAnsiStringToUnicodeString, RtlInitAnsiString, RtlCreateUnicodeStringFromAsciiz, wcschr, wcsstr, RtlPrefixString, _wcsicmp, RtlGetFullPathName_U, RtlGetCurrentDirectory_U, NtQueryInformationProcess, RtlUnicodeStringToOemString, RtlReleasePebLock, RtlEqualUnicodeString, RtlAcquirePebLock, RtlFreeAnsiString, RtlSetCurrentDirectory_U, RtlTimeToTimeFields, NtSetSystemTime, RtlTimeFieldsToTime, NtQuerySystemInformation, RtlSetTimeZoneInformation, NtSetSystemInformation, RtlCutoverTimeToSystemTime, _allmul, NtEnumerateKey, RtlOpenCurrentUser, RtlQueryRegistryValues, _itow, DbgBreakPoint, RtlFreeSid, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, RtlAllocateAndInitializeSid, DbgPrint, NtOpenProcess, CsrGetProcessId, DbgUiDebugActiveProcess, DbgUiConnectToDbg, DbgUiIssueRemoteBreakin, NtSetInformationDebugObject, DbgUiGetThreadDebugObject, NtQueryInformationThread, DbgUiConvertStateChangeStructure, DbgUiWaitStateChange, DbgUiContinue, DbgUiStopDebugging, RtlDosPathNameToNtPathName_U, RtlIsDosDeviceName_U, RtlCreateAtomTable, NtAddAtom, RtlAddAtomToAtomTable, NtFindAtom, RtlLookupAtomInAtomTable, NtDeleteAtom, RtlDeleteAtomFromAtomTable, NtQueryInformationAtom, RtlQueryAtomInAtomTable, RtlOemStringToUnicodeString, RtlMultiByteToUnicodeN, RtlUnicodeToMultiByteN, RtlMultiByteToUnicodeSize, RtlPrefixUnicodeString, RtlLeaveCriticalSection, RtlEnterCriticalSection, NtEnumerateValueKey, RtlIsTextUnicode, NtReadFile, NtAllocateVirtualMemory, NtUnlockFile, NtLockFile, RtlAppendUnicodeStringToString, RtlAppendUnicodeToString, RtlCopyUnicodeString, NtFreeVirtualMemory, NtWriteFile, RtlCreateUnicodeString, RtlFormatCurrentUserKeyPath, RtlGetLongestNtPathLength, NtDuplicateObject, NtQueryKey, NtDeleteValueKey, RtlEqualString, CsrFreeCaptureBuffer, CsrCaptureMessageString, CsrAllocateCaptureBuffer, strncpy, RtlCharToInteger, RtlUpcaseUnicodeChar, RtlUpcaseUnicodeString, CsrAllocateMessagePointer, NtQueryObject, wcscmp, RtlCompareMemory, NtQueryDirectoryObject, NtQuerySymbolicLinkObject, NtOpenSymbolicLinkObject, NtOpenDirectoryObject, NtCreateIoCompletion, NtSetIoCompletion, NtRemoveIoCompletion, NtSetInformationProcess, NtQueryDirectoryFile, RtlDeleteCriticalSection, NtNotifyChangeDirectoryFile, NtWaitForSingleObject, RtlInitializeCriticalSection, NtQueryVolumeInformationFile, NtFlushBuffersFile, RtlDeactivateActivationContextUnsafeFast, RtlActivateActivationContextUnsafeFast, NtCancelIoFile, NtReadFileScatter, NtWriteFileGather, wcscpy, NtOpenSection, NtMapViewOfSection, NtFlushVirtualMemory, RtlFlushSecureMemoryCache, NtUnmapViewOfSection, NtCreateSection, NtQueryFullAttributesFile, swprintf, NtQueryAttributesFile, RtlDetermineDosPathNameType_U, NtRaiseHardError, NtQuerySystemEnvironmentValueEx, RtlGUIDFromString, NtSetSystemEnvironmentValueEx, RtlInitString, RtlUnlockHeap, RtlSetUserValueHeap, RtlFreeHandle, RtlAllocateHandle, RtlLockHeap, RtlSizeHeap, RtlGetUserInfoHeap, RtlReAllocateHeap, RtlIsValidHandle, RtlCompactHeap, RtlImageNtHeader, NtProtectVirtualMemory, NtQueryVirtualMemory, NtLockVirtualMemory, NtUnlockVirtualMemory, NtFlushInstructionCache, NtAllocateUserPhysicalPages, NtFreeUserPhysicalPages, NtMapUserPhysicalPages, NtMapUserPhysicalPagesScatter, NtGetWriteWatch, NtResetWriteWatch, NtSetInformationObject, LdrQueryImageFileExecutionOptions, CsrNewThread, CsrClientConnectToServer, RtlCreateTagHeap, LdrSetDllManifestProber, RtlSetThreadPoolStartFunc, RtlEncodePointer, _stricmp, wcscat, RtlCreateHeap, RtlDestroyHeap, RtlExtendHeap, RtlQueryTagHeap, RtlUsageHeap, RtlValidateHeap, RtlGetProcessHeaps, RtlWalkHeap, RtlSetHeapInformation, RtlQueryHeapInformation, RtlInitializeHandleTable, RtlExtendedLargeIntegerDivide, NtCreateMailslotFile, RtlFormatMessage, RtlFindMessage, LdrUnloadDll, LdrUnloadAlternateResourceModule, LdrDisableThreadCalloutsForDll, strchr, LdrGetDllHandle, LdrUnlockLoaderLock, LdrAddRefDll, RtlComputePrivatizedDllName_U, RtlPcToFileHeader, LdrLockLoaderLock, RtlGetVersion, LdrEnumerateLoadedModules, RtlVerifyVersionInfo, RtlUnicodeStringToInteger, LdrLoadAlternateResourceModule, RtlDosApplyFileIsolationRedirection_Ustr, LdrLoadDll, LdrGetProcedureAddress, LdrFindResource_U, LdrAccessResource, LdrFindResourceDirectory_U, RtlImageDirectoryEntryToData, _strcmpi, NtSetInformationThread, NtOpenThreadToken, NtCreateNamedPipeFile, RtlDefaultNpAcl, RtlDosSearchPath_Ustr, RtlInitUnicodeStringEx, RtlQueryEnvironmentVariable_U, RtlAnsiCharToUnicodeChar, RtlIntegerToChar, NtSetVolumeInformationFile, RtlIsNameLegalDOS8Dot3, NtQueryPerformanceCounter, sprintf, NtPowerInformation, NtInitiatePowerAction, NtSetThreadExecutionState, NtRequestWakeupLatency, NtGetDevicePowerState, NtIsSystemResumeAutomatic, NtRequestDeviceWakeup, NtCancelDeviceWakeupRequest, NtWriteVirtualMemory, LdrShutdownProcess, NtTerminateProcess, RtlRaiseStatus, RtlSetEnvironmentVariable, RtlExpandEnvironmentStrings_U, NtReadVirtualMemory, RtlCompareUnicodeString, NtCreateJobSet, NtCreateJobObject, NtIsProcessInJob, RtlEqualSid, RtlSubAuthoritySid, RtlInitializeSid, NtQueryInformationToken, NtOpenProcessToken, NtResumeThread, NtAssignProcessToJobObject, CsrCaptureMessageMultiUnicodeStringsInPlace, NtCreateThread, NtCreateProcessEx, RtlDestroyEnvironment, NtQuerySection, NtQueryInformationJobObject, RtlGetNativeSystemInformation, RtlxAnsiStringToUnicodeSize, NtOpenEvent, NtQueryEvent, NtTerminateThread, wcsrchr, NlsMbOemCodePageTag, RtlxUnicodeStringToOemSize, NtAdjustPrivilegesToken, RtlImpersonateSelf, wcsncmp, RtlDestroyProcessParameters, RtlCreateProcessParameters, RtlInitializeCriticalSectionAndSpinCount, NtSetEvent, NtClearEvent, NtPulseEvent, NtCreateSemaphore, NtOpenSemaphore, NtReleaseSemaphore, NtCreateMutant, NtOpenMutant, NtReleaseMutant, NtSignalAndWaitForSingleObject, NtWaitForMultipleObjects, NtDelayExecution, NtCreateTimer, NtOpenTimer, NtSetTimer, NtCancelTimer, NtCreateEvent, RtlCopyLuid, strrchr, _vsnwprintf, RtlReleaseActivationContext, RtlActivateActivationContextEx, RtlQueryInformationActivationContext, NtOpenThread, LdrShutdownThread, RtlFreeThreadActivationContextStack, NtGetContextThread, NtSetContextThread, NtSuspendThread, RtlRaiseException, RtlDecodePointer, towlower, RtlClearBits, RtlFindClearBitsAndSet, RtlAreBitsSet, NtQueueApcThread, NtYieldExecution, RtlRegisterWait, RtlDeregisterWait, RtlDeregisterWaitEx, RtlQueueWorkItem, RtlSetIoCompletionCallback, RtlCreateTimerQueue, RtlCreateTimer, RtlUpdateTimer, RtlDeleteTimer, RtlDeleteTimerQueueEx, CsrIdentifyAlertableThread, RtlApplicationVerifierStop, _alloca_probe, RtlDestroyQueryDebugBuffer, RtlQueryProcessDebugInformation, RtlCreateQueryDebugBuffer, RtlCreateEnvironment, RtlFreeOemString, strstr, toupper, isdigit, atol, tolower, NtOpenJobObject, NtTerminateJobObject, NtSetInformationJobObject, RtlAddRefActivationContext, RtlZombifyActivationContext, RtlActivateActivationContext, RtlDeactivateActivationContext, RtlGetActiveActivationContext, DbgPrintEx, LdrDestroyOutOfProcessImage, LdrAccessOutOfProcessResource, LdrFindCreateProcessManifest, LdrCreateOutOfProcessImage, RtlNtStatusToDosErrorNoTeb, RtlpApplyLengthFunction, RtlGetLengthWithoutLastFullDosOrNtPathElement, RtlpEnsureBufferSize, RtlMultiAppendUnicodeStringBuffer, _snwprintf, RtlCreateActivationContext, RtlFindActivationContextSectionString, RtlFindActivationContextSectionGuid, _allshl, RtlNtPathNameToDosPathName, RtlUnhandledExceptionFilter, CsrCaptureMessageBuffer, NtQueryInstallUILanguage, NtQueryDefaultUILanguage, wcspbrk, RtlGetDaclSecurityDescriptor, NtCreateDirectoryObject, _wcslwr, _wtol, RtlIntegerToUnicodeString, NtQueryDefaultLocale, _strlwr, RtlUnwind[[ 954 export(s) ]]ActivateActCtx, AddAtomA, AddAtomW, AddConsoleAliasA, AddConsoleAliasW, AddLocalAlternateComputerNameA, AddLocalAlternateComputerNameW, AddRefActCtx, AddVectoredExceptionHandler, AllocConsole, AllocateUserPhysicalPages, AreFileApisANSI, AssignProcessToJobObject, AttachConsole, BackupRead, BackupSeek, BackupWrite, BaseCheckAppcompatCache, BaseCleanupAppcompatCache, BaseCleanupAppcompatCacheSupport, BaseDumpAppcompatCache, BaseFlushAppcompatCache, BaseInitAppcompatCache, BaseInitAppcompatCacheSupport, BaseProcessInitPostImport, BaseQueryModuleData, BaseUpdateAppcompatCache, BasepCheckWinSaferRestrictions, Beep, BeginUpdateResourceA, BeginUpdateResourceW, BindIoCompletionCallback, BuildCommDCBA, BuildCommDCBAndTimeoutsA, BuildCommDCBAndTimeoutsW, BuildCommDCBW, CallNamedPipeA, CallNamedPipeW, CancelDeviceWakeupRequest, CancelIo, CancelTimerQueueTimer, CancelWaitableTimer, ChangeTimerQueueTimer, CheckNameLegalDOS8Dot3A, CheckNameLegalDOS8Dot3W, CheckRemoteDebuggerPresent, ClearCommBreak, ClearCommError, CloseConsoleHandle, CloseHandle, CloseProfileUserMapping, CmdBatNotification, CommConfigDialogA, CommConfigDialogW, CompareFileTime, CompareStringA, CompareStringW, ConnectNamedPipe, ConsoleMenuControl, ContinueDebugEvent, ConvertDefaultLocale, ConvertFiberToThread, ConvertThreadToFiber, CopyFileA, CopyFileExA, CopyFileExW, CopyFileW, CopyLZFile, CreateActCtxA, CreateActCtxW, CreateConsoleScreenBuffer, CreateDirectoryA, CreateDirectoryExA, CreateDirectoryExW, CreateDirectoryW, CreateEventA, CreateEventW, CreateFiber, CreateFiberEx, CreateFileA, CreateFileMappingA, CreateFileMappingW, CreateFileW, CreateHardLinkA, CreateHardLinkW, CreateIoCompletionPort, CreateJobObjectA, CreateJobObjectW, CreateJobSet, CreateMailslotA, CreateMailslotW, CreateMemoryResourceNotification, CreateMutexA, CreateMutexW, CreateNamedPipeA, CreateNamedPipeW, CreateNlsSecurityDescriptor, CreatePipe, CreateProcessA, CreateProcessInternalA, CreateProcessInternalW, CreateProcessInternalWSecure, CreateProcessW, CreateRemoteThread, CreateSemaphoreA, CreateSemaphoreW, CreateSocketHandle, CreateTapePartition, CreateThread, CreateTimerQueue, CreateTimerQueueTimer, CreateToolhelp32Snapshot, CreateVirtualBuffer, CreateWaitableTimerA, CreateWaitableTimerW, DeactivateActCtx, DebugActiveProcess, DebugActiveProcessStop, DebugBreak, DebugBreakProcess, DebugSetProcessKillOnExit, DecodePointer, DecodeSystemPointer, DefineDosDeviceA, DefineDosDeviceW, DelayLoadFailureHook, DeleteAtom, DeleteCriticalSection, DeleteFiber, DeleteFileA, DeleteFileW, DeleteTimerQueue, DeleteTimerQueueEx, DeleteTimerQueueTimer, DeleteVolumeMountPointA, DeleteVolumeMountPointW, DeviceIoControl, DisableThreadLibraryCalls, DisconnectNamedPipe, DnsHostnameToComputerNameA, DnsHostnameToComputerNameW, DosDateTimeToFileTime, DosPathToSessionPathA, DosPathToSessionPathW, DuplicateConsoleHandle, DuplicateHandle, EncodePointer, EncodeSystemPointer, EndUpdateResourceA, EndUpdateResourceW, EnterCriticalSection, EnumCalendarInfoA, EnumCalendarInfoExA, EnumCalendarInfoExW, EnumCalendarInfoW, EnumDateFormatsA, EnumDateFormatsExA, EnumDateFormatsExW, EnumDateFormatsW, EnumLanguageGroupLocalesA, EnumLanguageGroupLocalesW, EnumResourceLanguagesA, EnumResourceLanguagesW, EnumResourceNamesA, EnumResourceNamesW, EnumResourceTypesA, EnumResourceTypesW, EnumSystemCodePagesA, EnumSystemCodePagesW, EnumSystemGeoID, EnumSystemLanguageGroupsA, EnumSystemLanguageGroupsW, EnumSystemLocalesA, EnumSystemLocalesW, EnumTimeFormatsA, EnumTimeFormatsW, EnumUILanguagesA, EnumUILanguagesW, EnumerateLocalComputerNamesA, EnumerateLocalComputerNamesW, EraseTape, EscapeCommFunction, ExitProcess, ExitThread, ExitVDM, ExpandEnvironmentStringsA, ExpandEnvironmentStringsW, ExpungeConsoleCommandHistoryA, ExpungeConsoleCommandHistoryW, ExtendVirtualBuffer, FatalAppExitA, FatalAppExitW, FatalExit, FileTimeToDosDateTime, FileTimeToLocalFileTime, FileTimeToSystemTime, FillConsoleOutputAttribute, FillConsoleOutputCharacterA, FillConsoleOutputCharacterW, FindActCtxSectionGuid, FindActCtxSectionStringA, FindActCtxSectionStringW, FindAtomA, FindAtomW, FindClose, FindCloseChangeNotification, FindFirstChangeNotificationA, FindFirstChangeNotificationW, FindFirstFileA, FindFirstFileExA, FindFirstFileExW, FindFirstFileW, FindFirstVolumeA, FindFirstVolumeMountPointA, FindFirstVolumeMountPointW, FindFirstVolumeW, FindNextChangeNotification, FindNextFileA, FindNextFileW, FindNextVolumeA, FindNextVolumeMountPointA, FindNextVolumeMountPointW, FindNextVolumeW, FindResourceA, FindResourceExA, FindResourceExW, FindResourceW, FindVolumeClose, FindVolumeMountPointClose, FlushConsoleInputBuffer, FlushFileBuffers, FlushInstructionCache, FlushViewOfFile, FoldStringA, FoldStringW, FormatMessageA, FormatMessageW, FreeConsole, FreeEnvironmentStringsA, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, FreeResource, FreeUserPhysicalPages, FreeVirtualBuffer, GenerateConsoleCtrlEvent, GetACP, GetAtomNameA, GetAtomNameW, GetBinaryType, GetBinaryTypeA, GetBinaryTypeW, GetCPFileNameFromRegistry, GetCPInfo, GetCPInfoExA, GetCPInfoExW, GetCalendarInfoA, GetCalendarInfoW, GetComPlusPackageInstallStatus, GetCommConfig, GetCommMask, GetCommModemStatus, GetCommProperties, GetCommState, GetCommTimeouts, GetCommandLineA, GetCommandLineW, GetCompressedFileSizeA, GetCompressedFileSizeW, GetComputerNameA, GetComputerNameExA, GetComputerNameExW, GetComputerNameW, GetConsoleAliasA, GetConsoleAliasExesA, GetConsoleAliasExesLengthA, GetConsoleAliasExesLengthW, GetConsoleAliasExesW, GetConsoleAliasW, GetConsoleAliasesA, GetConsoleAliasesLengthA, GetConsoleAliasesLengthW, GetConsoleAliasesW, GetConsoleCP, GetConsoleCharType, GetConsoleCommandHistoryA, GetConsoleCommandHistoryLengthA, GetConsoleCommandHistoryLengthW, GetConsoleCommandHistoryW, GetConsoleCursorInfo, GetConsoleCursorMode, GetConsoleDisplayMode, GetConsoleFontInfo, GetConsoleFontSize, GetConsoleHardwareState, GetConsoleInputExeNameA, GetConsoleInputExeNameW, GetConsoleInputWaitHandle, GetConsoleKeyboardLayoutNameA, GetConsoleKeyboardLayoutNameW, GetConsoleMode, GetConsoleNlsMode, GetConsoleOutputCP, GetConsoleProcessList, GetConsoleScreenBufferInfo, GetConsoleSelectionInfo, GetConsoleTitleA, GetConsoleTitleW, GetConsoleWindow, GetCurrencyFormatA, GetCurrencyFormatW, GetCurrentActCtx, GetCurrentConsoleFont, GetCurrentDirectoryA, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDateFormatA, GetDateFormatW, GetDefaultCommConfigA, GetDefaultCommConfigW, GetDefaultSortkeySize, GetDevicePowerState, GetDiskFreeSpaceA, GetDiskFreeSpaceExA, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetDllDirectoryA, GetDllDirectoryW, GetDriveTypeA, GetDriveTypeW, GetEnvironmentStrings, GetEnvironmentStringsA, GetEnvironmentStringsW, GetEnvironmentVariableA, GetEnvironmentVariableW, GetExitCodeProcess, GetExitCodeThread, GetExpandedNameA, GetExpandedNameW, GetFileAttributesA, GetFileAttributesExA, GetFileAttributesExW, GetFileAttributesW, GetFileInformationByHandle, GetFileSize, GetFileSizeEx, GetFileTime, GetFileType, GetFirmwareEnvironmentVariableA, GetFirmwareEnvironmentVariableW, GetFullPathNameA, GetFullPathNameW, GetGeoInfoA, GetGeoInfoW, GetHandleContext, GetHandleInformation, GetLargestConsoleWindowSize, GetLastError, GetLinguistLangSize, GetLocalTime, GetLocaleInfoA, GetLocaleInfoW, GetLogicalDriveStringsA, GetLogicalDriveStringsW, GetLogicalDrives, GetLogicalProcessorInformation, GetLongPathNameA, GetLongPathNameW, GetMailslotInfo, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExA, GetModuleHandleExW, GetModuleHandleW, GetNamedPipeHandleStateA, GetNamedPipeHandleStateW, GetNamedPipeInfo, GetNativeSystemInfo, GetNextVDMCommand, GetNlsSectionName, GetNumaAvailableMemory, GetNumaAvailableMemoryNode, GetNumaHighestNodeNumber, GetNumaNodeProcessorMask, GetNumaProcessorMap, GetNumaProcessorNode, GetNumberFormatA, GetNumberFormatW, GetNumberOfConsoleFonts, GetNumberOfConsoleInputEvents, GetNumberOfConsoleMouseButtons, GetOEMCP, GetOverlappedResult, GetPriorityClass, GetPrivateProfileIntA, GetPrivateProfileIntW, GetPrivateProfileSectionA, GetPrivateProfileSectionNamesA, GetPrivateProfileSectionNamesW, GetPrivateProfileSectionW, GetPrivateProfileStringA, GetPrivateProfileStringW, GetPrivateProfileStructA, GetPrivateProfileStructW, GetProcAddress, GetProcessAffinityMask, GetProcessDEPPolicy, GetProcessHandleCount, GetProcessHeap, GetProcessHeaps, GetProcessId, GetProcessIoCounters, GetProcessPriorityBoost, GetProcessShutdownParameters, GetProcessTimes, GetProcessVersion, GetProcessWorkingSetSize, GetProfileIntA, GetProfileIntW, GetProfileSectionA, GetProfileSectionW, GetProfileStringA, GetProfileStringW, GetQueuedCompletionStatus, GetShortPathNameA, GetShortPathNameW, GetStartupInfoA, GetStartupInfoW, GetStdHandle, GetStringTypeA, GetStringTypeExA, GetStringTypeExW, GetStringTypeW, GetSystemDEPPolicy, GetSystemDefaultLCID, GetSystemDefaultLangID, GetSystemDefaultUILanguage, GetSystemDirectoryA, GetSystemDirectoryW, GetSystemInfo, GetSystemPowerStatus, GetSystemRegistryQuota, GetSystemTime, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetSystemTimes, GetSystemWindowsDirectoryA, GetSystemWindowsDirectoryW, GetSystemWow64DirectoryA, GetSystemWow64DirectoryW, GetTapeParameters, GetTapePosition, GetTapeStatus, GetTempFileNameA, GetTempFileNameW, GetTempPathA, GetTempPathW, GetThreadContext, GetThreadIOPendingFlag, GetThreadLocale, GetThreadPriority, GetThreadPriorityBoost, GetThreadSelectorEntry, GetThreadTimes, GetTickCount, GetTimeFormatA, GetTimeFormatW, GetTimeZoneInformation, GetUserDefaultLCID, GetUserDefaultLangID, GetUserDefaultUILanguage, GetUserGeoID, GetVDMCurrentDirectories, GetVersion, GetVersionExA, GetVersionExW, GetVolumeInformationA, GetVolumeInformationW, GetVolumeNameForVolumeMountPointA, GetVolumeNameForVolumeMountPointW, GetVolumePathNameA, GetVolumePathNameW, GetVolumePathNamesForVolumeNameA, GetVolumePathNamesForVolumeNameW, GetWindowsDirectoryA, GetWindowsDirectoryW, GetWriteWatch, GlobalAddAtomA, GlobalAddAtomW, GlobalAlloc, GlobalCompact, GlobalDeleteAtom, GlobalFindAtomA, GlobalFindAtomW, GlobalFix, GlobalFlags, GlobalFree, GlobalGetAtomNameA, GlobalGetAtomNameW, GlobalHandle, GlobalLock, GlobalMemoryStatus, GlobalMemoryStatusEx, GlobalReAlloc, GlobalSize, GlobalUnWire, GlobalUnfix, GlobalUnlock, GlobalWire, Heap32First, Heap32ListFirst, Heap32ListNext, Heap32Next, HeapAlloc, HeapCompact, HeapCreate, HeapCreateTagsW, HeapDestroy, HeapExtend, HeapFree, HeapLock, HeapQueryInformation, HeapQueryTagW, HeapReAlloc, HeapSetInformation, HeapSize, HeapSummary, HeapUnlock, HeapUsage, HeapValidate, HeapWalk, InitAtomTable, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeSListHead, InterlockedCompareExchange, InterlockedDecrement, InterlockedExchange, InterlockedExchangeAdd, InterlockedFlushSList, InterlockedIncrement, InterlockedPopEntrySList, InterlockedPushEntrySList, InvalidateConsoleDIBits, IsBadCodePtr, IsBadHugeReadPtr, IsBadHugeWritePtr, IsBadReadPtr, IsBadStringPtrA, IsBadStringPtrW, IsBadWritePtr, IsDBCSLeadByte, IsDBCSLeadByteEx, IsDebuggerPresent, IsProcessInJob, IsProcessorFeaturePresent, IsSystemResumeAutomatic, IsValidCodePage, IsValidLanguageGroup, IsValidLocale, IsValidUILanguage, IsWow64Process, LCMapStringA, LCMapStringW, LZClose, LZCloseFile, LZCopy, LZCreateFileW, LZDone, LZInit, LZOpenFileA, LZOpenFileW, LZRead, LZSeek, LZStart, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryExW, LoadLibraryW, LoadModule, LoadResource, LocalAlloc, LocalCompact, LocalFileTimeToFileTime, LocalFlags, LocalFree, LocalHandle, LocalLock, LocalReAlloc, LocalShrink, LocalSize, LocalUnlock, LockFile, LockFileEx, LockResource, MapUserPhysicalPages, MapUserPhysicalPagesScatter, MapViewOfFile, MapViewOfFileEx, Module32First, Module32FirstW, Module32Next, Module32NextW, MoveFileA, MoveFileExA, MoveFileExW, MoveFileW, MoveFileWithProgressA, MoveFileWithProgressW, MulDiv, MultiByteToWideChar, NlsConvertIntegerToString, NlsGetCacheUpdateCount, NlsResetProcessLocale, NumaVirtualQueryNode, OpenConsoleW, OpenDataFile, OpenEventA, OpenEventW, OpenFile, OpenFileMappingA, OpenFileMappingW, OpenJobObjectA, OpenJobObjectW, OpenMutexA, OpenMutexW, OpenProcess, OpenProfileUserMapping, OpenSemaphoreA, OpenSemaphoreW, OpenThread, OpenWaitableTimerA, OpenWaitableTimerW, OutputDebugStringA, OutputDebugStringW, PeekConsoleInputA, PeekConsoleInputW, PeekNamedPipe, PostQueuedCompletionStatus, PrepareTape, PrivCopyFileExW, PrivMoveFileIdentityW, Process32First, Process32FirstW, Process32Next, Process32NextW, ProcessIdToSessionId, PulseEvent, PurgeComm, QueryActCtxW, QueryDepthSList, QueryDosDeviceA, QueryDosDeviceW, QueryInformationJobObject, QueryMemoryResourceNotification, QueryPerformanceCounter, QueryPerformanceFrequency, QueryWin31IniFilesMappedToRegistry, QueueUserAPC, QueueUserWorkItem, RaiseException, ReadConsoleA, ReadConsoleInputA, ReadConsoleInputExA, ReadConsoleInputExW, ReadConsoleInputW, ReadConsoleOutputA, ReadConsoleOutputAttribute, ReadConsoleOutputCharacterA, ReadConsoleOutputCharacterW, ReadConsoleOutputW, ReadConsoleW, ReadDirectoryChangesW, ReadFile, ReadFileEx, ReadFileScatter, ReadProcessMemory, RegisterConsoleIME, RegisterConsoleOS2, RegisterConsoleVDM, RegisterWaitForInputIdle, RegisterWaitForSingleObject, RegisterWaitForSingleObjectEx, RegisterWowBaseHandlers, RegisterWowExec, ReleaseActCtx, ReleaseMutex, ReleaseSemaphore, RemoveDirectoryA, RemoveDirectoryW, RemoveLocalAlternateComputerNameA, RemoveLocalAlternateComputerNameW, RemoveVectoredExceptionHandler, ReplaceFile, ReplaceFileA, ReplaceFileW, RequestDeviceWakeup, RequestWakeupLatency, ResetEvent, ResetWriteWatch, RestoreLastError, ResumeThread, RtlCaptureContext, RtlCaptureStackBackTrace, RtlFillMemory, RtlMoveMemory, RtlUnwind, RtlZeroMemory, ScrollConsoleScreenBufferA, ScrollConsoleScreenBufferW, SearchPathA, SearchPathW, SetCPGlobal, SetCalendarInfoA, SetCalendarInfoW, SetClientTimeZoneInformation, SetComPlusPackageInstallStatus, SetCommBreak, SetCommConfig, SetCommMask, SetCommState, SetCommTimeouts, SetComputerNameA, SetComputerNameExA, SetComputerNameExW, SetComputerNameW, SetConsoleActiveScreenBuffer, SetConsoleCP, SetConsoleCommandHistoryMode, SetConsoleCtrlHandler, SetConsoleCursor, SetConsoleCursorInfo, SetConsoleCursorMode, SetConsoleCursorPosition, SetConsoleDisplayMode, SetConsoleFont, SetConsoleHardwareState, SetConsoleIcon, SetConsoleInputExeNameA, SetConsoleInputExeNameW, SetConsoleKeyShortcuts, SetConsoleLocalEUDC, SetConsoleMaximumWindowSize, SetConsoleMenuClose, SetConsoleMode, SetConsoleNlsMode, SetConsoleNumberOfCommandsA, SetConsoleNumberOfCommandsW, SetConsoleOS2OemFormat, SetConsoleOutputCP, SetConsolePalette, SetConsoleScreenBufferSize, SetConsoleTextAttribute, SetConsoleTitleA, SetConsoleTitleW, SetConsoleWindowInfo, SetCriticalSectionSpinCount, SetCurrentDirectoryA, SetCurrentDirectoryW, SetDefaultCommConfigA, SetDefaultCommConfigW, SetDllDirectoryA, SetDllDirectoryW, SetEndOfFile, SetEnvironmentVariableA, SetEnvironmentVariableW, SetErrorMode, SetEvent, SetFileApisToANSI, SetFileApisToOEM, SetFileAttributesA, SetFileAttributesW, SetFilePointer, SetFilePointerEx, SetFileShortNameA, SetFileShortNameW, SetFileTime, SetFileValidData, SetFirmwareEnvironmentVariableA, SetFirmwareEnvironmentVariableW, SetHandleContext, SetHandleCount, SetHandleInformation, SetInformationJobObject, SetLastConsoleEventActive, SetLastError, SetLocalPrimaryComputerNameA, SetLocalPrimaryComputerNameW, SetLocalTime, SetLocaleInfoA, SetLocaleInfoW, SetMailslotInfo, SetMessageWaitingIndicator, SetNamedPipeHandleState, SetPriorityClass, SetProcessAffinityMask, SetProcessDEPPolicy, SetProcessPriorityBoost, SetProcessShutdownParameters, SetProcessWorkingSetSize, SetSearchPathMode, SetStdHandle, SetSystemPowerState, SetSystemTime, SetSystemTimeAdjustment, SetTapeParameters, SetTapePosition, SetTermsrvAppInstallMode, SetThreadAffinityMask, SetThreadContext, SetThreadExecutionState, SetThreadIdealProcessor, SetThreadLocale, SetThreadPriority, SetThreadPriorityBoost, SetThreadUILanguage, SetTimeZoneInformation, SetTimerQueueTimer, SetUnhandledExceptionFilter, SetUserGeoID, SetVDMCurrentDirectories, SetVolumeLabelA, SetVolumeLabelW, SetVolumeMountPointA, SetVolumeMountPointW, SetWaitableTimer, SetupComm, ShowConsoleCursor, SignalObjectAndWait, SizeofResource, Sleep, SleepEx, SuspendThread, SwitchToFiber, SwitchToThread, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, TerminateJobObject, TerminateProcess, TerminateThread, TermsrvAppInstallMode, Thread32First, Thread32Next, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, Toolhelp32ReadProcessMemory, TransactNamedPipe, TransmitCommChar, TrimVirtualBuffer, TryEnterCriticalSection, TzSpecificLocalTimeToSystemTime, UTRegister, UTUnRegister, UnhandledExceptionFilter, UnlockFile, UnlockFileEx, UnmapViewOfFile, UnregisterConsoleIME, UnregisterWait, UnregisterWaitEx, UpdateResourceA, UpdateResourceW, VDMConsoleOperation, VDMOperationStarted, ValidateLCType, ValidateLocale, VerLanguageNameA, VerLanguageNameW, VerSetConditionMask, VerifyConsoleIoHandle, VerifyVersionInfoA, VerifyVersionInfoW, VirtualAlloc, VirtualAllocEx, VirtualBufferExceptionHandler, VirtualFree, VirtualFreeEx, VirtualLock, VirtualProtect, VirtualProtectEx, VirtualQuery, VirtualQueryEx, VirtualUnlock, WTSGetActiveConsoleSessionId, WaitCommEvent, WaitForDebugEvent, WaitForMultipleObjects, WaitForMultipleObjectsEx, WaitForSingleObject, WaitForSingleObjectEx, WaitNamedPipeA, WaitNamedPipeW, WideCharToMultiByte, WinExec, WriteConsoleA, WriteConsoleInputA, WriteConsoleInputVDMA, WriteConsoleInputVDMW, WriteConsoleInputW, WriteConsoleOutputA, WriteConsoleOutputAttribute, WriteConsoleOutputCharacterA, WriteConsoleOutputCharacterW, WriteConsoleOutputW, WriteConsoleW, WriteFile, WriteFileEx, WriteFileGather, WritePrivateProfileSectionA, WritePrivateProfileSectionW, WritePrivateProfileStringA, WritePrivateProfileStringW, WritePrivateProfileStructA, WritePrivateProfileStructW, WriteProcessMemory, WriteProfileSectionA, WriteProfileSectionW, WriteProfileStringA, WriteProfileStringW, WriteTapemark, ZombifyActCtx, _hread, _hwrite, _lclose, _lcreat, _llseek, _lopen, _lread, _lwrite, lstrcat, lstrcatA, lstrcatW, lstrcmp, lstrcmpA, lstrcmpW, lstrcmpi, lstrcmpiA, lstrcmpiW, lstrcpy, lstrcpyA, lstrcpyW, lstrcpyn, lstrcpynA, lstrcpynW, lstrlen, lstrlenA, lstrlenWExifTool:file metadataCharacterSet: UnicodeCodeSize: 537088CompanyName: Microsoft CorporationEntryPoint: 0xb64eFileDescription: Windows NT BASE API Client DLLFileFlagsMask: 0x003fFileOS: Windows NT 32-bitFileSize: 966 kBFileSubtype: 0FileType: Win32 DLLFileVersion: 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)FileVersionNumber: 5.1.2600.5781ImageVersion: 5.1InitializedDataSize: 459776InternalName: kernel32LanguageCode: English (U.S.)LegalCopyright: Microsoft Corporation. All rights reserved.LinkerVersion: 7.1MIMEType: application/octet-streamMachineType: Intel 386 or later, and compatiblesOSVersion: 5.1ObjectFileType: Dynamic link libraryOriginalFilename: kernel32PEType: PE32ProductName: Microsoft Windows Operating SystemProductVersion: 5.1.2600.5781ProductVersionNumber: 5.1.2600.5781Subsystem: Windows command lineSubsystemVersion: 4.0TimeStamp: 2009:03:21 15:06:58+01:00UninitializedDataSize: 0 Link to post Share on other sites More sharing options...
Maniac Posted October 9, 2010 ID:325132 Share Posted October 9, 2010 Nice! Download RootRepeal Beta on your desktop.Double click RootRepeal.exe to start the programClick on the Report tab at the bottom of the program windowClick the Scan buttonIn the Select Scan dialog, check:DriversFilesProcessesSSDTStealth ObjectsHidden Services[*]Click the OK button[*]In the next dialog, select all drives showing[*]Click OK to start the scanNote: The scan can take some time. DO NOT run any other programs while the scan is running[*]When the scan is complete, the Save Report button will become available[*]Click this and save the report to your Desktop as RootRepeal.txt[*]Go to File, then Exit to close the programIf the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead. Link to post Share on other sites More sharing options...
wormfishin Posted October 9, 2010 Author ID:325139 Share Posted October 9, 2010 It crashed. Screenshot attached.rootkitrepeal_crash.bmp Link to post Share on other sites More sharing options...
Maniac Posted October 9, 2010 ID:325145 Share Posted October 9, 2010 What about the stable version?http://ad13.geekstogo.com/RootRepeal.rar Link to post Share on other sites More sharing options...
wormfishin Posted October 9, 2010 Author ID:325157 Share Posted October 9, 2010 ROOTREPEAL © AD, 2007-2009==================================================Scan Start Time: 2010/10/09 18:19Program Version: Version 1.3.5.0Windows Version: Windows XP Tablet PC Edition SP3==================================================Drivers-------------------Name: dump_iaStor.sysImage Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sysAddress: 0x980ED000 Size: 778240 File Visible: No Signed: -Status: -Name: rootrepeal.sysImage Path: C:\WINDOWS\system32\drivers\rootrepeal.sysAddress: 0x96F74000 Size: 49152 File Visible: No Signed: -Status: -Hidden/Locked Files-------------------Path: c:\windows\modemlog_novatel wireless merlin cdma ev-do modem.txtStatus: Size mismatch (API: 12932, Raw: 12728)Path: D:\System Volume Information\_r?store{996E336A-58F5-476F-9F9E-844E1723D7CB}Status: Invisible to the Windows API!Path: D:\System Volume Information\_restore{996E336A-58F5-476F-9F9E-844E1723D7CB}Status: Visible to the Windows API, but not on disk.Path: \\?\D:\System Volume Information\_r?store{996E336A-58F5-476F-9F9E-844E1723D7CB}\*Status: Could not enumerate files with the Windows API (0x00000003)!Path: D:\System Volume Information\_r?store{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP1Status: Invisible to the Windows API!Path: D:\System Volume Information\_r?store{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP2Status: Invisible to the Windows API!Path: \\?\D:\System Volume Information\_r?store{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP1\*Status: Could not enumerate files with the Windows API (0x00000003)!Path: D:\System Volume Information\_r?store{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP1\change.log.1Status: Invisible to the Windows API!Path: D:\System Volume Information\_r?store{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP1\RestorePointSizeStatus: Invisible to the Windows API!Path: \\?\D:\System Volume Information\_r?store{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP2\*Status: Could not enumerate files with the Windows API (0x00000003)!Path: D:\System Volume Information\_r?store{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP2\A0002234.iniStatus: Invisible to the Windows API!Path: D:\System Volume Information\_r?store{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP2\A0003290.iniStatus: Invisible to the Windows API!Path: D:\System Volume Information\_r?store{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP2\A0004379.iniStatus: Invisible to the Windows API!Path: D:\System Volume Information\_r?store{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP2\A0004658.iniStatus: Invisible to the Windows API!Path: D:\System Volume Information\_r?store{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP2\A0004687.iniStatus: Invisible to the Windows API!Path: D:\System Volume Information\_r?store{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP2\change.logStatus: Invisible to the Windows API!Path: D:\System Volume Information\_r?store{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP2\change.log.1Status: Invisible to the Windows API!Path: D:\System Volume Information\_r?store{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP2\change.log.2Status: Invisible to the Windows API!Path: D:\System Volume Information\_r?store{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP2\change.log.3Status: Invisible to the Windows API!Path: D:\System Volume Information\_r?store{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP2\change.log.4Status: Invisible to the Windows API!SSDT-------------------#: 257 Function Name: NtTerminateProcessStatus: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0x9e049620==EOF== Link to post Share on other sites More sharing options...
Maniac Posted October 10, 2010 ID:325264 Share Posted October 10, 2010 Please clear system restore points and let me know how are things now:http://www.microsoft.com/windowsxp/using/h...ps/mcgill1.mspx Link to post Share on other sites More sharing options...
wormfishin Posted October 10, 2010 Author ID:325317 Share Posted October 10, 2010 I cleared all the restore points and let it sit idle. About an hour later the svchost error popped up again. Link to post Share on other sites More sharing options...
Maniac Posted October 10, 2010 ID:325326 Share Posted October 10, 2010 Download TDSSKiller and save it to your Desktop.Extract its contents to your desktop.Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.If an infected file is detected, the default action will be Cure, click on Continue.If a suspicious file is detected, the default action will be Skip, click on Continue.It may ask you to reboot the computer to complete the process. Click on Reboot Now.Click the Report button and copy/paste the contents of it into your next replyNote:It will also create a log in the C:\ directory. Link to post Share on other sites More sharing options...
wormfishin Posted October 10, 2010 Author ID:325642 Share Posted October 10, 2010 2010/10/10 18:42:59.0140 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:592010/10/10 18:42:59.0140 ================================================================================2010/10/10 18:42:59.0140 SystemInfo:2010/10/10 18:42:59.0140 2010/10/10 18:42:59.0140 OS Version: 5.1.2600 ServicePack: 3.02010/10/10 18:42:59.0140 Product type: Workstation2010/10/10 18:42:59.0140 ComputerName: STEVES2010/10/10 18:42:59.0140 UserName: steve2010/10/10 18:42:59.0140 Windows directory: C:\WINDOWS2010/10/10 18:42:59.0140 System windows directory: C:\WINDOWS2010/10/10 18:42:59.0140 Processor architecture: Intel x862010/10/10 18:42:59.0140 Number of processors: 22010/10/10 18:42:59.0140 Page size: 0x10002010/10/10 18:42:59.0140 Boot type: Normal boot2010/10/10 18:42:59.0140 ================================================================================2010/10/10 18:42:59.0890 Initialize success2010/10/10 18:43:02.0140 ================================================================================2010/10/10 18:43:02.0140 Scan started2010/10/10 18:43:02.0140 Mode: Manual;2010/10/10 18:43:02.0140 ================================================================================2010/10/10 18:43:03.0906 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)2010/10/10 18:43:03.0906 ================================================================================2010/10/10 18:43:03.0906 Scan finished2010/10/10 18:43:03.0906 ================================================================================2010/10/10 18:43:03.0921 Detected object count: 12010/10/10 18:43:23.0968 \HardDisk0\MBR - will be cured after reboot2010/10/10 18:43:23.0968 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure2010/10/10 18:43:36.0437 Deinitialize success Link to post Share on other sites More sharing options...
Maniac Posted October 11, 2010 ID:325782 Share Posted October 11, 2010 Nice! What is the situation now? Link to post Share on other sites More sharing options...
wormfishin Posted October 11, 2010 Author ID:325831 Share Posted October 11, 2010 It ran overnight without the error, so I think we're good!I just rebooted to make sure nothing came back, I'll let you know for sure in a few hours. Link to post Share on other sites More sharing options...
Maniac Posted October 11, 2010 ID:325969 Share Posted October 11, 2010 Good! Link to post Share on other sites More sharing options...
Recommended Posts